Archive for March, 2008

W32/Dumaru.Z@mm myphoto.zip Removal

Posted by egomoo on March 13, 2008
Worm / No Comments


This MSN worm variant keeps being updated after “imageXX.zip”.

It may also be called Win32.IRCBot.gen.

The worm automatically sends a message to your friends with the attachment “myphoto.zip”. The message may be one of these:

  checkout my newest pic before I upload!!
  hey over there… check out my new photo!
  when youre around accept.. its my new default pic.
  u seen this crazy shit?
  holy shit this new pic is hot as fuck!
  I just made this design for a friend. U like it?
  I think I had sex with them :X What should i do?
  You don’t think I had sex with them… rite?
  Is it horrible if I only remember the sex?
  Is this really a pic of you?
  Would you have had a threesome with them?
  Wow! I can’t believe I had a threesome with them!
  You see these crazy people? Almost havin sex on the dance floor!
  u want to see something really funny? Take a look!
  I cant stop laughing!

The worm creates these files:
  %Startup Folder%\dllxw.exe
  %Windows%\rundllx.sys
  %Windows%\winload.log
  %System%\l32x.exe
  %System%\vxd32v.exe
  %Temp%\zip.tmp
  %System%\msthost.exe
  %System%\rdshost.dll

The virus may also steal password information for e-gold and other data, then send this information to the hard-coded email address ‘anyname2@btw.egold-hosting.com’.

The virus will auto run at Windows startup after modifying the registry as in this example -

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
load32 = C:\WINNT\System32\l32x.exe

The virus also loads a second time alongside the Windows shell, as in this example -

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
“Shell” = explorer.exe C:\WINNT\System32\vxd32v.exe
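
A read-only PowerShell check for the files and registry values listed above, as an added example that is not part of the original post. The file names, the `load32` value name and the registry keys come from the post; the folder resolution (including the SysWOW64 directory on 64-bit Windows) and the assumption that a clean Winlogon Shell value is just `explorer.exe` are additions.

```powershell
# Added example: reports the Dumaru.Z indicators named in this post. Changes nothing.
$win     = $env:windir
# Assumption: also look in SysWOW64, where 32-bit code lands on 64-bit Windows.
$sysDirs = @([Environment]::GetFolderPath('System'), (Join-Path $win 'SysWOW64'))
$startup = @([Environment]::GetFolderPath('Startup'),
             [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }

# Build the candidate paths from the file list in the post.
$files  = @((Join-Path $win 'rundllx.sys'),
            (Join-Path $win 'winload.log'),
            (Join-Path $env:TEMP 'zip.tmp'))
$files += $startup | ForEach-Object { Join-Path $_ 'dllxw.exe' }
foreach ($dir in $sysDirs) {
    foreach ($name in 'l32x.exe', 'vxd32v.exe', 'msthost.exe', 'rdshost.dll') {
        $files += Join-Path $dir $name
    }
}

$findings = @()
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}

# Run key: the post shows a value named load32 pointing at l32x.exe.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.load32) { $findings += "Run value load32 = $($run.load32)" }

# Winlogon Shell: assumed clean value is exactly "explorer.exe";
# the post shows the worm appending its own executable after it.
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell has extra content: $shell"
}

if ($findings) { $findings } else { 'No indicators from this post were found.' }
```

A hit on the Winlogon Shell line alone is not proof of this worm, since other software can also modify that value; compare it against the file findings.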

How to remove?

Download SREng:
http://www.kztechs.com/sreng/sreng2.zip
Extract it to the Desktop.
Double-click SREng.exe to run it.
Select:
Smart Scan
Then click the [Scan] button.
When finished, click the [Save Reports] button.
Save the log to the Desktop, and send me an email with the log as an attachment.
mailto:egomoo#gmail.com
I would be glad to help you remove this worm.


Remove Worm.Win32.Netsky with SmithfraudFix

Posted by egomoo on March 11, 2008
Worm / No Comments

SmithfraudFix is a free tool that S!Ri created to remove fake anti-spyware programs. It can be risky, so we cannot guarantee the result. Please use it with reservations. We would never recommend purchasing anything unless it’s necessary. That’s why we provide this free removal process.

1. Download SmithfraudFix tool and save it to your desktop.

2. Restart your computer and boot into Safe Mode. If you don’t know how to start the computer in safe mode, click here to read more.

3. Double-click on the SmithfraudFix.exe icon then follow the screen instructions. Option #2 should be selected in this case.

4. When you are prompted with “Do you want to clean the registry ?”, simply answer “Y”.

5. Reboot.

6. You have just removed Worm.Win32.Netsky from your computer.
