Tips for cleaning the Yahoo Messenger virus
The Yahoo Messenger virus can update itself much like an antivirus program does, by downloading files from predetermined websites. Unsurprisingly, removing it is also fairly difficult.
Below are 9 steps for cleaning the virus that caused the most commotion and the most trouble at the beginning of 2010, according to Adang Jauhar Taufik, a virus analyst at Vaksincom:
1. Disconnect the computer to be cleaned from the network and from the internet.
2. Rename the file [C:\Windows\system32\msvbvm60.dll] to [xmsvbvm60.dll] to prevent the virus from becoming active again during the cleaning process.
3. It is best to clean the system using the Windows Mini PE Live CD tool, because some of the virus's main files and the rootkit files disguised as services and drivers are difficult to delete, especially since the virus hides these files. Download the software from http://soft-rapidshare.com/2009/11/10/minipe-xt-v2k50903.html
Then boot the computer from the Mini PE Live CD. Afterwards, delete the virus's main files as follows:
a. Click the [Mini PE2XT] menu
b. Click the [Programs] menu
c. Click the [File Management] menu
d. Click the [Windows Explorer] menu
e. Then delete the following files:
-. C:\Windows\System32
   -. Wmi%xxx.exe, where xxx represents random characters (for example: wmispqd.exe, wmisrwt.exe, wmistpl.exe, or wmisfpj.exe); the file size differs depending on the variant that infected the target computer.
   -. %xxx%.exe@, where %xxx% represents random characters (example: qxzv85.exe@); the file size differs depending on the infecting variant.
   -. secupdat.dat
-. C:\Documents and Settings\%user%\%xx%.exe, where xx represents random characters (example: rllx.exe), with a file size of around 6 KB or 16 KB (depending on the infecting variant).
-. C:\Windows\System32\drivers
   -. Kernelx86.sys
   -. %xx%.sys, where xx represents random characters, with a file size of around 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)
   -. Ndisvvan.sys
   -. krndrv32.sys
-. C:\Documents and Settings\%user%\secupdat.dat
-. C:\Windows\INF
   -. netsf.inf
   -. netsf_m.inf
4. Remove the registry entries changed or created by the virus using "Avast! Registry Editor", as follows:
a. Click the [Mini PE2XT] menu
b. Click the [Programs] menu
c. Click the [Registry Tools] menu
d. Click [Avast! Registry Editor]
e. If a confirmation screen appears, click the "Load....." button
f. Then delete the following registry entries:
-. LOCAL_MACHINE_SOFTWARE\microsoft\windows\currentversion\run\\ctfmon.exe
-. LOCAL_MACHINE_SYSTEM\ControlSet001\services\\kernelx86
-. LOCAL_MACHINE_SYSTEM\CurrentControlSet\services\\kernelx86
-. LOCAL_MACHINE_SYSTEM\CurrentControlSet\services\\passthru
-. LOCAL_MACHINE_SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\ctfmon.exe
-. LOCAL_MACHINE_SOFTWARE\microsoft\windows nt\currentversion\winlogon
   -. Change the value of the string Userinit to: userinit.exe,
-. LOCAL_MACHINE_SOFTWARE\microsoft\windows nt\currentversion\winlogon
   -. Change the value of the string Shell to: Explorer.exe
-. LOCAL_MACHINE_SYSTEM\ControlSet001\services\\%xx%
-. LOCAL_MACHINE_SYSTEM\CurrentControlSet\services\\%xx%
-. LOCAL_MACHINE_SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\C:\windows\system32\%file_induk_virus%.exe (example: wmistpl.exe)
-. LOCAL_MACHINE_SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\windows\system32\%file_induk_virus%.exe (example: wmistpl.exe)
Note: %xx% represents random characters. This key is created to run the .SYS file of 40 KB located in the directory [C:\Windows\system32\drivers\]
5. Restart the computer, then repair the remaining registry entries altered by the virus: copy the following script into Notepad and save it under the name repair.inf. Run the file by: right-clicking repair.inf | clicking Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
; Values to set: file associations, the Winlogon shell, Security Center and Explorer settings
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
; Keys and values to delete
; mojbtjlt is the example random driver name from step 3; the name differs per infection
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
6. Repair the Windows registry so that the computer can again boot into "safe mode with command prompt": download the file FixSafeBoot.reg (Windows XP) from the following address, then run the file as follows:
o Click the [Start] menu
o Click [Run]
o Type REGEDIT.EXE, then click the [OK] button
o In the "Registry Editor" window, click the [File | Import] menu
o Select the .REG file you just created
o Click the [Open] button
7. Delete temporary files and temporary internet files. Use the ATF-Cleaner tool for this. Download the tool here.
8. Restore the Windows hosts file that was altered by the virus. You can use the Hoster tool; download it from the following address.
Click the [Restore MS Host File] button to restore the Windows hosts file.
9. For optimal cleaning and to prevent reinfection, scan with an antivirus that is up to date and can already detect this virus.
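The file indicators listed in step 3 can be collected in one pass before anything is deleted. The following is an added example, not part of the original article or of Vaksincom's tooling: it scans an offline Windows volume mounted from a live environment for the names given in step 3. The regular expressions and the 36-44 KB window for the randomly named driver are assumptions inferred from the article's examples, so every hit is a candidate for manual review.

```python
import os
import re
# Indicators from step 3, relative to the root of the offline Windows volume.
# Patterns and the size window are assumptions drawn from the article's examples.
RULES = [
    ("Windows/System32", r"secupdat\.dat", None),
    ("Windows/System32", r"wmi[a-z]{4}\.exe", None),            # e.g. wmistpl.exe
    ("Windows/System32", r".+\.exe@", None),                    # e.g. qxzv85.exe@
    ("Windows/System32/drivers", r"(kernelx86|ndisvvan|krndrv32)\.sys", None),
    ("Windows/System32/drivers", r"[a-z]{8}\.sys", (36, 44)),   # around 40 KB
    ("Windows/INF", r"netsf(_m)?\.inf", None),
]
PROFILE_RULES = [(r"secupdat\.dat", None), (r"[a-z]+\.exe", None)]  # e.g. rllx.exe

def find_dir(root, rel):
    """Resolve rel under root ignoring case (NTFS mounted on a case-sensitive OS)."""
    path = root
    for part in rel.split("/"):
        names = os.listdir(path) if os.path.isdir(path) else []
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path if os.path.isdir(path) else None

def scan_dir(directory, rules):
    """Return (path, size_kb) for files whose name and size match any rule."""
    hits = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        size_kb = os.path.getsize(full) / 1024 if os.path.isfile(full) else None
        if size_kb is not None and any(
                re.fullmatch(pat, name, re.IGNORECASE)
                and (win is None or win[0] <= size_kb <= win[1])
                for pat, win in rules):
            hits.append((full, round(size_kb)))
    return hits

def scan_volume(root):
    """Scan the fixed directories plus each profile under Documents and Settings."""
    hits = []
    for rel in sorted({rule[0] for rule in RULES}):
        directory = find_dir(root, rel)
        if directory:
            hits += scan_dir(directory, [(p, w) for d, p, w in RULES if d == rel])
    users = find_dir(root, "Documents and Settings")
    for user in sorted(os.listdir(users)) if users else []:
        if os.path.isdir(os.path.join(users, user)):
            hits += scan_dir(os.path.join(users, user), PROFILE_RULES)
    return hits
```

Call scan_volume with the mount point of the infected disk; legitimate eight-letter drivers of similar size can match the heuristic, so compare hits against a clean installation before removing them.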