How to Clean the Yahoo Messenger Virus

January 21st, 2010 by admin | Posted under NEWS, Tips.

The Yahoo Messenger virus can update itself, much like an antivirus program, by downloading files from predetermined websites. Not surprisingly, removing it is somewhat difficult.

Follow these 9 steps to clean the most vicious and most disturbing virus at the beginning of 2010.

1. Disconnect the computer to be cleaned from the network and the internet.

2. Rename the file [C:\Windows\system32\msvbvm60.dll] to [xmsvbvm60.dll] to prevent the virus from reactivating during the cleaning process.

3. Do the cleaning with the Windows Mini PE Live CD tools. This is necessary because some of the virus's master files and rootkit files masquerade as services and drivers and are hard to delete, and the virus also hides these files.

Boot the computer from the Mini PE Live CD, then delete the virus's master files as follows:

a. Click the [Mini PE2XT]

b. Click the [Programs]

c. Click the [File Management]

d. Click the [Windows Explorer]

e. Then delete the following files:

-. C:\Windows\System32

   -. wmi%xxx%.exe, where xxx stands for random characters (example: wmispqd.exe, wmisrwt.exe, wmistpl.exe, or wmisfpj.exe), with a file size that varies depending on the variant that infects the target computer.

   -. %xxx%.exe@, where %xxx% stands for random characters (example: qxzv85.exe@), with a size that varies depending on the variant that infects.

   -. secupdat.dat

-. C:\Documents and Settings\%user%\%xx%.exe, where xx stands for random characters (example: rllx.exe), with a file size of about 6 KB or 16 KB (depending on the variant that infects).

-. C:\Windows\System32\drivers

   -. Kernelx86.sys

   -. %xx%.sys, where xx stands for random characters, with a size of about 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)

   -. Ndisvvan.sys

   -. krndrv32.sys

-. C:\Documents and Settings\%user%\secupdat.dat

-. C:\Windows\INF

   -. netsf.inf

   -. netsf_m.inf

4. Delete the registry entries created by the virus using “Avast! Registry Editor”, as follows:

a. Click the [Mini PE2XT]

b. Click the [Programs]

c. Click the [Registry Tools]

d. Click [Avast! Registry Editor]

e. If a confirmation screen appears, click the “Load …..” button

f. Then delete the registry:

LOCAL_MACHINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe

LOCAL_MACHINE_SYSTEM\ControlSet001\Services\kernelx86

LOCAL_MACHINE_SYSTEM\CurrentControlSet\Services\kernelx86

LOCAL_MACHINE_SYSTEM\CurrentControlSet\Services\passthru

LOCAL_MACHINE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe

LOCAL_MACHINE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

-. Change the string value Userinit to: userinit.exe,

LOCAL_MACHINE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

-. Change the string value Shell to: Explorer.exe

LOCAL_MACHINE_SYSTEM\ControlSet001\Services\%xx%

LOCAL_MACHINE_SYSTEM\CurrentControlSet\Services\%xx%

LOCAL_MACHINE_SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\windows\system32\%file_induk_virus%.exe (the virus's master file, example: wmistpl.exe)

LOCAL_MACHINE_SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\windows\system32\%file_induk_virus%.exe (the virus's master file, example: wmistpl.exe)

Note: %xx% stands for random characters. This key is created to run the .SYS file of about 40 KB located in the directory [C:\Windows\system32\drivers].

5. Restart the computer, then restore the remaining registry values changed by the virus: copy the following script into Notepad and save it as repair.inf. Run it as follows: right-click repair.inf | click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Values written back to their defaults
[UnhookRegKey]
; Restore the default open command for executable file types
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Ole, EnableDCOM, 0, "Y"
; Re-enable Security Center antivirus and firewall notifications
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusOverride, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallOverride, 0x00010001, 0
HKLM, SYSTEM\ControlSet001\Control\LSA, restrictanonymous, 0x00010001, 0
HKLM, SYSTEM\ControlSet002\Control\LSA, restrictanonymous, 0x00010001, 0
HKLM, SYSTEM\CurrentControlSet\Control\LSA, restrictanonymous, 0x00010001, 0
; Restore the Explorer option that controls hidden system files
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue, 0x00010001, 1

; Keys and values removed
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\windowsupdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\windowsupdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe

6. Fix the Windows registry so that the computer can again boot into “safe mode with command prompt”: download the file FixSafeBoot.reg (Windows XP) at the following address and then run the file in the following manner:

o Click the [Start]

o Click [Run]

o Type Regedit.exe and click the [OK]

o On the “Registry Editor”, click the menu [File | Import]

o Select the .REG file you just created

o Click the [Open]

7. Delete temporary files and temporary Internet files. Use the ATF-Cleaner tool for this. Download the tool here.

8. Restore the Windows hosts file that was changed by the virus. You can use the Hoster tool; please download it here.

Click [Restore MS Hosts File] to restore the Windows hosts file.

9. For optimal cleaning and to prevent re-infection, scan with an up-to-date antivirus that is able to detect this virus.
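The file list in step 3e can be turned into a quick sweep over a directory listing taken from the offline system volume, useful for confirming that nothing from the list is left after cleaning. This is an added example, not part of the original article; the function names, the size tolerances and the sample listing are assumptions made here.

```python
import fnmatch
import ntpath

SYS32 = r"c:\windows\system32"
DRIVERS = SYS32 + r"\drivers"
PROFILES = r"c:\documents and settings"
# Fixed names from step 3e, keyed by the (lower-cased) folder they are listed under.
FIXED = {
    SYS32: {"secupdat.dat"},
    DRIVERS: {"kernelx86.sys", "ndisvvan.sys", "krndrv32.sys"},
    r"c:\windows\inf": {"netsf.inf", "netsf_m.inf"},
}

def classify(path, size):
    """Return why a file matches the step 3e list, or None. size is in bytes."""
    folder, name = ntpath.split(path.lower())
    kb = size / 1024
    if name in FIXED.get(folder, ()):
        return "fixed name from the list"
    if folder == SYS32 and fnmatch.fnmatchcase(name, "wmi*.exe"):
        return "wmi + random characters; confirm before deleting"
    if ntpath.dirname(folder) == PROFILES:  # directly in a user's profile folder
        if name == "secupdat.dat":
            return "fixed name from the list"
        # Assumption: "about 6 KB or 16 KB" means the size rounds to 6 or 16 KB.
        if name.endswith(".exe") and round(kb) in (6, 16):
            return "small .exe in a profile root; confirm before deleting"
    # Assumption: "about 40 KB" is read as 38 to 42 KB.
    if folder == DRIVERS and name.endswith(".sys") and 38 <= kb <= 42:
        return "about 40 KB .sys; check for a matching Services key"
    return None

def scan(listing):
    """listing: iterable of (path, size_in_bytes). Returns [(path, reason)]."""
    return [(p, why) for p, s in listing if (why := classify(p, s))]

# Constructed sample listing, not taken from a real system.
SAMPLE = [
    (r"C:\Windows\System32\wmistpl.exe", 61440),
    (r"C:\Windows\System32\wbem\wmiprvse.exe", 218112),
    (r"C:\Windows\System32\drivers\mojbtjlt.sys", 40960),
    (r"C:\Windows\System32\drivers\tcpip.sys", 361600),
    (r"C:\Documents and Settings\alice\rllx.exe", 16384),
    (r"C:\Documents and Settings\alice\secupdat.dat", 12),
    (r"C:\Windows\INF\netsf_m.inf", 2048),
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE):
        print(f"{path}: {reason}")
```

The size-based matches are heuristics and can hit legitimate files, so each one is reported with a reason to review rather than treated as a confirmed infection.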
