RescueCd is a Linux system rescue disk available as a handy bootable CD-ROM for administering or repairing your system and data after a crash due to a virus attack. It is very useful in case the computer gets infected.

 

Avira AntiVir Rescue System is another useful utility that allows access to computers that can no longer be booted. With it, it is possible to:

  • repair a damaged system
  • rescue data
  • scan the system for virus infections


Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. It gives the user three options on how to handle the situation: you can try to repair a damaged system, rescue data, or scan the system for virus infections.

 


 

Download: Link 1 or Link 2 or Link 3

NoVirusThanks is a new, simple, free web service that helps you keep your computer virus-free. It scans suspicious files for the possible presence of viruses, worms, trojans and any other kind of malware. Scanning is done with 25 independent antivirus engines.

 


 

To use it, upload your suspicious file and press the Submit File button. The system will then put your file in the queue. Your file will be processed, and after about 40 seconds you will see the analysis report.

 

Features:

  • Free and independent service
  • Use of multiple antivirus engines
  • Automatic updates of virus signatures
  • Detailed results from each antivirus engine
  • Advanced details of file analyzed
  • BBCode support
  • Binder Detector
  • Scan as many files as you like. No registration needed.
  • Maximum size limit per file: 20 Mb
  • Files are scanned with 25 anti virus engines. These are A-squared, Avira AntiVir, AVG, Avast!, BitDefender, ClamAV, Comodo, Dr.Web, Ewido, F-PROT 6, G DATA, IkarusT3, Kaspersky, McAfee, NOD32, Norman, QuickHeal, Panda, Solo Antivirus, Sophos, TrendMicro, VBA32, and VirusBuster.

Homepage: NoVirusThanks

 

NoVirusThanks Malware Remover Tool V2

NVT Malware Remover Tool V2 is an application designed to detect and remove malware, trojans, keyloggers and other malicious threats from your computer. It can remove rogue software and spyware, and it allows you to do a complete system scan. It is designed to help you eliminate 13 variants of malware from your PC.

 


 

Features

  • Accurate and Complete Disinfection Method
  • Save Report Log
  • Save infected files into "Infected" directory
  • Remove Rogue Software and Unwanted Applications
  • Remove Trojans, Spyware and Keyloggers
  • Remove more than 6000 malicious threats
  • Complete System Scan
  • Easy to use

     

     

    Download: NVT Malware Remover Tool V2 | Freeware | 1.09MB

  • A simple way to stop any virus, worm or trojan from entering your USB drive is to create a folder named ‘autorun.inf’. Once this is done, right-click on the folder, navigate to Properties, and hide the folder as well as write-protect it. This works as well with a text file of the same name. This ensures that even if a virus, trojan or worm does get into the USB drive, it does not begin to operate as soon as the drive is connected to the computer.

    Sometimes a virus that infects your computer creates hidden files and other executables that keep the virus active. The main problem is that you can't see those files and can't delete those virus executables. Hidden files are scattered across your computer, and trying to find them all can turn out to be tedious work.

     

    If such an autorun.inf file is found, Hidden File Scanner will display a dialog where you can delete, unhide or inspect the content of the autorun.inf. It automatically rates the autorun.inf files as normal, hidden, suspicious or dangerous.

     

    If you have hidden files, don’t panic and start deleting them! It's absolutely normal to have hidden files. It's suspicious only when executable files (.exe, .dll, .sys, .drv etc.) are hidden. If you cannot identify the file, right-click it and open the file information dialog. For most executable files you will see the copyright of the executable file, which might help you identify it. You can also try a Google search.

     

    Download: Hidden File Scanner V1.0.0.14 | OS: Windows All | Freeware | 474KB

    Sometimes you may get the message 'resycled\boot.com is not a valid win32 application'. As a result of this error the drive does not open, but you can open the drive by right-clicking on the drive letter and selecting Explore.


    resycled/boot.com is a worm that propagates on local fixed and removable USB drives. It may infect drives via an autorun.inf file that it creates, which runs a command each time the drive is accessed. Malicious files will be copied to drives attached to an infected computer.
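The autorun.inf behaviour described above, and the folder-placeholder trick mentioned earlier, can be checked with a small triage script. This is an added example, not code from the original page or from Hidden File Scanner; the rating rules, function names and sample files are assumptions made for illustration.

```python
import os
import re

# Keys in the [autorun] section that make Windows start a program.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$")
RISKY_EXT = re.compile(r"\.(exe|com|pif|scr|bat|cmd|vbs|js|dll)\b", re.I)
# Names and folders this page associates with AutoRun worms.
PAGE_INDICATORS = ("resycled\\", "recycler\\", "ms32dll.dll.vbs")

# Constructed samples (not captured from real drives).
WORM_SAMPLE = r"""[autorun]
;junk line added as padding
open=resycled\boot.com
shell\open\command=resycled\boot.com
shell\explore\command=resycled\boot.com
"""
BENIGN_SAMPLE = "[autorun]\nicon=drive.ico\nlabel=Backup\n"


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, ignoring junk lines."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def triage(text, hidden=False):
    """Rate autorun.inf content; returns (rating, launch_entries)."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items() if LAUNCH_KEY.match(k)}
    targets = [v.lower() for v in launches.values()]
    if any(ind in t for t in targets for ind in PAGE_INDICATORS):
        return "dangerous", launches
    if any(RISKY_EXT.search(t) for t in targets):
        return "suspicious", launches
    return ("hidden" if hidden else "normal"), launches


def check_root(root):
    """Triage <root>/autorun.inf on a mounted drive or evidence copy."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isdir(path):
        return "placeholder-folder", {}
    if not os.path.isfile(path):
        return "absent", {}
    # 0x2 is FILE_ATTRIBUTE_HIDDEN; the field only exists on Windows.
    hidden = bool(getattr(os.stat(path), "st_file_attributes", 0) & 0x2)
    with open(path, encoding="latin-1") as fh:
        return triage(fh.read(), hidden)


if __name__ == "__main__":
    print(triage(WORM_SAMPLE))
    print(triage(BENIGN_SAMPLE, hidden=True))
```

A placeholder folder only helps against malware that does not delete or rename it first, so a `placeholder-folder` result is not proof that the drive is clean.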

     

    First you have to clean out the temporary folders. For this, download ATF Cleaner to your Desktop.

    • Double-click ATF-Cleaner.exe to run the program.
    • Click Select All found at the bottom of the list.
    • Click the Empty Selected button

    • Delete any hidden ‘autorun.inf’ files from all the drives. These files will be present in the root folder.

      1. Open My Computer.
      2. Right-click the drive that has the infection.
      3. Select "Explore" from the pop-up menu.
      4. Go to the menu bar and select Tools -> Folder Options.
      5. Select the View tab and:
      a) Select "Show hidden files and folders"
      b) Uncheck "Hide protected operating system files (recommended)"
      6. Click OK.
      7. Now search for the "autorun.inf" file in the root of each infected drive and delete it.

    • Scan the registry, find the words ‘resycled’ and ‘boot.com’ and delete the keys. Take a backup of the registry before doing so.
    • Scan and delete all files that state boot.com in the folder ‘C:\Windows\system32\dllcache’.
    • Scan and delete all files that state boot.com in the folder ‘C:\Windows\prefetch’, or just clear the folder.
    • Clear the temp folder, cookies, and Internet cache.
    • Disable the Autorun feature before accessing any external drives (USB flash drives, cameras, etc.) and CD/DVDs, or just hold down [Shift] for 15 seconds when plugging in the drives. This will prevent the ‘autorun.inf’ file from executing the virus. Do not double-click on the drive letter; instead right-click and select ‘Explore’ to open it.
    • Delete all files and folders with the names ‘autorun.inf’ and ‘resycled’ from all drives and folders. Always keep your antivirus program up to date when using shared external media or if you download unknown software often. Keep Windows updated using the automatic update feature.

    • PRT (Perlovga Removal Tool) removes the leftovers of this virus by removing the 'autorun.inf' files and cleaning up your system registry (Download PRT).

    • Autorun Eater is another tool that will remove any suspicious ‘autorun.inf’ files even before the user attempts to open the drive (Download AutorunEater). It also fixes the three common problems caused by the viruses:

    1. Task Manager disabled.
    2. Registry editing disabled.
    3. Hidden Folder Options

    Conficker infected millions of computers, and now another threat called the Neeris worm is copying Conficker's infection strategies.

     

    The latest variant of Neeris, which has been in the wild since 2005, is mimicking all of Conficker’s spreading techniques, including the exploitation of MS08-067 and the AutoRun spreading tactic. These worms spread via MSN Messenger and may contain backdoor functionality. According to a Friday blog post from researchers Ziv Mador and Aaron Putnam, the new Neeris variant began popping up last week.


     

    The Neeris worm has now been updated to spread using the same methods as Conficker, including the autorun.inf file. To protect against the worm, you should take the same steps as with Conficker. That includes installing the MS08-067 patch and disabling AutoRun, if possible.

     

    Read

     

    Conficker worm's copycat Neeris spreading over IM

    New Worm Named Neeris Mimics Conficker

    Brontok is a worm that affects Windows-based computers and spreads by sending itself to email addresses harvested from the affected computer. It creates a registry entry in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run registry key.

     


     

    Symptoms

    It disables the Windows Registry Editor and modifies Windows Explorer settings. In the Tools menu, "Folder Options" is disabled so that hidden files are not easily accessible to the user. It also turns off Windows Firewall. The system also restarts when executing certain EXE files and when trying to start Registry Editor.

    • Downloading shareware/freeware software or visiting questionable websites might lead to a Worm.Brontok infection.
    • It can track which websites you visited or what terms you’ve typed. Spyware uses your information to deliver targeted ads to you. Also, data about your surfing activities may be sold to third parties.
    • Worm.Brontok may display annoying popups while you surf the Web. You might have Worm.Brontok or other types of parasites on your computer if you see pop-up advertising, even when you are not on the Web or when your computer has been idle for many minutes.
    • When your Web browser’s home page unexpectedly changes without your consent or your Web browser suddenly closes or stops responding, you might be infected with Worm.Brontok.
    • If you see your computer slowing down dramatically or crashing a lot, you may be infected with unwanted software.

     

    Variants of the Brontok worm include:

    W32/Lebreat-E
    W32/Brontok-D
    W32/Brontok-E
    W32/Brontok-G
    W32/Brontok-J
    W32/Brontok-L
    W32.Rontokbro.K@mm
    W32/Rontokbro.gen@MM

     

    Using Task Manager to Remove Worm.Brontok Processes

    1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
    2. Click on the "Image Name" button to search for "Worm.Brontok" process by name.
    3. Select the "Worm.Brontok" process and click on the "End Process" button to kill it.
    4. Remove the "Worm.Brontok" processes files:

      EKSPLORASI.EXE
      BRONSTAB.EXE

    Using Registry Editor to Remove Worm.Brontok Registry Values
    1. To open the Registry Editor, go to Start > Run > type regedit and then press the "OK" button.
    2. Locate and delete the entry or entries whose data value (in the rightmost column) is the spyware file(s) detected earlier.
    3. To delete "Worm.Brontok" value, right-click on it and select the "Delete" option.
    4. Locate and delete "Worm.Brontok" registry entries:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tok-cirrhatus

    Detect and Delete Other Worm.Brontok Files
    1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
    2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content, including hidden files.
    3. To change directory, type in "cd name_of_the_folder".
    4. Once you have the file you're looking for type in "del name_of_the_file".
    5. To delete a file in folder, type in "del name_of_the_file".
    6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
    7. Select the "Worm.Brontok" process and click on the "End Process" button to kill it.
    8. Remove the "Worm.Brontok" processes files

    \Documents and Settings\{UserName}\Local Settings\Application Data\winlogon.exe
    \Documents and Settings\{UserName}\Local Settings\Application Data\smss.exe
    \Documents and Settings\{UserName}\Local Settings\Application Data\services.exe
    \Documents and Settings\{UserName}\Local Settings\Application Data\lsass.exe
    \Documents and Settings\{UserName}\Local Settings\Application Data\inetinfo.exe
    \Documents and Settings\{UserName}\Local Settings\Application Data\csrss.exe
    \Documents and Settings\{UserName}\Templates\WowTumpeh.com
    \Documents and Settings\{UserName}\Start Menu\Programs\Startup\EMPTY.PIF
    EKSPLORASI.EXE
    BRONSTAB.EXE
    Tok-Cirrhatus
    Tok-Cirrhatus-1761
    Tok-Cirrhatus-1860

    How do you remove the Brontok virus manually? From Wiki Answers: Check here

     

    Many free removal tools are available on the net that you can use to easily remove the Brontok virus:
    1. CompactbyteAV

    2. GData Anti…Worm

    3. Sophos BRONTGUI

    4. Kaspersky Brontok Removal Tool

    5. BitDefender Brontok Removal Tool

    6. Download SpyHunter's Malware Scanner

    7. OgAV

    8. AntiBrontok

    9. BRONTSFX.EXE

    Security researchers are reporting that the Conficker worm virus, which preys on a recently reported vulnerability (MS08-067) in the Microsoft Windows server service, is spreading rapidly. "Of the two million computers analyzed, around 115,000 were infected with this malware, a phenomenon we haven't seen since the times of the great epidemics of Kournikova or Blaster," Luis Corrons, Technical Director of PandaLabs, said in a report summary.


     

    When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and downloads and installs additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

     

    Once this virus infects a computer, it does a number of things:

    • Extracts all of its files to the %System% directory with random DLL file names, which can wreak havoc on your computer.
    • Deletes the user's Restore Points.
    • Registers a service called Netsvcs.
    • Creates scheduled tasks that execute all of the DLL files.
    • Creates its own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
    • Creates an Autorun.inf file in file shares to execute the worm files once the share is accessed by another computer.
    • Connects to external sites to download additional files.

     

    The registry entries added by Mal/Conficker-A are under:

     

    HKLM\SYSTEM\CurrentControlSet\Services\<random service name>

     

    The random service name will also be added to the list of services referenced by:

     

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs

     

    Mal/Conficker-A modifies permissions on the service registry entries so that they are not visible to the user. When spreading to removable media, Mal/Conficker-A attempts to create the following hidden files:

     

    <Removable Drive Root>\autorun.inf
    <Removable Drive Root>\RECYCLER\S-x-x-x-xxx-xxx-xxx-x\<Random Letters>.dll

     

    Win32/Conficker.A tries to obtain the IP address of the affected system by accessing the following websites:

     

    www.getmyip.org
    getmyip.co.uk
    checkip.dyndns.org

     

    Mal/Conficker-A will attempt to copy itself to the following location:

     

    <System>\<random filename>


    (e.g. C:\windows\system32\zdtnx.g)

     

    Precautions & Removal

    • Ensure Windows is fully updated to fix the MS08-067 vulnerability that the Conficker family of worms uses to spread.
    • Ensure that all removable storage devices are scanned after being connected to a computer infected with the Conficker family of worms.
    • Ensure HIPS and buffer overflow prevention are both turned on and that "alert only" mode is turned off.
    • Ensure the on-access scanner is turned on and that "on write" scanning is enabled.

    If W32/Confick-E is detected on the computer, clean up this item first and then immediately run another full scan. Cleaning up W32/Confick-E removes the worm from memory and allows Sophos Anti-Virus to scan files that may have been locked by the virus while it was running.

    If a full scan reports unscannable files and W32/Confick-E is not found in memory, ensure the on-access scanner is enabled and the virus data is up to date, reboot the computer and immediately perform another full scan. This causes the on-access scanner to prevent the Conficker worm from loading as a service and should unlock those files so they can be scanned. After cleaning up an active infection of the Conficker worm, a reboot may be required.

    To remove the worm and its malicious components completely, it is recommended to use Norman Conficker Cleaner. Removal tools are also available from Microsoft and Symantec.

     

    Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media through modifying the Windows Registry is recommended.

    How to Disable Autorun

    Virus Effect Remover is a tool that helps you remove the effects of a virus from the Windows registry and file system. It also detects registry errors caused by a virus and re-enables blocked features such as Task Manager, Registry Editor, Folder Options, etc.

     


    Virus Effect Remover Features:

  • New Tools option like File Recovery, Alternate Explorer & process List
  • Generation
  • Better Help
  • More Efficient File search
  • System Repair Option
  • More Registry optimization

     

    Download: Virus Effect Remover

    SysReq: Windows XP / Vista | Freeware | 806 KB | Microsoft .NET Framework 2.0

    Recently one of my friends' IE title showed “Hacked by Godzilla” after transferring some files to a handy drive. This virus normally spreads through portable drives.


    If your system is infected by this virus, your Internet Explorer title will end with “Hacked by Godzilla”. The following are other symptoms of the Godzilla virus:

    1. Task manager is disabled.
    2. Regedit (Command for registry edit) is disabled.
    3. Folder Options disappears from Windows Explorer.
    4. Double-clicking on any of your system drives (c:, d: etc.) initiates a new instance of the virus. (You won’t be able to open any of your drives by double-clicking; rather, you have to open them by right click >> Explore.)
    5. msconfig command is disabled - this virus is not dependent on system startup but it disables the msconfig command used to modify the system startup programs
  • It creates the following files:
    [DRIVE LETTER]:\MS32DLL.dll.vbs
    [DRIVE LETTER]:\autorun.inf
    Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
  • Adds the value:
    “MS32DLL” = “%Windir%\MS32DLL.dll.vbs” to the registry subkey:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    so that it runs every time Windows starts.
  • Adds the value:
    “Window Title” = “Hacked by[REMOVED]” to the registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    to modify title in Internet Explorer.
  • Attempts to copy itself to removable drives and create registry entries every 200 seconds.

    How can I get rid of it?

    1. First download Process Explorer, run it and end all the processes that are running as wscript.exe.

    2. Download RRT.exe (Remove Restrictions Tool). RRT v.2.0 is a tiny tool that does the work for AVs: it re-enables everything the virus had disabled, bringing back Task Manager, regedit, msconfig and the hidden Folder Options.

    3. Now you have the regedit command enabled.

    Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete MS32DLL (right-click on it and select Delete).

    Go to HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main and delete “Window Title”, which has the value “Hacked by Godzilla”, or you can also write your name as a recognition for yourself.

    4. Open My Computer, go to Tools -> Folder Options in the menu, and click on the View tab.

    Under Advanced settings,
    check “Show hidden files and folders”,
    uncheck “Hide extensions for known file types”,
    uncheck “Hide protected operating system files (Recommended)”
    and click the “OK” button.

    5. Now right-click on each of your drives, including your USB drive, click Explore, and delete the files named autorun.inf and MS32DLL.dll.vbs.

    6. Restart your PC, and your PC should be clean of Hacked by Godzilla.

  • Update: Also check this removal tool from Mr. Albin: http://albin.1983.googlepages.com/Fix.Godzilla.exe

    Details here:

    http://tec-updates.blogspot.com/2008/05/godzilla-virus-removal-ms32dlldllvbs.html

    There are bogus antivirus programs like WinAntivirus Pro 2007 and Pest Capture available on the net. Many people unknowingly install such software and get trapped.


    So you've discovered that you've been infected with WinAntiVirus Pro 2007 or other types of spyware. Now you want to remove it and prevent it from further damaging your computer. To remove WinAntiVirus Pro 2007 or other spyware components, please follow the instructions below.

    Download these programs to your desktop and install them: SmitRem, SmitFraudFix, RogueRemover, HijackThis, and CCleaner.
    That done, reboot into Safe Mode. Open the SmitRem folder and double-click RunThis.bat to start the SmitRem removal procedure. Next, open SmitFraudFix, choose to search (option 1) and clean (option 2), and run a full system scan to remove anything it finds. Then, run RogueRemover. While still in Safe Mode, run CCleaner. Analyse and clean the files it finds, then click on the Issues button and Scan and Fix any Registry issues CCleaner discovers. Run both the Registry Scanner and the File Analyzer until nothing more is found.
    Run HijackThis and remove any leftover issues. Do not delete anything with HijackThis unless you are absolutely sure what the file is and what it does. For items in the HijackThis log like the following, which will not get deleted manually, use KillBox to browse to the location of the file and delete it or delete it on reboot.

     Download KillBox

    Items that are impossible to remove unless using KillBox usually show up in the “20” section of HijackThis, for example:
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    O20 - Winlogon Notify: winrir32 - C:\WINDOWS\SYSTEM32\winrir32.dll
    O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll
    Reboot into normal mode. Scan your computer using online virus checkers such as Kaspersky Online Scanner and Norton Online Scanner. Also download, install and thoroughly scan your system using a spyware removal tool such as Spybot Search & Destroy. As a matter of general practice, always install and use an anti-virus program, update it regularly, and never disable it (even when certain programs ask you to do so), especially when you are online.


    A backdoor trojan differs from a trojan in that it also opens a backdoor to your system. A trojan is a malicious application that appears to do one thing, but actually does another. Examples of backdoor trojans are Netbus and Back Orifice. They are so dangerous because they have the potential to allow remote administration of your system. This gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user. For example, the attacker can:
    • Use your system and Internet connection to send spam (yes, the majority of spam is now generated by infected systems).
    • Steal your online and offline passwords, credit card numbers, address, phone number, and other information stored on your computer that could be used for identity theft, or other financial fraud.
    • Log your activity, read email, view and download contents of documents, pictures, videos and other private data.
    • Use your computer and Internet connection, in conjunction with others to launch Distributed Denial of Service (DDoS) attacks.
    • Modify system files, disable antivirus, delete files, change system settings, to cover tracks, or just to wreak havoc.
    If you suspect you’re infected with a backdoor trojan, the first thing you should do is disconnect from the Internet to protect yourself and others. At a minimum, install a firewall that will monitor inbound and outbound activity (ZoneAlarm/Sygate/Comodo).

    How to tackle this?
    Download SDFix.exe and save it to your desktop:
    SDFix

    • Double click on SDFix on your desktop,and install the fix to C:\

    Please then reboot your computer into Safe Mode by doing the following:

    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    • In Safe Mode, go to and open the C:\SDFix folder, then double-click on RunThis.bat to start the script.
    • Type Y to begin the script.
    • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • Your system will take longer than normal to restart as the fix tool will be running and removing files.
    • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
    Instructions for difficult trojans, especially "Pretty Park" and BackDoor-G.ldr ("Sub seven"):
    Download the UNDO.ZIP file and unzip it with a program like WinZip. Double click the undo.reg file to import it into the registry. For the curious, the contents of the REG file are:

    REGEDIT4

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"

    [HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command]
    @="\"%1\" %*"

    Click Start, then Run, then type "c:\windows\win.ini" in the text box, then click OK. Scroll down to the line that begins with "run=" and, if it loads the trojan program, delete it. Click Start, then Run, then type "c:\windows\system.ini" in the text box, then click OK. Scroll down to the line that begins with "shell=" and, if it loads the trojan program, be very careful to delete only the part that loads the trojan. After you are done, the shell= line should look like this: shell=Explorer.exe
    Close notepad and save your changes. Reboot your computer. The trojan will no longer be active. Then you will be able to delete it from inside Windows. Just go to the folder where the file resides and send it to the recycle bin.
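The registry locations named on this page (the Run keys, the Internet Explorer "Window Title" value and the exefile open command that undo.reg restores) can be reviewed in one pass over a text export from regedit. This is an added example, not a tool from the original page; the sample export, the loader.exe path and the function names are constructed for illustration, and the three policy value names are standard Windows names that the page does not spell out. It reads single-line string and dword values only.

```python
import re

RUN_NAMES = ("ms32dll", "tok-cirrhatus")   # autostart value names from this page
FAKE_SYSTEM = {"winlogon.exe", "smss.exe", "services.exe", "lsass.exe",
               "inetinfo.exe", "csrss.exe"}  # Brontok copies listed on this page
# Standard Windows policy values that switch off Task Manager, regedit and
# Folder Options (known value names, not quoted from the page).
LOCKOUTS = {"disabletaskmgr", "disableregistrytools", "nofolderoptions"}
EXEFILE_CLEAN = '"%1" %*'                  # value restored by undo.reg
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
PROGRAM = re.compile(r'([^\\/"]+\.(?:exe|com|pif|scr))\b')

# Constructed export for demonstration (not taken from a real machine).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MS32DLL"="C:\\WINDOWS\\MS32DLL.dll.vbs"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Tok-Cirrhatus"="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\smss.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="Hacked by [REMOVED]"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\sample\\loader.exe \"%1\" %*"
'''


def decode(raw):
    """Decode a quoted string or a dword from the right-hand side of a line."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # undo \\ and \" escapes
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg(text):
    """Yield (key, value_name, data); the default value has name ''."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = VALUE_LINE.match(line)
            if m:
                name = "" if m.group(1) == "@" else decode(m.group(1))
                yield key, name, decode(m.group(2))


def audit(text):
    """Return (key, value_name, reason) for each persistence or lockout hit."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        s = data.lower() if isinstance(data, str) else ""
        if k.endswith(r"\currentversion\run"):
            if n.startswith(RUN_NAMES):
                hits.append((key, name, "autostart name listed on this page"))
            prog = PROGRAM.search(s)
            if prog and prog.group(1) in FAKE_SYSTEM and "\\system32\\" not in s:
                hits.append((key, name, "system process name outside System32"))
        elif k.endswith(r"\internet explorer\main") and n == "window title":
            if s.startswith("hacked by"):
                hits.append((key, name, "Internet Explorer title defaced"))
        elif "\\policies\\" in k and n in LOCKOUTS and data not in (0, ""):
            hits.append((key, name, "administrative tool disabled by policy"))
        elif (k.endswith(r"exefile\shell\open\command") and n == ""
              and data != EXEFILE_CLEAN):
            hits.append((key, "@", "EXE launch command is not the clean value"))
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_EXPORT):
        print(hit)
```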

    Other Utilities & Procedures
    Procedure #1
    Download the following four items
    McAfee Stinger
    Trend Sysclean Package
    Latest Trend Virus Pattern Files. (example; lpt285.zip*)
    (*The file name lpt285.zip is simply an example name of the file and you'll find the filename posted at TrendMicro will have a higher number than 285. Each time TrendMicro produces new Pattern Files the number in the file name will be incremented accordingly.)
    Ad-Aware SE (free personal edition)
    1. Create a new directory.
      On drive "C:\"
      (e.g., "c:\New Folder")
      or the desktop
      (e.g., "C:\Documents and Settings\username\Desktop\New Folder")
    2. Place SYSCLEAN.COM (the Trend Sysclean Package referenced above) into the new directory you created. Extract the latest Trend Virus Pattern Files (Example: lpt$vpn.285 and WHATSNEW.TXT) from the zip file you downloaded above into the same new directory you created. The Trend Pattern File contained in the ZIP file must be placed in the same directory as SYSCLEAN.COM!
    3. Important: The TrendMicro Pattern file is updated regularly, anywhere from once per day to a few times in a day. Always make sure you have the latest version of SYSCLEAN.COM and the Pattern File before you scan your platform. The McAfee Stinger Internet worm and Trojan removal tool is upgraded periodically. Always make sure you have the latest version of the McAfee Stinger utility before you scan your platform.
    4. Install and Update Ad-Aware with the latest definitions.
    5. If you are using WinME or WinXP, disable System Restore.
      Disable SysRestore Procedure
    6. Reboot your PC into Safe Mode [F8 key during boot process].
      How to Boot Into Safe Mode:
      Generic
      Windows XP
      How to perform a clean boot in Windows XP
    7. Using McAfee Stinger, the Trend Sysclean utility and Ad-Aware, perform a Full Scan of your platform and clean and/or delete any infectors and/or parasites found (a few cycles may be needed).
    8. Restart your PC and perform a "final" Full Scan of your platform using McAfee Stinger, the Trend Sysclean utility and Ad-Aware.
    9. If you are using WinME or WinXP, re-enable System Restore and re-apply any System Restore preferences (e.g. HD space to use suggested 400 ~ 600MB).
    10. Reboot your PC.
    11. If you are using WinME or WinXP, create a new Restore point
    Procedure #2
    Download MULTI_AV.EXE from here
    Multi AV
    To use this utility, perform the following...
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close
    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }
    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.
    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.
    Additional Instructions: here

    Also check the following
    Symantec
    Backdoor SDBot.H Trojan
    BackDoor-ABH
    Backdoor:Win32/zonebac_gen!B FindAWF