Saturday, December 20, 2008

7 Steps to eradicate the 'K0pL4xZ' virus

Author: Vaksin.com - detikinet
Jakarta - The "K0pL4xZ" virus, detected as VBWorm.QTT, targets computer users, especially those with many Office files, by changing the icon and the file type of Microsoft Office documents.

Fortunately, the virus does not destroy the Office files. It is written in Visual Basic. To avoid suspicion, it disguises itself with the "Windows Media Player Classic" icon while keeping the application (exe) file type. To clean it up, follow these steps:

1. Disconnect the computer to be cleaned from the network (LAN).
2. Turn off "System Restore" for the duration of the cleaning process.
3. Stop the virus process that is active in memory. Use the KillVB tool to terminate it. Download the tool at: http://www.compactbyte.com/brontok/killvb.zip

4. Repair the registry entries modified by the virus. To speed up the repair, copy the script below into Notepad and save it as "Repair.inf". (The DefaultIcon entries in the script point at the Office 2003 installer directory; adjust them if a different Office version is installed.) Run the file as follows:

- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile,,,application
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, "@C:\Windows\system32\notepad.exe,-469"
HKLM, SOFTWARE\Classes\Word.Document.8,,,"Microsoft Word Document"
HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe,1"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,,"Microsoft PowerPoint Presentation"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe,1"
HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,"Microsoft Excel Worksheet"
HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe,1"
HKLM, SOFTWARE\Classes\Access.Application.11,,,"Microsoft Office Access Application"
HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe,1"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, WarningIfNotDefault,0,"@shell32.dll,-28964"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DIsablecmd
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, cintaku
HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName
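Before and after applying Repair.inf it is useful to know which of those keys actually deviate from the clean state, both to confirm the repair took and to spot the same tampering on other machines. The script below is an added example, not part of the Vaksin.com article; it reads the values that the [UnhookRegKey] and [del] sections touch and reports differences without writing anything. The expected clean values are taken from the .inf above (registry paths and value names are case-insensitive, so the casing differences in the script do not matter); the script assumes an elevated PowerShell session run as the affected user, since the HKCU entries are per user.

```powershell
# Added example (not part of the Vaksin.com article): read-only audit of the
# registry values that Repair.inf above restores or deletes. Run it in an
# elevated PowerShell session as the affected user. Nothing here writes
# to the registry.

# Values the [UnhookRegKey] section sets, with the clean value expected.
$expected = @(
    # File-type handlers the worm redirects so it runs whenever a program is launched
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Value = 'regedit.exe "%1"' },
    # Logon shell and safe-mode shell
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';          Value = 'Explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot';            Name = 'AlternateShell'; Value = 'cmd.exe' },
    # Explorer view settings the worm flips to keep its files and extensions hidden
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Value = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Value = 0 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Value = 1 }
)

# Values the [del] section removes: if any still exists, that is a finding.
$mustBeAbsent = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'System' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run';            Name = 'cintaku' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'Shell' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                   Name = 'Window Title' }
)

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # key itself is missing
    $key = Get-Item -LiteralPath $Path
    if ($Name -eq '(default)') { return $key.GetValue('') }     # unnamed default value
    return $key.GetValue($Name)                                  # $null when the value is absent
}

$findings = @()
foreach ($e in $expected) {
    $actual = Get-RegValue -Path $e.Path -Name $e.Name
    # Compare as strings so a REG_DWORD 1 matches the expected 1; a missing value becomes ''
    if ("$actual" -ne "$($e.Value)") {
        $findings += [pscustomobject]@{ Check = 'unexpected value'; Path = $e.Path; Name = $e.Name; Expected = $e.Value; Actual = $actual }
    }
}
foreach ($d in $mustBeAbsent) {
    $actual = Get-RegValue -Path $d.Path -Name $d.Name
    if ($null -ne $actual) {
        $findings += [pscustomobject]@{ Check = 'should be absent'; Path = $d.Path; Name = $d.Name; Expected = '<absent>'; Actual = $actual }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All audited registry values match the repaired state.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean machine prints the single confirmation line; an infected one lists the hijacked shell\open\command handlers and the policy values first, which is also the quickest way to tell whether the .inf was actually installed (a right-click "Install" that fails silently leaves every row in the table unchanged).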

5. Delete the file "C:\Windows\desktop.ini" (this file changes the Windows folder's icon into the Control Panel icon). Use the DOS prompt to delete it.

6. Find and delete the parent virus files on the hard disk and on flash disks, after first enabling the display of hidden files. To speed up the search, use the Windows "Search" function.

Here are some of the parent files created by Koplaxz:
  • C:\Documents and Settings\%username%\Start Menu\Programs\Startup
    Winhelp.exe
  • C:\Documents and Settings\%username%\Start Menu\Programs
    Hellloo_Gheea.exe
  • C:\Documents and Settings\%username%\My Documents
    Jangan_Dihapus_Apalagi_Dibuka.exe
  • C:\Documents and Settings\%username%\Start Menu
    Koplaxz Kudo Shop.exe
  • C:\Documents and Settings\%username%\Start Menu\Programs
    Hellloo_Gheea..exe
  • C:\Windows
    TourWindowsXP.exe
    svchost.exe
    Kudo.com
    command32.pif
    KopLaXz@KudoShop.exe
  • C:\F4HM1_KudO_M4n4j3r.exe
  • C:\G0d3G.exe
  • C:\Ghe@_i_miss_u.3gp.exe (all drives)
  • C:\K0pL4xZ.exe
  • C:\K 0 PL 4 X Z.exe
  • C:\KopLaXz@KudoShoP.exe (all drives)
  • C:\R0n13G4N_G3Ndut_S3xY.exe
  • C:\R3eve5.exe
  • C:\K0pL4xZ@KudoShop (all drives)
    folder.htt
    msvbvm60.dll
    K0pL4xZ.exe
  • C:\K0pl4xZ@KudoShop\K0pL4xZ.exe
  • C:\[space]WINDOWS\System_FriendZ_KopLaXz32
    F4HM1_KudO_M4n4j3r.exe
    G0d3G.exe
    K 0 PL 4 X Z.exe
    R0n13G4N_G3Ndut_S3xY
    R3eve5.exe
  • C:\[space]Windows\Zx4Lp0K.html
  • C:\Windows\system32\smkn2majalengka.scr
  • C:\Windows\system32\PCMAV.exe
  • C:\Windows\system32\Asholest.exe
  • C:\Documents and Settings\%username%\SendTo\KoPLaXzKudo (e-mail).exe
  • C:\Autorun.inf (all drives)
  • C:\Desktop.ini (all drives)
  • C:\A Letter Ghe@4.txt (all drives)
  • C:\K0pL4xZ@kUdO_5h0P.txt
  • C:\Documents and Settings\All Users\Desktop\A Letter Ghe@4.inf
  • C:\Windows\desktop.ini

Then delete the parent virus files, which have the following characteristics:
  • "Windows Media Player Classic" icon / 3GP video format icon
  • Size 31 KB
  • Extension EXE, PIF, COM or SCR
  • File type "Application"

Delete the following files:
  • C:\Autorun.inf (root of each drive: C:\ or D:\)
  • C:\Desktop.ini (root of each drive: C:\ or D:\)
  • C:\A Letter Ghe@4.txt (root of each drive: C:\ or D:\)
  • C:\K0pL4xZ@kUdO_5h0P.txt (root of each drive: C:\ or D:\)
  • C:\K0pL4xZ@KudoShop (root of every drive and flash disk)
  • C:\Documents and Settings\All Users\Desktop\A Letter Ghe@4.inf
  • C:\[space]WINDOWS
  • C:\[space]Windows\Zx4Lp0K.html

7. For optimal cleaning and to prevent reinfection, scan with an up-to-date antivirus.
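Walking every drive by hand with Windows Search, as step 6 describes, is slow and misses the indicators that are not plain file names: the fake "WINDOWS" folder whose name begins with a space, the svchost.exe dropped directly in C:\Windows rather than system32, and the 31 KB droppers whose name may differ from the list. The sweep below is an added example, not the article's own tooling; it reports every match from the two lists above plus those structural indicators, and deletes nothing, so the operator still reviews the output before removing files as steps 5 and 6 instruct. The name patterns come from the lists above; the 30 KB to 32 KB byte range for "31 KB" and the PowerShell 2.0-compatible syntax are my own choices.

```powershell
# Added example (not part of the Vaksin.com article): read-only sweep of every
# local drive for the K0pL4xZ indicators listed in step 6. Run in an elevated
# session; recursing all drives with -Force (hidden/system files included)
# can take a while on a large disk. Nothing is deleted.

# Wildcards matched case-insensitively against each file name (taken from the lists above)
$namePatterns = @(
    'Winhelp.exe', 'Hellloo_Gheea*.exe', 'Jangan_Dihapus_Apalagi_Dibuka.exe',
    'Koplaxz Kudo Shop.exe', 'TourWindowsXP.exe', 'Kudo.com', 'command32.pif',
    '*K0pL4xZ*', '*KopLaXz*', '*KudoShop*', 'F4HM1_KudO_M4n4j3r.exe', 'G0d3G.exe',
    'Ghe@_i_miss_u.3gp.exe', 'R0n13G4N_G3Ndut_S3xY*', 'R3eve5.exe', 'Zx4Lp0K.html',
    'smkn2majalengka.scr', 'Asholest.exe', 'A Letter Ghe*', 'System_FriendZ_KopLaXz32'
)

$winDir   = $env:WINDIR
$sys32    = Join-Path $winDir 'system32'
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Path, [long]$Size, [string]$Reason) {
    [void]$findings.Add([pscustomobject]@{ Path = $Path; Size = $Size; Reason = $Reason })
}

# Local drive letters only (C:\, D:\, ...), which includes inserted flash disks
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }

foreach ($drive in $drives) {
    $root = $drive.Root

    # Root-level droppers and the folder whose name starts with a space (" WINDOWS")
    Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSIsContainer) {
            if ($_.Name -like ' *') { Add-Finding $_.FullName 0 'folder name begins with a space' }
        } elseif (@('autorun.inf', 'desktop.ini') -contains $_.Name.ToLower()) {
            Add-Finding $_.FullName $_.Length 'dropper in drive root'
        }
    }

    # Full recursive sweep of the drive
    Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $f = $_
            $reason = $null
            foreach ($pat in $namePatterns) {
                if ($f.Name -like $pat) { $reason = "name matches '$pat'"; break }
            }
            if (-not $reason) {
                $dir = $f.DirectoryName
                if ($f.Name -ieq 'svchost.exe' -and $dir -ieq $winDir) {
                    $reason = 'svchost.exe directly in %WINDIR% (the genuine one lives in system32)'
                } elseif ($f.Name -ieq 'PCMAV.exe' -and $dir -ieq $sys32) {
                    $reason = 'PCMAV.exe dropped in system32'
                } elseif ($f.Name -ieq 'desktop.ini' -and $dir -ieq $winDir) {
                    $reason = 'desktop.ini in %WINDIR% (step 5)'
                } elseif ($f.Extension -match '^\.(exe|pif|com|scr)$' -and
                          $f.Length -ge 30KB -and $f.Length -le 32KB) {
                    # Size alone is a weak indicator; confirm the icon/type before deleting
                    $reason = 'executable of about 31 KB (weak indicator, verify manually)'
                }
            }
            if ($reason) { Add-Finding $f.FullName $f.Length $reason }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No K0pL4xZ file indicators found.'
} else {
    $findings | Sort-Object Path | Format-Table -AutoSize -Wrap
}
```

Run it once with the virus process already killed (step 3) and hidden files visible, and again after deleting the reported files; the second run should come back empty apart from any 31 KB executables you have verified as legitimate, which the size heuristic will keep flagging.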
(dwn/dwn)
