Computer viruses always use social-engineering techniques to infect their victims. Whenever there is gossip, virus creators use it to spread their virus, e.g. “Paris Hilton xxx movies”, “what the FBI is hiding from us”, etc. This time they are using Facebook’s popularity to infect Facebook fans. This virus has also been reported bundled with FAKE antispyware security tools.
When you see this on your monitor, it means you are already infected.
Just ignore this fake antispyware warning; if you follow it, your computer will be infected with more viruses or your operating system will be corrupted.
How to Remove Facebook Virus W32/Obfuscated.D2!genr :]
1. It is recommended to run Windows in “safe mode” during the cleaning process. Back up all your important data first!
2. Disable “System Restore” during the cleaning process.
3. Disconnect your computer from the local network.
4. Download “unlocker” and install it.
5. Download “security task manager”, then kill the virus processes running in the background.
6. Download repair.inf, then right-click it and choose “Install”. Make sure the content of repair.inf is the same as this:
[Version]
Signature="$Chicago$"
Provider=nobody
[DefaultInstall]
AddReg=inject
DelReg=rem
; Values restored to their defaults
[inject]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,userinit,0, "userinit.exe"
; Keys and values created by the virus, to be deleted
[rem]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,47543326
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,PromoReg
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,reader_s
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,EnableProfileQuota
HKLM, SOFTWARE\AGProtect
HKLM, SOFTWARE\47543326
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network, UID
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion, Rlist
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
HKU, .DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{8FFA689D-2C2B-2B2E-D865-74C04CA4EF06}
7. Delete the following files, which were created by the virus. Before doing this, set your computer to show all hidden files.
%systemroot%\Documents and Settings\All Users\Application Data\47543326
%systemroot%\Documents and Settings\%user%\Start Menu\Programs\Security Tools.lnk
%systemroot%\Documents and Settings\%user%\Desktop\Security Tools.lnk
%systemroot%\Documents and Settings\%user%\Application Data\wiaservg.log
%systemroot%\Documents and Settings\%user%\Local Settings\Temp\*.tmp
%systemroot%\WINDOWS\Temp\wpv311256600826.exe
%systemroot%\WINDOWS\Temp\wpv411256806849.exe
%systemroot%\Documents and Settings\%user%\reader_s.exe
%systemroot%\Documents and Settings\%user%\Start Menu\Programs\Startup\isqsys32.exe
%systemroot%\WINDOWS\system32\reader_s.exe
%systemroot%\Windows\system32\wbem\proquota.exe
%systemroot%\windows\system32\sdra64.exe
%systemroot%\Windows\system32\lowsec
local.ds
user.ds
user.ds.lll
* NOTE: if you have problems deleting the folder %systemroot%\Windows\system32\lowsec or the file %systemroot%\windows\system32\sdra64.exe, use unlocker. Right-click the folder/file, choose unlocker, choose delete, then click OK. If there is any warning, just ignore it.
8. Delete all temporary files using ATF-Cleaner.
9. Update your best antivirus, then run a full scan of your whole system and make sure there is no virus/worm/trojan left.
10. Subscribe to my blog
OK, finished, friend :)
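Step 6 asks you to confirm that repair.inf matches the listing before installing it. The Python sketch below is an added example, not part of the original post: it parses an INF of that shape, lists the registry writes and deletions that [DefaultInstall] would perform, and flags lines damaged by typographic quotes or duplicated during copy and paste. The function names and the sample text are constructed for illustration.

```python
import csv

SMART_QUOTES = "\u201c\u201d\u2033"  # typographic quotes a blog engine substitutes for "

# Constructed sample in the shape of the repair.inf above: one line damaged by
# typographic quotes and one duplicated DelReg entry.
SAMPLE_INF = r'''[DefaultInstall]
AddReg=inject
DelReg=rem
[inject]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, “about:blank”
[rem]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,reader_s
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,reader_s
HKLM, SOFTWARE\AGProtect
'''

def parse_sections(text):
    """Return {section name (lowercase): [non-empty, non-comment lines]}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif line and not line.startswith(";") and current is not None:
            current.append(line)
    return sections

def audit_inf(text):
    """List the registry writes/deletes [DefaultInstall] would perform, plus problems."""
    sections = parse_sections(text)
    install = {k.strip().lower(): v for k, _, v in
               (l.partition("=") for l in sections.get("defaultinstall", []))}
    actions, problems, seen = [], [], set()
    for directive, op in (("addreg", "set"), ("delreg", "delete")):
        for name in install.get(directive, "").split(","):
            for line in sections.get(name.strip().lower(), []):
                if any(ch in line for ch in SMART_QUOTES):
                    problems.append(("smart-quote", line))
                elif (op, line) in seen:
                    problems.append(("duplicate", line))
                else:
                    seen.add((op, line))
                    # INF fields are comma separated; "" inside quotes is a literal "
                    f = next(csv.reader([line], skipinitialspace=True)) + [""] * 5
                    actions.append((op, f[0], f[1], f[2], f[4] if op == "set" else ""))
    return actions, problems
```

Each action is a tuple of (operation, root, subkey, value name, data); an empty value name on a delete means the whole key is removed, and an empty value name on a set means the key's default value.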