how to remove W32/Conficker.worm.gen.d virus
Monday, December 28, 2009
Overview -
This detection is for a worm, which exploits the MS08-067 vulnerability in Microsoft Windows Server Service which may allow for remote code execution. This flaw lies in the improper handling of specially-crafted (malicious) RPC requests and was patched on October 23, 2008.
Aliases
* Net-Worm.Win32.Kido.js [Kaspersky]
* W32.Downadup.E [Symantec]
* W32/Confick-D [Sophos]
* Worm:Win32/Conficker.D [Microsoft]
* Worm:Win32/Conficker.gen [Ikarus]
* WORM_DOWNAD.E [Trend]
Characteristics -
When executed, this worm connects to one of the following sites to check the date and time:
* myspace.com
* msn.com
* ebay.com
* cnn.com
* aol.com
Further execution of this worm will continue only if the date is before May 3rd 2009.
On successful execution, the worm drops the following file:
* %System%\RandomFileName.tmp [already detected as W32/Conficker.sys]
It creates a service with a random file name using the above file. Once the service is created, the worm deletes the above ".tmp" file.
The worm then patches the following system file in the memory:
* %System%\drivers\tcpip.sys
This is done to remove the limitation set on the maximum number of TCP connection attempts that can be made by the infected machine.
Note:
* %System% is a variable that refers to the System folder; by default this is C:\Windows\System32 for Windows XP.
This worm creates the following mutex to ensure only one instance of the worm is running in memory:
* Global\[Random Name]
The worm connects to one of the following URLs to find the IP address of the infected machine:
* whatsmyipaddress.com
* ipdragon.com
* findmyip.com
* ipaddressworld.com
* findmyipaddress.com
* myipaddress.com
* checkip.dyndns.com
* checkip.dyndns.org
The worm then starts an HTTP server on a random port on the infected machine to host a copy of the worm. It then continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer connects back to the HTTP server and downloads a copy of the worm.
Symptoms -
* Files, registry, and network communication referenced in the characteristics section
Method of Infection -
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
This worm may also be downloaded unintentionally by users visiting malicious sites. Distribution channels could include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. Avert recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations
Stinger - A standalone removal tool has been released to assist in detecting and repairing this threat.
how to remove Worm.Win32.Netsky virus spyware
* Warning
o Most people follow a common spyware removal technique: they delete the directory C:\Program Files\Worm.Win32.Netsky using Windows Explorer and the registry key HKEY_LOCAL_MACHINE\Software\Worm.Win32.Netsky using regedit.exe, without knowing that the spyware might leave files in the Windows System directory which it can use either to repair itself or to start generating system error notifications, usually when Windows starts. We highly recommend trying the Windows Add/Remove tool to uninstall the malware if it is listed there, using a good spyware cleaner/remover, or getting help from a professional.
* Recommendation
o In order to clean your PC of the Worm.Win32.Netsky infection, which might require you to manually detect the malware (it can take the form of an EXE, DLL, registry key, browser hijack, toolbar, LSP, process and/or browser plugin), we recommend that you download our free Worm.Win32.Netsky finder software. Using our free detection tool you will not only be able to find Worm.Win32.Netsky traces but also other spyware, adware, trojan and virus infections on your PC, including leftovers from your previous anti-spyware.
* Note
o This Worm.Win32.Netsky info page not only provides manual removal instructions but also helps you learn what Worm.Win32.Netsky is and how to remove or get rid of it.
Delete the following directories
Worm.Win32.Netsky does not create any directories
Delete the following files
* PK_ZIP0.LOG
* PK_ZIP1.LOG
* %windir%\PK_ZIP2.LOG
* PK_ZIP3.LOG
* PK_ZIP4.LOG
* PK_ZIP5.LOG
* PK_ZIP6.LOG
* PK_ZIP7.LOG
* %windir%\PK_ZIP8.LOG
* %windir%\PK_ZIP9.LOG
* %windir%\Jammer2nd.exe
* %windir%\pk_zip_alg.log
* \Jammer2nd.exe
* \pk_zip_alg.log
Delete the following cookies
Worm.Win32.Netsky does not create any cookies
Delete the following registry keys
Worm.Win32.Netsky does not create any registry keys
Delete the following registry values
* Jammer2nd
How to Remove the Backdoor.Tidserv!inf virus spyware
How to Remove the Backdoor.Tidserv!inf Trojan, spyware
What's about Backdoor.Tidserv!inf
The purpose of the Backdoor.Tidserv!inf trojan is to install other computer parasites on a compromised machine.
It modifies the Windows Registry and puts itself on the startup list. Backdoor.Tidserv!inf is also able to corrupt essential system files; it should be deleted upon detection, before it has done much damage.
Backdoor.Tidserv!inf is a dangerous infection for several reasons. This trojan is able to corrupt important system files; this way it can do much damage if it isn't removed in time. Backdoor.Tidserv!inf also downloads and installs other malware automatically on the infected machine.
The Tidserv!inf trojan is difficult to spot and to remove because it runs secretly in the background and sets itself to run every time the computer boots.
How to clean the Backdoor.Tidserv!inf virus
Please download XDelBox from Here to your Desktop.
**Note: In the event you already have XDelBox, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Close any open browsers. Close/disable all antivirus, HIPS and anti-malware programs so they do not interfere with the running of XDelBox; visit here for how to temporarily disable your anti-virus and/or anti-malware programs.
Run XDelBox.exe and click "Start Scan".
Download Regace for other Registry repairing, cleaning errors and problems to optimize your PC. It is an amazing program that I use!
How to remove Adware virus Zwunzi
What's about Adware.Zwunzi
Zwunzi, or Adware.Zwunzi as detected by some antivirus programs, is another potentially unwanted application that installs itself as a search plugin for the Internet browser. The Zwunzi toolbar search was known to infect Internet Explorer and Mozilla Firefox only.
How to get rid of the Zwunzi Adware virus
Step 1: Please download XDelBox from Here to your Desktop.
**Note: In the event you already have XDelBox, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
Step 2: If you are using Firefox, make sure that your download settings are as follows:
* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".
Step 3: Close any open browsers. Close/disable all antivirus, HIPS and anti-malware programs so they do not interfere with the running of XDelBox; visit here for how to temporarily disable your anti-virus and/or anti-malware programs.
Step 4: Run XDelBox.exe and click "Start Scan".
Step 5: Wait for the scan to finish; this takes less than 5 minutes.
Step 6: Click "Fix Checked" to remove spyware or malware threats.
Step 7: Download Regace for other Registry repairing, cleaning errors and problems to optimize your PC. It is an amazing program that I use!
How to Remove the W32.Badtrans.13312@mm Worm Virus from Your Computer
Tuesday, December 8, 2009
Also Known As: W32/Badtrans-A [Sophos], W32/Badtrans@MM [McAfee], BadTrans, I-Worm.Badtrans [KAV], WORM_BADTRANS.A [Trend], TROJ_BADTRANS.A [Trend], Win32.Badtrans.13312 [CA], Pws-AV Trojan, W32.Badtrans.13312@mm, Trojan.Psw.Hooker
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
CVE References: CVE-2001-0154
Because W32.Badtrans.gen@mm affects different operating systems in different ways, how you remove this worm depends on your operating system. Follow the instructions in the order given.
To remove the worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as W32.Badtrans.gen@mm. What you do next depends on whether NAV was able to delete files that it detected as infected with W32.Badtrans.gen@mm:
* If NAV was able to delete all the files that it detected as infected, do one of the following:
o If you are running Windows 95/98/Me, skip to the section To edit the Win.ini file.
o If you are running Windows NT/2000 and NAV was able to delete all the infected files, you are finished.
* If NAV was not able to delete all files that it detected as infected, go on to the next section and see the instructions for your operating system.
To remove files that cannot be deleted by NAV:
Follow the instructions for your operating system only if NAV could not delete files that it detected as infected with W32.Badtrans.gen@mm.
* Windows 95/98/Me
1. Restart the computer in Safe Mode. For instructions on how to restart in Safe Mode, see the document How to restart Windows 9x or Windows Me in Safe Mode.
2. Run the scan again, and delete any files detected as W32.Badtrans.gen@mm.
3. When the scan is finished, skip to the section To edit the Win.ini file.
* Windows NT/2000/XP
1. Press Ctrl+Alt+Delete one time.
2. Click Task Manager.
3. Click the Processes tab.
4. Click the "Image Name" column header two times to sort the processes alphabetically.
5. Scroll through the list and look for inetd.exe. If you find the file, click it and then click End Process.
6. Scroll through the list and look for Kern32.exe. If you find the file, click it and then click End Process.
7. Close the Task Manager.
8. Right-click the My Computer icon on the Windows desktop, and click Explore.
9. Do one of the following:
o If you are running Windows NT, click the View menu and click Options.
o If you are running Windows 2000/XP, click the Tools menu and click Folder Options.
10. Click the View tab.
11. Do one of the following:
o If you are running Windows NT, click "Show all files," uncheck "Hide file extensions for known file types," and then click OK.
o If you are running Windows 2000/XP, click "Show hidden files and folders" and uncheck "Hide file extensions for known file types."
12. In the left pane of Windows Explorer, right-click drive C and then click Find (Windows NT) or Search (Windows 2000/XP).
13. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:
inetd.exe kern32.exe hkk32.exe hksdll.dll
14. Click Find Now or Search Now.
15. When the search is finished, write down the names and locations of the files that are displayed.
16. Click the Edit menu, and click Select All.
17. Hold down the Shift key, and press the Delete key. Continue to hold down the Shift key until you are prompted to confirm the deletion. Click Yes. (Holding the Shift key while pressing the Delete key bypasses the Recycle Bin.)
18. Close Windows Explorer.
19. Go on to the section To edit the registry.
To edit the registry:
CAUTION: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to back up the Windows registry for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
4. In the right pane, delete the value
Kernel32 KERN32.EXE
5. Navigate to the key
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
6. In the right pane, delete the value
run\Inetd.exe
7. Exit the Registry Editor.
8. Restart the computer.
9. Run the scan again, and delete any files detected as W32.Badtrans.13312@mm. This completes the removal procedure for users of Windows NT/2000.
To edit the Win.ini file:
If you are running Windows 95/98/Me, you must also do the following:
1. Click Start, and click Run.
2. Type the following and then click OK:
edit c:\windows\win.ini
NOTE: If you installed Windows in a different location, make the appropriate substitution.
3. In the [windows] section, locate the run= line. It will look similar to the following:
run=c:\windows\inetd.exe
4. Remove the text to the right of the = sign, so that the line now reads
run=
5. Save your changes, and exit the MS-DOS Editor.
Writeup By: Peter Ferrie
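The last section of the writeup above edits the run= line of win.ini by hand in the MS-DOS Editor. The following Python script is an added example, not part of the Symantec writeup: it finds the run= line inside the [windows] section of a win.ini text, reports which of the programs it launches match the file names the writeup lists for this worm, and produces the cleaned text with the run= line emptied while leaving every other line (and any run= line in a different section) untouched. The win.ini content is constructed, and the four file names come from the writeup.

```python
"""Audit and clear the run= line of a Windows 9x/Me win.ini, the step the
Badtrans writeup performs by hand in the MS-DOS Editor.

Added example, not from the Symantec writeup. It works on the file's text
so it can be run offline against a copy; WIN_INI_SAMPLE is constructed.
"""
import ntpath
import re

# File names the writeup associates with the worm.
BADTRANS_FILES = {"inetd.exe", "kern32.exe", "hkk32.exe", "hksdll.dll"}

# Constructed sample of an infected win.ini (not taken from a real machine).
WIN_INI_SAMPLE = """\
[windows]
load=
run=c:\\windows\\inetd.exe
NullPort=None

[Desktop]
Wallpaper=(None)
"""

_RUN_KEY = re.compile(r"^\s*run\s*=", re.IGNORECASE)


def _windows_section(lines):
    """Return (first, end) line indexes of the [windows] section body, or (None, None)."""
    start = None
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if start is not None:
                return start, i                 # the next header closes the section
            if s[1:-1].strip().lower() == "windows":
                start = i + 1
    return (start, len(lines)) if start is not None else (None, None)


def find_run_line(text):
    """Index of the run= line inside [windows], or -1. A run= in another section is ignored."""
    lines = text.splitlines()
    start, end = _windows_section(lines)
    if start is None:
        return -1
    for i in range(start, end):
        if _RUN_KEY.match(lines[i]):
            return i
    return -1


def run_entries(text):
    """Programs named on the run= line; split on spaces (commas are tolerated too)."""
    idx = find_run_line(text)
    if idx < 0:
        return []
    value = text.splitlines()[idx].split("=", 1)[1].strip()
    return [e for e in re.split(r"[\s,]+", value) if e]


def suspicious_run_entries(text):
    """Entries whose file name matches one the writeup lists for W32.Badtrans."""
    return [e for e in run_entries(text) if ntpath.basename(e).lower() in BADTRANS_FILES]


def clear_run_line(text):
    """Step 4 of the writeup: leave 'run=' with nothing after the '=', everything else untouched."""
    lines = text.splitlines()
    idx = find_run_line(text)
    if idx < 0:
        return text
    lines[idx] = lines[idx].split("=", 1)[0] + "="
    cleaned = "\n".join(lines)
    return cleaned + "\n" if text.endswith("\n") else cleaned


if __name__ == "__main__":
    print("run= entries:", run_entries(WIN_INI_SAMPLE))
    print("suspicious:  ", suspicious_run_entries(WIN_INI_SAMPLE))
    print(clear_run_line(WIN_INI_SAMPLE))
```

Run it against a copy of the file and compare the output with the original before writing it back; the script only rewrites the one line the writeup tells you to clear.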
How to remove w32.virut.cf Virus
W32.Virut.CF (also referred to as W32/Virut.n) is a virus that will attempt to infect executable files such as .exe, .scr and other Portable Executable (PE) file formats. W32.Virut.CF will inject an iframe into the body of the web-related files such as .html, .php and .asp, in order to further harm your computer. The most challenging thing about W32.Virut.CF is the fact that it can bypass antivirus program detection and evade the scanning process by using Entry Point Obfuscation (EPO).
W32.Virut.CF Manual Removal Instructions
Backup Reminder: Always be sure to back up your PC before making any changes.
Step 1 : Use Registry Editor to Remove W32.Virut.CF Registry Values
Locate and delete "W32.Virut.CF" registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
Read more on How to Remove W32.Virut.CF Registry Entries
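The registry key named in Step 1 is the Windows XP firewall's list of applications that are allowed through the firewall, so an entry that malware adds there exempts it from host-firewall filtering. Before deleting anything it helps to see what is actually in the list. The following Python script is an added example, not part of the original page: it parses a regedit .reg export of that key (so it runs offline against a saved copy), lists each authorized application, and flags entries by a few defender heuristics. The export text is constructed; the entries follow the XP firewall's path:scope:Enabled|Disabled:label convention. The heuristics (system root under C:\WINDOWS, the set of binaries that only belong in system32, the temp/profile directory markers) are assumptions, not detection rules from the page.

```python
"""List and sanity-check the applications the Windows XP firewall allows, as
recorded under the FirewallPolicy AuthorizedApplications List key the
W32.Virut.CF writeup points at.

Added example, not from the original page. It parses a .reg export so it can
run offline; REG_SAMPLE is constructed. Heuristics are assumptions.
"""
import ntpath
import re

# Constructed sample export; none of these entries are claims about real infections.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\Temp\\svchost.exe"="C:\\WINDOWS\\Temp\\svchost.exe:*:Enabled:svchost"
"""

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_ENTRY = re.compile(r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<label>.*)$")
_LIST_KEY_SUFFIX = r"\authorizedapplications\list"

# Assumptions behind the heuristics: system root and core binaries that only
# belong in system32 (a copy elsewhere is worth a look).
SYSTEM32 = r"c:\windows\system32"
SYSTEM32_ONLY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
WRITABLE_MARKERS = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


def _unescape(s):
    """.reg exports double every backslash and escape embedded quotes."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for the string values in a .reg export."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                result[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return result


def authorized_apps(reg):
    """Flatten every AuthorizedApplications List key (Domain or Standard profile) into entries."""
    apps = []
    for key, values in reg.items():
        if not key.lower().endswith(_LIST_KEY_SUFFIX):
            continue
        profile = "DomainProfile" if "\\domainprofile\\" in key.lower() else "StandardProfile"
        for name, data in values.items():
            m = _ENTRY.match(data)
            if not m:
                continue                        # malformed entry; report separately if needed
            apps.append({"profile": profile, "value_name": name, **m.groupdict()})
    return apps


def suspicious_apps(reg):
    """Entries worth a closer look, each with the reasons that triggered."""
    flagged = []
    for app in authorized_apps(reg):
        path = app["path"].lower()
        reasons = []
        if ntpath.basename(path) in SYSTEM32_ONLY_NAMES and ntpath.dirname(path) != SYSTEM32:
            reasons.append("system-binary name outside system32")
        if any(marker in path for marker in WRITABLE_MARKERS):
            reasons.append("located in a temp or user-profile directory")
        if app["value_name"].lower() != path:
            reasons.append("value name does not match the path in its data")
        if reasons:
            flagged.append({**app, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for app in suspicious_apps(parse_reg(REG_SAMPLE)):
        print(f'{app["profile"]}: {app["path"]} [{app["state"]}] -> {"; ".join(app["reasons"])}')
```

The StandardProfile key (the sibling of DomainProfile under FirewallPolicy) holds the same kind of list for machines not joined to a domain, so export and check both; an unrecognised entry that is flagged here is the one to remove in Step 1, after confirming what the file on disk actually is.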
How to remove w32 ircbot.worm
Symptoms -
If this worm is run on a system which has not yet been patched for the MS05-039 vulnerability, it may reboot.
Method of Infection
Method of Infection -
This threat scans for MS05-039 exploitable systems. When a vulnerable system is found, it uses a buffer overflow to write the worm file to that machine via a TFTP upload on port 8594. Blocking this port via McAfee Desktop Firewall or McAfee Personal Firewall will prevent infection even if the buffer overflow is not prevented.
Removal -
AVERT DATS
Use specified engine and DAT files (or later) for detection and removal. In addition to the DAT version requirements for detection, the specified engine version (or greater) must also be used.
McAfee Intrushield
Sigsets released on Aug 9th, 2005 will detect this as:
DCERPC: Microsoft Plug and Play Service Buffer Overflow (0x47602000)
Stinger
Stinger has been updated to help detect and repair this threat.
McAfee Managed VirusScan
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems.
McAfee Entercept
McAfee Entercept prevents the vulnerable system from being exploited with Level 1 protection enabled.
McAfee VirusScan Enterprise 8.0i
Buffer Overflow Protection blocks the worm from exploiting vulnerable systems. Additionally, systems running VirusScan Enterprise with the "Prevent creation of new files in the System32 folder (.exe)" access protection rule set to "Block access" will be protected from infection, though the buffer overflow may still occur on unpatched systems.
Note: if this rule is set to apply to all processes, it will also block legitimate updates to files in the Windows directory, such as when applying security patches, so it will need to be disabled while such legitimate activity is occurring.
The User-defined Detection feature of the Unwanted Programs Policy can also be used to prevent replication of the worm, by adding a detection for wintbp.exe as shown below (the screenshot is not reproduced here).
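Both this IRCbot writeup and the Conficker.worm.gen.d writeup earlier on the page describe network behaviour a firewall or proxy log will show: for Conficker, connections to the listed external-IP lookup sites followed by SMB (port 445) scanning of the host's own subnet; for IRCbot, the TFTP transfer on port 8594 that this section says to block. The following Python script is an added example, not McAfee's tooling and not from either writeup: it reads constructed firewall-log lines and reports any host that matches one of those three indicators. The log format, the scan threshold and the host addresses are assumptions; the lookup site names and the two port numbers come from the writeups.

```python
"""Flag hosts whose firewall/proxy log activity matches the network symptoms
in the Conficker.worm.gen.d writeup (external-IP lookups, then SMB scanning
of the local subnet) and the IRCbot.worm writeup (TFTP on port 8594).

Added example; not McAfee code. The log format is a constructed, simplified
one: "<time> <src_ip> <dst_ip_or_host> <proto> <dst_port> <action>".
"""
import ipaddress
from collections import defaultdict

# External-IP lookup sites listed in the Conficker writeup.
IP_LOOKUP_HOSTS = {
    "whatsmyipaddress.com", "ipdragon.com", "findmyip.com", "ipaddressworld.com",
    "findmyipaddress.com", "myipaddress.com", "checkip.dyndns.com", "checkip.dyndns.org",
}
SMB_PORT = 445            # MS08-067 is reached through the Server service over SMB
TFTP_UPLOAD_PORT = 8594   # port the IRCbot writeup says the worm file is transferred over
SCAN_THRESHOLD = 8        # assumption: distinct same-/24 SMB peers before we call it scanning

# Constructed sample log (not real traffic). 10.0.5.23 behaves like an infected host.
SAMPLE_LOG = """
08:00:01 10.0.5.23 cnn.com tcp 80 allow
08:00:02 10.0.5.23 checkip.dyndns.org tcp 80 allow
08:00:03 10.0.5.23 findmyip.com tcp 80 allow
08:00:05 10.0.5.23 10.0.5.2 tcp 445 allow
08:00:05 10.0.5.23 10.0.5.3 tcp 445 allow
08:00:05 10.0.5.23 10.0.5.4 tcp 445 deny
08:00:06 10.0.5.23 10.0.5.5 tcp 445 allow
08:00:06 10.0.5.23 10.0.5.6 tcp 445 allow
08:00:06 10.0.5.23 10.0.5.7 tcp 445 deny
08:00:07 10.0.5.23 10.0.5.8 tcp 445 allow
08:00:07 10.0.5.23 10.0.5.9 tcp 445 allow
08:00:07 10.0.5.23 10.0.5.10 tcp 445 allow
08:00:20 10.0.5.40 10.0.5.200 tcp 445 allow
08:00:21 10.0.5.40 msn.com tcp 80 allow
08:00:30 10.0.7.9 10.0.7.55 udp 8594 allow
"""


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _same_subnet(a, b, prefix=24):
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(a) == net(b)


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    time, src, dst, proto, port, action = line.split()
    return {"time": time, "src": src, "dst": dst.lower(), "proto": proto.lower(),
            "port": int(port), "action": action}


def analyse(log_text):
    """Return {src_ip: [finding, ...]} for hosts matching any indicator."""
    ip_lookups = defaultdict(set)   # src -> lookup sites contacted
    smb_peers = defaultdict(set)    # src -> distinct same-subnet hosts contacted on 445
    tftp_peers = defaultdict(set)   # src -> hosts contacted on udp/8594
    for raw in log_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if rec["dst"] in IP_LOOKUP_HOSTS:
            ip_lookups[rec["src"]].add(rec["dst"])
        elif rec["port"] == SMB_PORT and _is_ip(rec["dst"]) and _same_subnet(rec["src"], rec["dst"]):
            smb_peers[rec["src"]].add(rec["dst"])
        elif rec["port"] == TFTP_UPLOAD_PORT and rec["proto"] == "udp":
            tftp_peers[rec["src"]].add(rec["dst"])

    findings = defaultdict(list)
    for src, sites in ip_lookups.items():
        findings[src].append(f"external-IP lookup via {', '.join(sorted(sites))}")
    for src, peers in smb_peers.items():
        if len(peers) >= SCAN_THRESHOLD:    # one file-server connection is normal; fan-out is not
            findings[src].append(f"SMB/445 fan-out to {len(peers)} hosts in its own /24")
    for src, peers in tftp_peers.items():
        findings[src].append(f"TFTP on port {TFTP_UPLOAD_PORT} with {', '.join(sorted(peers))}")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

Denied connections are counted as well as allowed ones on purpose: a host that is being refused by nine neighbours in a row is still scanning. For the port 8594 finding, both endpoints deserve triage, since the writeup does not say which side of the transfer is the infected host.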
How to remove w32.spybot.worm
Also Known As: Win32.Spybot.gen [Computer Associates], Worm.P2P.SpyBot.gen [Kaspersky], W32/Spybot-Fam [Sophos], W32/Spybot.worm.gen [McAfee], WORM_SPYBOT.GEN [Trend]
Type: Worm
Infection Length: Varies.
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows Server 2003, Windows 2000
CVE References: CVE-2001-0876, CVE-2002-1145, CVE-2003-0109, CVE-2003-0352, CVE-2003-0533, CVE-2003-0717, CVE-2003-0812, CVE-2004-0120, CVE-2005-1983, CVE-2006-2630, CVE-2007-0041, CVE-2008-4250
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Run a full system scan, and delete all files detected.
4. Delete the value that was added to the registry.
5. Delete any zero-byte files in the Startup folder.
6. Reenable the SharedAccess service (Windows 2000/XP only)
For specific details on each of these steps, read the following instructions.
1. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.
Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.
Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.
For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
* How to disable or enable Windows Me System Restore
* How to turn off or turn on Windows XP System Restore
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, reenable System Restore by following the instructions in the aforementioned documents.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article: Antivirus Tools Cannot Clean Infected Files in the _Restore Folder (Article ID: Q263455).
2. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
* Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to Virus Definitions (LiveUpdate).
* Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted daily. You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to Virus Definitions (Intelligent Updater).
The latest Intelligent Updater virus definitions can be obtained here: Intelligent Updater virus definitions. For detailed instructions read the document: How to update virus definition files using the Intelligent Updater.
3. To scan for and delete the infected files
1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
* For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
* For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
2. Run a full system scan.
3. Note any files detected, then click Delete.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.
Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Click OK.
5. In the Registry Editor, navigate to the following subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\OLE
6. In the right pane, delete any values that refer to the file names that were detected.
7. Navigate to the subkeys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
8. In the right pane, the worm sets the following value (4 = Disabled); reset it to its original value, if known:
"Start" = "4"
9. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
10. In the right pane, the worm sets the following value; reset it to its original value, if known:
"restrictanonymous" = "1"
11. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
12. In the right pane, the worm sets the following values (turning off the administrative shares); reset them to their original values, if known:
"AutoShareWks" = "0"
"AutoShareServer" = "0"
13. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
14. In the right pane, the worm sets the following value; reset it to its original value, if known:
"DoNotAllowXPSP2" = "1"
15. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
16. In the right pane, the worm sets the following value (disabling DCOM); reset it to its original value, if known:
"EnableDCOM" = "N"
17. Navigate to and delete the following subkeys, if present:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BoolTern
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\rdriv
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_RDRIV
18. Exit the Registry Editor.
5. To delete the zero-byte files from the Startup folder
Follow the instructions for your version of Windows:
Note: There may be legitimate files on your system that start with "tftp." Delete only the zero-byte files from the Startup folder.
To delete zero-byte files in Windows 95/98/Me/NT/2000
1. On the Windows taskbar, click Start > Find (or Search) > Files or Folders.
2. Make sure that "Look in" is set to (C:) and that "Include subfolders" is checked.
3. In the "Named" or "Search for..." box, type, or copy and paste, the following file name:
tftp*.*
4. Click Find Now or Search Now.
5. Delete the files that are zero bytes in size and contained within any folder whose name ends with "Startup."
To delete zero-byte files in Windows XP
1. On the Windows taskbar, click Start > Search.
2. Click All files and folders.
3. In the "All or part of the file name" box, type, or copy and paste, the following file name:
tftp*.*
4. Make sure that "Look in" is set to "Local Hard Drives" or to (C:).
5. Click More advanced options.
6. Check Search system folders.
7. Check Search subfolders.
8. Click Search.
9. Delete the files that are zero-bytes in size and contained within any folder whose name ends with "Startup."
6. To reenable the SharedAccess service (Windows 2000/XP only)
The SharedAccess service is responsible for maintaining Internet Connection Sharing and the Windows Firewall/Internet Connection Firewall applications in Windows. (The presence and names of these applications vary depending on the operating system and service pack you are using.) To protect your computer and maintain network functionality, re-enable this service if you are using any of these programs.
Windows XP Service Pack 2
If you are running Windows XP with Service Pack 2 and are using the Windows Firewall, the operating system will alert you when the SharedAccess service is stopped, by displaying an alert balloon saying that your Firewall status is unknown. Perform the following steps to ensure that the Windows Firewall is re-enabled:
1. Click Start > Control Panel.
2. Double-click the Security Center.
3. Ensure that the Firewall security essential is marked ON.
Note: If the Firewall security essential is marked on, your Windows Firewall is on and you do not need to continue with these steps.
If the Firewall security essential is not marked on, click the "Recommendations" button.
4. Under "Recommendations," click Enable Now. A window appears telling you that the Windows Firewall was successfully turned on.
5. Click Close, and then click OK.
6. Close the Security Center.
Windows 2000 or Windows XP Service Pack 1 or earlier
Complete the following steps to re-enable the SharedAccess service:
1. Click Start > Run.
2. Type services.msc
Then click OK.
3. Do one of the following:
* Windows 2000: Under the Name column, locate the "Internet Connection Sharing (ICS)" service and double-click it.
* Windows XP: Under the Name column, locate the "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" service and double-click it.
4. Under "Startup Type:", select "Automatic" from the drop-down menu.
5. Under "Service Status:", click the Start button.
6. Once the service has completed starting, click OK.
7. Close the Services window.
Writeup By: Douglas Knowles
How to remove w32.downadup.b
W32.Downadup.B is a worm that propagates by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067). It lowers the security of the compromised computer by ending security-related processes and by blocking access to computer security websites.
Alias:
* Worm:W32/Downadup.AL
* Win32/Conficker.B
* W32/Confick-D
* WORM_DOWNAD.AD
* Net-Worm.Win32.Kido.ih
* Conficker.D
Damage Level: High
Systems Affected: Windows
W32.Downadup.B Removal Tool
1. Download the Downadup removal tool and save it on Desktop.
2. Double-click the downloaded file, choose "Extract all files..." from the File menu, and follow the wizard's instructions. You can use any other archiver, such as WinZip. This will create a folder called bd_rem_tool.
3. Double click on the file “bd_rem_tool_gui.exe” (or just “bd_rem_tool_gui”). Make sure that all files have been extracted from the zip archive, because all the contents are required for the removal tool to run. Follow the tool’s instructions.
4. If you have restricted access (not Administrator) on Windows Vista or XP, right-click the "bd_rem_tool_gui" program and choose "Run as Administrator". Enter the computer's administrator user name and password when prompted.
5. Reboot your computer when scanning is finished.
how to remove w32.ackantta.b@mm
W32.Ackantta.B@mm is a self-replicating computer worm. It creates a copy of itself on the compromised system, harvests e-mail addresses from the infected computer and mass-mails itself as an attachment to scam messages. The worm is designed to spread rather than to damage the system, but it should be removed as soon as it is detected.
W32.Ackantta.B@mm manual removal:
Kill processes:
javale.exe
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SunJava Updater v7" = "%System%\javale.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%System%\javale.exe" = "%System%\javale.exe:*:Enabled:Explorer"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"javastation1.1" = "02"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\"ultrasparc1.1" = "25"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"CheckExeSignatures" = "0x1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\"RunInvalidSignatures" = "no"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\"LowRiskFileTypes" =
Delete files:
javale.exe
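The W32.Spybot registry steps above (section 4 of that removal) restore settings the worm changes, and the W32.Ackantta.B@mm list just above names values the worm adds (an autostart entry and a Windows Firewall exception for javale.exe). On more than one or two machines it is quicker to audit a registry export than to click through regedit. The following script is an added example in Python, not Symantec's or this page's own tool: it parses the text of a .reg file such as `reg export HKLM hklm.reg` produces (saved as UTF-16, which is why the script opens it with that encoding) and reports every value that still matches what the worms leave behind. SAMPLE_REG and the C:\WINDOWS\system32\javale.exe paths in it are constructed for the demonstration. Which Start values are legitimate defaults depends on the Windows version (Telnet and Messenger are disabled by default on XP SP2), so the report says what a value matches and leaves the decision to the operator.

```python
"""Audit a .reg export for the registry changes left by W32.Spybot and W32.Ackantta.B@mm.
Added example, not a Symantec tool.  Assumes `reg export HKLM hklm.reg` (UTF-16 text)."""
import re
import sys
from typing import Dict, List

RegTree = Dict[str, Dict[str, object]]   # lowercased key -> {lowercased value name: data}
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text: str) -> RegTree:
    """Parse .reg text: REG_SZ and REG_DWORD are decoded, hex(*) data is kept as written."""
    tree: RegTree = {}
    key = None
    pending = ""                          # hex data is wrapped with a trailing backslash
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})      # a key exported with no values still exists
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1)).lower()
        data = m.group(3)
        if data.startswith("dword:"):
            tree[key][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            tree[key][name] = _unescape(data[1:-1])
        else:
            tree[key][name] = data
    return tree

SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# (key, value name, data W32.Spybot sets, effect).  Start=4 means "Disabled"; on some Windows
# versions that is the legitimate default (Telnet, Messenger on XP SP2), so the operator decides.
SPYBOT_VALUES = [(SERVICES + "\\" + s, "Start", 4, s + " service disabled")
                 for s in ("SharedAccess", "wscsvc", "TlntSvr", "RemoteRegistry", "Messenger")]
SPYBOT_VALUES += [(SERVICES + "\\" + s + r"\parameters", v, 0, "administrative shares off")
                  for s in ("lanmanserver", "lanmanworkstation") for v in ("AutoShareWks", "AutoShareServer")]
SPYBOT_VALUES += [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "restrictanonymous", 1, "anonymous enumeration restricted"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate", "DoNotAllowXPSP2", 1, "XP SP2 withheld from Windows Update"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE", "EnableDCOM", "N", "DCOM disabled"),
]
SPYBOT_KEYS = [SERVICES + r"\BoolTern", SERVICES + r"\rdriv",
               r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BOOLTERN",
               r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RDRIV"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FW_LIST_KEY = SERVICES + r"\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List"

def audit(tree: RegTree) -> List[str]:
    """One line per finding; an empty list means no worm-set value or key was seen."""
    findings = []
    for key, name, worm_data, effect in SPYBOT_VALUES:
        data = tree.get(key.lower(), {}).get(name.lower())
        if data is not None and str(data).lower() == str(worm_data).lower():
            findings.append(f"{key}\\{name} = {data!r}: {effect} (value W32.Spybot sets; restore the original if it differed)")
    for key in SPYBOT_KEYS:
        if key.lower() in tree:
            findings.append(f"{key}: W32.Spybot driver key present; delete it")
    for name, data in tree.get(RUN_KEY.lower(), {}).items():
        if "javale.exe" in str(data).lower():
            findings.append(f"{RUN_KEY}\\{name} = {data!r}: W32.Ackantta.B@mm autostart; delete it")
    for name in tree.get(FW_LIST_KEY.lower(), {}):
        if name.endswith("\\javale.exe"):
            findings.append(f"{FW_LIST_KEY}\\{name}: firewall exception for W32.Ackantta.B@mm; delete it")
    return findings

# Constructed export: a disabled service, a clean one, a Spybot driver key and the two Ackantta values.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE]
"EnableDCOM"="N"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdriv]
"ImagePath"=hex(2):72,00,64,00,72,00,69,00,76,00,2e,00,73,00,\
  79,00,73,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJava Updater v7"="C:\\WINDOWS\\system32\\javale.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\javale.exe"="C:\\WINDOWS\\system32\\javale.exe:*:Enabled:Explorer"
'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    print("\n".join(audit(parse_reg(text)) or ["no worm-set values found"]))
```

Run it with no argument to see the findings for the constructed export, or with the path of a real export (HKCU keys such as the Ackantta Explorer and Internet Explorer\Download values can be checked the same way after `reg export HKCU hkcu.reg`). Values are compared as strings so a REG_SZ "N" and a REG_DWORD 4 go through the same path; a key that regedit exported with no values is still recorded, which is what makes the BoolTern/rdriv check work.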
How to remove W32.SillyFDC
Description:
W32.SillyFDC is a generic detection for a family of worms that propagate by copying and renaming themselves to removable media and to the root of local and remote drives, relying on an autorun.inf file there to get executed.
HOW TO REMOVE W32.SillyFDC
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Download Ewido Micro Scanner and save it to your Desktop. Do not scan yet
3. Reboot computer in SafeMode [how to]
4. End malicious Process
- Press Ctrl+Alt+Del
- Click Process tab
- End the following processes if present: password_viewer.exe, CALC, calc, mscalc.exe, startupfolder, config_, startupfolder.com, config_.com
5. Delete the autorun files
- Go to Start > Run, type "cmd"
- At the command prompt, type "cd\", this will bring you to C:\
- Type "attrib" (C:\>attrib); it lists the files in the root with their attributes. Note the attributes on autorun.inf: usually it has S, H and R (System, Hidden, Read-only).
- Type "attrib -s -h -r C:\autorun.inf" to remove the System, Hidden and Read-only attributes
- Type "edit autorun.inf" it will open DOS Editor and display contents as follows
=======================
[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe
=======================
Take note of the file/path it runs. Ex: open=file.exe, where file.exe is the name of the file that autoruns. The shell\...\Command lines can point to a different file than the open= line, so note each one.
- Exit DOS Editor.
- Back at the command prompt, type "attrib -s -h -r file.exe", where file.exe is the file that autorun.inf runs. Ex: C:\>attrib -s -h -r file.exe. If it is in a different directory, include the path. Ex: C:\>attrib -s -h -r c:\Windows\file.exe
- Type "del file.exe". If it is in a different directory, include the path.
Ex: C:\>del c:\Windows\file.exe
- Type "del autorun.inf"
- Type "del c:\Windows\autorun.inf"
- Type "del c:\Windows\password_viewer.exe"
- Type del "c:\Documents and Settings\(Your User Name)\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf" (the path contains spaces, so it must be quoted)
- Exit command prompt by typing "exit"
6. Run Disk Cleanup
- Go to Start > All Programs > Accessories > System Tools, click Disk Cleanup
- Check the following: Downloaded Program Files, Temporary Internet Files, Offline Webpages, Recycle Bin and Temporary Files.
7. View hidden files and folders.
- Open Windows Explorer
- Go to Tools > Folder Options
- Go to View Tab
- Mark "Show hidden files and folders"
- Click Apply, then OK
Note: If unable to change the settings, please click here.
8. Update and scan with your installed AntiVirus. Quarantine/Delete infected files
9. Search and delete other files.
- Go to Start > Search
- Find and delete files : password_viewer.exe, calc.exe (not the one located on \system32\calc.exe), mscalc.exe, startupfolder.exe, config_.exe, startupfolder.com and config_.com
10. Scan with Ewido
- Double click the downloaded Ewido_Micro
- It will download Signature Database before scanning
- When update is completed, disconnect computer from Internet (Turn Off Modem or unplug RJ45 jack)
- Click "Start scan" to begin. The scan may take some time to finish.
- Click “Remove Infection” to delete infected files.
- Restart computer and do another scan with Ewido
11. In order to make sure that threat is completely eliminated from your computer, carry out a full scan of your computer using AntiVirus and Antispyware Software. Another way to delete the virus using various Antivirus Program without the need to install can be done with Online Virus Scanner.
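Step 5 above has you open autorun.inf in the DOS editor and copy the file names out by hand. The script below is an added example in Python, not part of the original procedure: it parses an autorun.inf, returns every directive Windows would actually execute (open, shellexecute and shell\verb\command; icon=, label= and shell= only name an icon or a default verb), strips quoting and arguments to get the program, and prints the attrib/del lines from step 5 for each distinct target and for autorun.inf itself. Both sample files are constructed for the demonstration; the password_viewer.exe name is taken from the process list in step 4. Read the real file with `type C:\autorun.inf` or pass its path to the script; on a live infection it is safer to do this from a clean machine with the drive attached, since opening the drive in Explorer is exactly what triggers the file.

```python
"""Parse autorun.inf and emit the manual clean-up commands from step 5.
Added example, not from the original post; it only parses text, so it runs on any OS."""
import ntpath
import re
import sys
from typing import Dict, List

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command
_EXEC_DIRECTIVES = ("open", "shellexecute")

def parse_autorun(text: str) -> Dict[str, str]:
    """Directives of the [autorun] section, keys lowercased; a repeated key keeps its last value."""
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            in_autorun = m.group(1).strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives

def _program(command: str) -> str:
    """The program part of a command line: a quoted path, else the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""

def launch_targets(text: str) -> Dict[str, str]:
    """Map each executing directive to the program it launches (icon=, label=, shell= do not execute)."""
    targets: Dict[str, str] = {}
    for key, value in parse_autorun(text).items():
        if key in _EXEC_DIRECTIVES or _SHELL_CMD_RE.match(key):
            program = _program(value)
            if program:
                targets[key] = program
    return targets

def cleanup_commands(drive: str, text: str) -> List[str]:
    """cmd.exe lines for step 5: clear S/H/R attributes, then delete each target and autorun.inf."""
    paths: List[str] = []
    for program in launch_targets(text).values():
        full = ntpath.join(drive, program)    # relative targets resolve against the drive root
        if full.lower() not in [p.lower() for p in paths]:
            paths.append(full)
    paths.append(ntpath.join(drive, "autorun.inf"))
    return [cmd for p in paths for cmd in (f'attrib -s -h -r "{p}"', f'del "{p}"')]

# The layout shown in step 5 (constructed; a real file may name any executable)
SAMPLE_AUTORUN = r"""[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe
"""

# Constructed variant: quoted path with spaces and an argument, a default verb, an icon line
SAMPLE_QUOTED = r"""[AutoRun]
; written by the worm
shellexecute="System Volume Information\password_viewer.exe" /q
shell=open
shell\open\command="System Volume Information\password_viewer.exe" /q
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTORUN
    for directive, program in launch_targets(text).items():
        print(f"{directive} -> {program}")
    print("\n".join(cleanup_commands("C:\\", text)))
```

The generated lines quote every path, which the manual steps need for the "Documents and Settings" location; run them from an elevated command prompt, and repeat for each drive letter the worm may have written to, since W32.SillyFDC drops the same pair of files on every removable and mapped drive it can reach.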
W32.SillyFDC is a common detection process for files that are infected with W32.Silly. It propagates by copying and renaming itself on removable media devices and root of local and remote drives.
HOW TO REMOVE W32.SillyFDC
1. Temporarily Disable System Restore (Windows Me/XP). [how to]
2. Download Ewido Micro Scanner and save it to your Desktop. Do not scan yet
3. Reboot computer in SafeMode [how to]
4. End malicious Process
- Press Ctlr+Alt+Del
- Click Process tab
- End the process if present: password_viewer.exe, CALC, calc, mscalc.exe, startupfolder, config_
startupfolder.com, config_.com
5. Delete the autorun files
- Go to Start > Run, type "cmd"
- At the command prompt, type "cd\", this will bring you to C:\
- Type "attrib" (C:\>attrib), it will display files with attributes. Take note on attribute of autorun.inf. Usually it has SHR.
- Type “attrib -s -h -r C:\autorun.inf”, it will remove System, Hidden and Read-Only attribute
- Type "edit autorun.inf" it will open DOS Editor and display contents as follows
=======================
[autorun]
open=file.exe
shell\Open\Command=file.exe
shell\open\Default=1
shell\Explore\Command=file.exe
shell\Autoplay\command=file.exe
=======================
take note of the file/path that it runs. Ex: open=file.exe where file.exe is the filename of the file that autoruns.
- Exit DOS Editor.
- Back at the command prompt type "attrib -s -h -r file.exe", where file.exe is the file that was called on DOS editor to autorun. Ex: C:\>attrib -s -h -r file.exe. If it is located on different directory include the path. Ex: C:\>attrib -s -h -r c:\Windows\file.exe
- Type "del file.exe". If it is located on different directory include the path.
Ex: C:\>del c:\Windows\file.exe
- Type "del autorun.inf"
- Type "del c:\Windows\autorun.inf
- Type "del c:\Windows\password_viewer.exe
- Type "del c:\Douments and Settings\(Your User Name)\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf
- Exit command prompt by typing "exit"
6. Run Disk Cleanup
- Go to Start > All Programs > Accessories > System Tools, click Disk Cleanup
- Check the following: Downloaded Program Files, Temporary Internet Files, Offline Webpages, Recycle Bin and Temporary Files.
7. View hidden files and folders.
- Open Windows Explorer
- Go to Tools > Folder Options
- Go to View Tab
- Mark "Show hidden files and folders"
- Click Apply, then OK
Note: If unable to change the settings, please click here.
8. Update and scan with your installed AntiVirus. Quarantine/delete infected files.
9. Search and delete other files.
- Go to Start > Search
- Find and delete files : password_viewer.exe, calc.exe (not the one located on \system32\calc.exe), mscalc.exe, startupfolder.exe, config_.exe, startupfolder.com and config_.com
10. Scan with Ewido
- Double click the downloaded Ewido_Micro
- It will download Signature Database before scanning
- When update is completed, disconnect computer from Internet (Turn Off Modem or unplug RJ45 jack)
- Click "Start scan" to begin. It may take time for the process to finish.
- Click “Remove Infection” to delete infected files.
- Restart computer and do another scan with Ewido
11. To make sure the threat is completely eliminated from your computer, carry out a full scan with your AntiVirus and Antispyware software. Another way to remove the virus without installing an antivirus program is to use an Online Virus Scanner.
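The manual part of step 5 (open autorun.inf, note which file it launches, clear its attributes, delete it) can be done against a copy of the file instead of in the DOS editor. The following is an added example, not code from the original post: a tolerant parser for the [autorun] section that lists every program the file would execute and then builds the attrib/del lines from the steps above as text for review. The sample autorun.inf is constructed from the listing shown in step 5.

```python
"""Triage an autorun.inf and list the files it would launch.

Added example, not part of the original post: it does in code what the
"edit autorun.inf, take note of the file it runs" step above does by hand,
so the files that need 'attrib -s -h -r' and 'del' can be listed from a
copy of autorun.inf taken off the drive.  Pure Python, no Windows APIs;
the sample file below is constructed from the listing in the post.
"""
import re
from typing import Dict, List

# [autorun] keys whose value names a program to run.  Verb keys such as
# shell\Open\Command are matched by the regex; shell\open\Default is not a
# launch key (it only selects the default verb).
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key -> value for the [autorun] section, keys lower-cased.

    Worm-written autorun.inf files are often padded with junk lines or use
    odd casing, so the parser is tolerant: lines outside [autorun], comment
    lines (; or #) and lines without '=' are ignored.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def _program_token(value: str) -> str:
    """First token of a command line, honouring a quoted program path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def launched_files(text: str) -> List[str]:
    """Distinct program paths the autorun.inf would execute, in file order."""
    files: List[str] = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            program = _program_token(value)
            if program and program.lower() not in [f.lower() for f in files]:
                files.append(program)
    return files


def cleanup_commands(files: List[str], root: str = "C:\\") -> List[str]:
    """Build the attrib/del lines from the removal steps, as text for review.

    Nothing is executed here.  Names without a drive letter are resolved
    against the root the autorun.inf was found on (default C:\\, as in the
    post); attributes are cleared on every target before any deletion.
    """
    targets = [root + "autorun.inf"]
    for f in files:
        targets.append(f if re.match(r"^[A-Za-z]:", f) else root + f.lstrip("\\"))
    return [f"attrib -s -h -r {t}" for t in targets] + [f"del {t}" for t in targets]


# Constructed sample, mirroring the listing shown in step 5 above.
SAMPLE_AUTORUN = """[autorun]
open=file.exe
shell\\Open\\Command=file.exe
shell\\open\\Default=1
shell\\Explore\\Command=file.exe
shell\\Autoplay\\command=file.exe
"""

if __name__ == "__main__":
    for f in launched_files(SAMPLE_AUTORUN):
        print("autorun target:", f)
    for cmd in cleanup_commands(launched_files(SAMPLE_AUTORUN)):
        print(cmd)
```

Run it against a copy of autorun.inf from each drive root (and from the CD Burning folder named in step 5), then review the printed lines before typing them at the prompt; the generated commands are only as complete as the file you fed in.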
How to Remove The Sasser worm - W32.Sasser.Worm
What is the Sasser worm?
The Sasser worm infects machines via network connections. It can attack entire networks of computers or a single computer connected to the Internet. The worm exploits a known Windows vulnerability that is easily patched; however, few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines along with Windows NT and Windows Server 2003.
1. Disconnect your computer from the local area network or Internet.
2. Click Start > Run, type:
shutdown -i
and press Enter.
In the Remote Shutdown Dialog that opens, change 20 seconds to:
9999
and click OK.
3. Reconnect the network/Internet connection, click Start > Windows Update to install all necessary patches automatically.
4. Terminate the running process.
Press CTRL+ALT+DEL to open Windows Task Manager, then select the Processes tab. Scroll down the list and search for the following processes:
* avserve.exe
* avserve2.exe
* skynetave.exe
* any process with a name consisting of four or five digits, followed by _up.exe (eg 64354_up.exe).
If you find any such process, click it, and then click End Process. Exit Task Manager.
5. Disable System Restore (Windows XP)
6. Remove the registry entries.
Click Start > Run, type 'regedit' and click Ok.
Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the following entries:
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"
Close the Registry Editor.
7. Search for and delete the following files:
avserve.exe
avserve2.exe
skynetave.exe
8. Update your antivirus tool's virus definitions and run a thorough scan of your system.
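Steps 4 and 6 name the indicators to look for: three process images, the "four or five digits followed by _up.exe" pattern, and three Run-key values. The following is an added example, not code from the original post, that encodes those indicators as a check over text exported from the machine (a tasklist listing and a reg query export of the Run key), so the same review can be repeated on several hosts. Both sample listings are constructed.

```python
"""Flag Sasser indicators in exported process and Run-key listings.

Added example, not part of the original post.  It turns the indicators the
removal steps above list (the three process names, the "four or five
digits followed by _up.exe" pattern, and the three Run-key values) into a
check that runs over text copied off the machine, such as the output of
'tasklist' and of 'reg query' on the Run key.  Both sample listings below
are constructed.
"""
import re
from typing import Dict, List

SASSER_IMAGES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
# e.g. 64354_up.exe: exactly four or five digits, then _up.exe
UP_EXE_RE = re.compile(r"^\d{4,5}_up\.exe$")
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def is_sasser_process(image: str) -> bool:
    """True for a process image name matching the indicators in step 4."""
    name = image.strip().lower()
    return name in SASSER_IMAGES or UP_EXE_RE.match(name) is not None


def suspicious_processes(tasklist_output: str) -> List[str]:
    """Image names from 'tasklist' text output that match the indicators."""
    hits: List[str] = []
    for line in tasklist_output.splitlines():
        parts = line.split()
        if parts and is_sasser_process(parts[0]) and parts[0] not in hits:
            hits.append(parts[0])
    return hits


def suspicious_run_values(reg_query_output: str) -> Dict[str, str]:
    """Name -> data for the Run-key values named in step 6.

    Parses the 'reg query' listing format: '<name>  <REG_type>  <data>'.
    The data column may contain spaces, so the line is split at most twice.
    """
    hits: Dict[str, str] = {}
    for line in reg_query_output.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            name, _, data = parts
            if name.lower() in SASSER_IMAGES:
                hits[name] = data
    return hits


# Constructed 'tasklist' output (one Sasser image and one NNNNN_up.exe).
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
explorer.exe                  1188 Console                    0     21,404 K
avserve.exe                   1420 Console                    0      4,212 K
64354_up.exe                  1464 Console                    0      1,020 K
calc.exe                      1500 Console                    0      2,100 K
"""

# Constructed 'reg query' output for the Run key, with one benign value.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe       REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    avserve.exe      REG_SZ    C:\WINDOWS\avserve.exe
    skynetave.exe    REG_SZ    C:\WINDOWS\skynetave.exe
"""

if __name__ == "__main__":
    print("processes to end:", suspicious_processes(SAMPLE_TASKLIST))
    print("Run values to delete under", RUN_KEY)
    for name, data in suspicious_run_values(SAMPLE_REG_QUERY).items():
        print(f'  "{name}"="{data}"')
```

The digit pattern is anchored on both ends so that a benign name such as "update_up.exe" or a six-digit prefix is not flagged; an empty result from both functions means only that the named indicators are absent, and step 8 (a full scan with current definitions) still applies.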
Complete List of Free spyware virus malware antivirus Removal Tools to clean your PC
Thursday, December 3, 2009
Running two anti virus products on the same computer can cause system instability, degraded performance and maybe the inability to identify a virus correctly. I have even heard of a case where someone managed to install as many as 3 anti virus on his computer and yet no problems. I would say he is just plain lucky and one day the anti virus will conflict and give so much trouble that he will not be able to recover Windows from the crash. It is very important that any previously installed anti virus software is uninstalled from your system before proceeding with the installation of the next anti virus that you would like to install.
The standard method of uninstalling an anti virus is from Add or Remove Programs, but sometimes the uninstaller process would hang and you will not be able to remove the anti virus from your system. When this happens, you can try using the removal tool provided by the anti virus company to remove the installed anti virus. I always have a list of uninstallers for anti virus software on my USB flash drive. Here I am sharing with you guys my list and perhaps it could help you uninstall an anti virus program that you are having trouble uninstalling.
Most of the uninstallers below are very straightforward. Just download, run the file and click a button to proceed with the uninstaller. Some are a little more complicated and require more steps, which I have noted.
1. Avast Download avast! Uninstall Utility
2. AVG Download AVG Remover 32-bit | 64-bit
3. Avira Download Avira RegCleaner
4. BitDefender Download BitDefender Uninstall Tool 32-bit | 64-bit
5. Computer Associates Download CA SupportBridge for 2008 | 2009 products
6. ESET Download NOD32Removal
7. F-Secure Download F-Secure Removal Tool
8. Kaspersky Download Kaspersky Anti-Virus Remover
9. McAfee Download McAfee Consumer Product Removal Tool
10. Windows Live OneCare Download Windows Live OneCare Cleanup Tool
11. Norton / Symantec Download Norton Removal Tool
12. G DATA Download G DATA AV-Cleaner
13. Panda Security Download Panda Security Uninstaller
14. Trend Micro Download Trend Micro Diagnostic Toolkit 32-bit | 64-bit
15. AppRemover Download AppRemover
Blocking Unwanted Parasites with a Hosts File
What a host file does
The Hosts file contains the mappings of IP addresses to host names. This file is loaded into memory at startup, and Windows checks the Hosts file before it queries any DNS server, which lets it override addresses in DNS. This prevents access to the listed sites by redirecting any connection attempts back to the local (your) machine. Another feature of the HOSTS file is its ability to block other applications from connecting to the Internet, provided the entry exists.
You can use a HOSTS file to block ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and even most hijackers. This is accomplished by blocking the connections that supply these little gems.
Example - the following entry 127.0.0.1 ad.doubleclick.net blocks all files supplied by that DoubleClick Server to the web page you are viewing. This also prevents the server from tracking your movements. Why? ... because in certain cases "Ad Servers" like Doubleclick (and many others) will try to open a separate connection on the webpage you are viewing.
For XP SP2 users you should see a Security Center prompt about allowing this connection. [screenshot]
Simply click No and continue. Yes the prompts can be annoying but at least you'll know, however you should not see these prompts if these entries are included in the HOSTS file.
Note: this prompt only occurs if (example) *.doubleclick.net is included in the "Restricted Zone".
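What the entry 127.0.0.1 ad.doubleclick.net does, shown in code: the following is an added example, not from the original post, that parses a HOSTS file the way a top-down lookup reads it and reports which names it pins to the local machine. One point worth seeing in the output is that HOSTS entries match a name verbatim; the file has no wildcard syntax, so the entry above does nothing for other *.doubleclick.net names (the "*.doubleclick.net" in the note refers to the Restricted Zone, a separate mechanism), and each host to block needs its own line. The sample file is constructed.

```python
"""Parse a HOSTS file and check which names it pins to the local machine.

Added example, not part of the original post.  It shows what the entry
described above does when the resolver consults the file: a name is
redirected only if it appears verbatim.  The HOSTS file has no wildcard
syntax, so '127.0.0.1 ad.doubleclick.net' says nothing about other
*.doubleclick.net names; each one needs its own line.  The sample file is
constructed.
"""
from typing import Dict, Optional

# Addresses a blocking entry points at: loopback (the post's choice) or the
# unroutable 0.0.0.0, which avoids a connection to any local listener.
LOCAL_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname (lower-cased) to its address.

    Comment text after '#' and blank lines are dropped; one line may list
    several names for the same address.  A name listed twice keeps its first
    address, which is the entry a top-down lookup of the file finds.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), address)
    return table


def resolve(table: Dict[str, str], hostname: str) -> Optional[str]:
    """Address the HOSTS file gives for hostname, or None to fall through to DNS."""
    return table.get(hostname.strip().lower())


def is_blocked(table: Dict[str, str], hostname: str) -> bool:
    """True when the file redirects hostname to the local machine."""
    return resolve(table, hostname) in LOCAL_ADDRESSES


def blocking_entry(hostname: str, address: str = "127.0.0.1") -> str:
    """The line to add for one host, in the form the post shows."""
    return f"{address} {hostname.strip().lower()}"


# Constructed sample in Windows HOSTS format.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net      # the example entry from the post
127.0.0.1       ad.tracker.invalid  counter.tracker.invalid
"""

if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ad.doubleclick.net", "static.doubleclick.net"):
        print(name, "blocked" if is_blocked(hosts, name) else "resolved via DNS")
```

Running it prints that ad.doubleclick.net is blocked while static.doubleclick.net still resolves via DNS, which is why published blocking lists carry one line per hostname rather than a domain pattern.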
UAE Blackberry update was spyware
An update for Blackberry users in the United Arab Emirates could allow unauthorised access to private information and e-mails.
The update was prompted by a text from UAE telecoms firm Etisalat, suggesting it would improve performance.
Instead, the update resulted in crashes or drastically reduced battery life.
Blackberry maker Research in Motion (RIM) said in a statement the update was not authorised, developed, or tested by RIM.
Etisalat is a major telecommunications firm based in the UAE, with 145,000 Blackberry users on its books.
In the statement, RIM told customers that "Etisalat appears to have distributed a telecommunications surveillance application... independent sources have concluded that it is possible that the installed software could then enable unauthorised access to private or confidential information stored on the user's smartphone".
It adds that "independent sources have concluded that the Etisalat update is not designed to improve performance of your BlackBerry Handheld, but rather to send received messages back to a central server".
The concern over this unauthorised access only came to light when users started reporting problems with their handsets.
After downloading the update, users across the country noticed significantly reduced battery life, poor reception and in some cases, handsets stopped working altogether.
Users have complained that the firm's customer service is unable to provide information on the problem. Initial advice led many users to simply buy new batteries.
'Surveillance solutions'
The update has now been identified as an application developed by American firm SS8. The California-based company describes itself as a provider of "lawful electronic intercept and surveillance solutions".
It is not clear why Etisalat wanted to include the software in the download.
The firm issued a brief statement last week, calling the problem a "slight technical fault", saying that the "upgrades were required for service enhancements".
Etisalat told BBC News that it stands by last week's statement and has not yet responded to further requests for comment.
"There may be a good reason they wanted to install the software," said one Blackberry user in Dubai who did not want to be named.
"But my biggest problem is that my phone won't work. If you call customer service you either can't get through, or they don't know what to tell you. I don't know what to do."
RIM has now issued its own update allowing users to remove the application. Customers of the country's rival service, Du, have not been affected.
Packed.Generic.270
Discovered: November 29, 2009
Updated: November 30, 2009 5:58:30 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Packed.Generic.270 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.
This heuristic detection is used to detect threats associated with the following families:
* Infostealer.Banker.C
* Trojan.Dropper
Protection
* Initial Rapid Release version November 29, 2009 revision 048
* Latest Rapid Release version November 29, 2009 revision 048
* Initial Daily Certified version November 30, 2009 revision 004
* Latest Daily Certified version November 30, 2009 revision 004
* Initial Weekly Certified release date December 2, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
Distribution
* Distribution Level: Low
Packed.Generic.271
Discovered: November 30, 2009
Updated: November 30, 2009 11:18:21 AM
Type: Trojan, Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Packed.Generic.271 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.
This heuristic detection is used to detect threats associated with the following families:
* Infostealer.Banker.C
* Downloader
Protection
* Initial Rapid Release version November 30, 2009 revision 005
* Latest Rapid Release version November 30, 2009 revision 005
* Initial Daily Certified version November 30, 2009 revision 004
* Latest Daily Certified version November 30, 2009 revision 004
* Initial Weekly Certified release date December 2, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
Distribution
* Distribution Level: Low
AntivirusSystemPro
Updated: November 30, 2009 3:32:18 PM
Type: Misleading Application
Name: Antivirus System Pro
Risk Impact: Medium
Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Behavior
AntivirusSystemPro is a misleading application that may give exaggerated reports of threats on the computer.
Protection
* Initial Rapid Release version November 30, 2009 revision 017
* Latest Rapid Release version November 30, 2009 revision 025
* Initial Daily Certified version November 30, 2009 revision 022
* Latest Daily Certified version November 30, 2009 revision 040
* Initial Weekly Certified release date December 2, 2009
Trojan.Vundo!gen2
Discovered: December 2, 2009
Updated: December 2, 2009 11:57:16 AM
Type: Trojan
Systems Affected: Windows XP, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Trojan.Vundo!gen2 is a heuristic detection used to detect threats associated with the following family:
Trojan.Vundo
Protection
* Initial Rapid Release version December 2, 2009 revision 008
* Latest Rapid Release version December 2, 2009 revision 008
* Initial Daily Certified version December 2, 2009 revision 024
* Latest Daily Certified version December 2, 2009 revision 024
* Initial Weekly Certified release date December 2, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Medium
Distribution
* Distribution Level: Low
W32.Mabezat.B!dam
Discovered: December 2, 2009
Updated: December 2, 2009 4:38:12 PM
Type: Virus
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.Mabezat.B!dam is a detection for corrupted files that are infected with W32.Mabezat.B.
Protection
* Initial Rapid Release version December 2, 2009 revision 022
* Latest Rapid Release version December 2, 2009 revision 022
* Initial Daily Certified version December 2, 2009 revision 024
* Latest Daily Certified version December 2, 2009 revision 024
* Initial Weekly Certified release date December 9, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Medium
Distribution
* Distribution Level: Low
Adware.Zwunzi
Updated: December 3, 2009 12:59:34 AM
Type: Adware
Name: Zwunzi
Version: 1.0 build 128
Publisher: zwunzi.com
Risk Impact: High
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Behavior
Adware.Zwunzi is an adware program that installs itself as a Browser Search Plugin for Internet Explorer and Mozilla Firefox.
Protection
* Initial Rapid Release version December 2, 2009 revision 039
* Latest Rapid Release version December 3, 2009 revision 036
* Initial Daily Certified version December 2, 2009 revision 050
* Latest Daily Certified version December 2, 2009 revision 050
* Initial Weekly Certified release date December 9, 2009
W32.SillyFDC.BBX
Discovered: December 2, 2009
Updated: December 3, 2009 5:45:23 AM
Type: Worm
Infection Length: 705,283 bytes
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
W32.SillyFDC.BBX is a worm that spreads by copying itself to removable and mapped drives. It also drops more malware, attempts to download files, lowers security settings, disables certain system software and alters certain system settings.
Protection
* Initial Rapid Release version December 2, 2009 revision 025
* Latest Rapid Release version December 2, 2009 revision 025
* Initial Daily Certified version December 2, 2009 revision 024
* Latest Daily Certified version December 2, 2009 revision 024
* Initial Weekly Certified release date December 2, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
* Modifies Files: Modifies certain files, replacing them with a copy of other malware.
* Compromises Security Settings: Lowers security settings.
Distribution
* Distribution Level: Medium
* Target of Infection: Removable drives
Writeup By: Fergal Ladley and Jarrad Shearer
Backdoor.Tidserv.I!inf
Discovered: December 3, 2009
Updated: December 3, 2009 4:38:36 PM
Type: Trojan
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows Vista, Windows NT, Windows Server 2003, Windows 2000
Backdoor.Tidserv.I!inf is a detection for legitimate system driver files that have been modified by Backdoor.Tidserv to load other malicious components.
Protection
* Initial Rapid Release version December 3, 2009 revision 019
* Latest Rapid Release version December 3, 2009 revision 019
* Initial Daily Certified version December 3, 2009 revision 021
* Latest Daily Certified version December 3, 2009 revision 021
* Initial Weekly Certified release date December 9, 2009
Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy
Damage
* Damage Level: Low
* Modifies Files: Modifies legitimate system files.
Distribution
* Distribution Level: Low