Contents in order to inform the user to update the account with the convenience and security reasons while visiting the site.

If the update button is clicked the user will be delivered to the web log was falsified. Yet this is not a web log Facebook’s original, but to accommodate victims username and password.

This web log has a fake address different, for example http://www.facebook.com.xxxxx.eu/globaldirectory/LoginFacebook.php?ref=1584270691543478059651590405901802254672004589860384285&email=xxxxxxx @ xxxx.com. Where xxxxx is a random character.

If a cursory note, fake web log is similar to the original web log Faceebok. But if tracked more closely so there are some notable differences.

At the time of filling the user name and password, it will open a new page that contains a link to download the tool update your account with the name [updatetool.exe] who actually is a virus / trojan that will infect your computer.

Subject email sent by the virus will usually be different as New login system, update your Facebook, Facebook Update Tools. The virus has a file size of around 105 KB with the name [updatetools.exe].

If the file is run it will create a master file with the name [C: WINDOWSsystem32sdra64.exe] and served injects some Windows process such as: C: WindowsSyste32services.exe, C: WindowsSystem32lsass.exe, C: WindowsSystem32svchost.exe, C: WindowsSystem32alg.exe, C: ProgramFilesinternet exploreriexplore.exe.

In order not easily be deleted by the virus, the file will be hidden even if the user is displaying hidden files. It also will create some files also will be hidden in order not easily be deleted. C: Windowssystem32lowsec, local.ds, user.ds, user.ds.lll.

To spread itself, the virus will send phishing emails to all addresses that have been obtained and containing a notification to users who have a Facebook account to update his account tehadap.

So please be careful when receiving email from the Admin Facebook though. If an email with the subject at the top should be removed immediately and do not follow the information contained in the email.

So every time a user tries to access to certain websites, including website security / antivirus, so that appears not you want the web but the website www.google.com.

Here are 9 steps to clean W32/Smalltroj. VPCG virus:

1. Turn off System Restore during the cleaning process take place.

2. Decide who will clean your computer from the network or the Internet.

3. Change the name of the file [C: \ Windws \ system32 \ msvbvm60.dll] to prevent the virus active again.

4. Perform cleaning by using the Tools Windows Live CD Mini PE. This is due to some rootkit files masquerading as services and drivers difficult to stop. Please download the software at the address http://soft-rapidshare.com/2009/11/10/minipe-xt-v2k50903.html

Then boot the computer using software Mini PE Live CD. After that deleting some files iduk virus by:

l Click the [Mini PE2XT]
l Click the [Programs]
l Click the [File Management]
l Click the [Windows Explorer]
l Then delete the following files:

o C: \ Windows \ System32
§ wmispqd.exe
§ Wmisrwt.exe
§ qxzv85.exe @
§ qxzv47.exe @
§ secupdat.dat
o C: \ Documents and Settings \% user% \% xx%. exe, where xx is a random character (example: rllx.exe) with a file size of 6 kb.
o C: \ windows \ system32 \ drivers
§ Kernelx86.sys
§% xx%. Sys, where xx is a random character who has a size of 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)
§ Ndisvvan.sys
§ krndrv32.sys
o C: \ Documents and Settings \% user% \ secupdat.dat
o C: \ Windows \ inf
§ Netsf.inf
§ netsf_m.inf

5. Delete the registry created by the virus, by using the “Avas! Registry Editor”, how:

l Click the [Mini PE2XT]
l Click the [Programs]
l Click the [Registry Tools]
l Click [Avast! Registry Editor]
l If the confirmation screen appears Kelik button “Load …..”
l Kemudain delete registry: (see figure 6)

Ø HKEY_LOCAL_MACHINE \ software \ microsoft \ windows \ currentvers
on \ Run \ \ ctfmon.exe
Ø HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \ kernelx86
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \ kernelx86
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \ passthru
Ø HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ WindowsNT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe
Ø HKEY_LOCAL_MACHINE \ software \ microsoft \ Windows NT \ CurrentVersion \ winlogon

ü Change the string value to be Userinit = userinit.exe,
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ StandardProfile \ AuthorizedApplications \ List
ü% windir% \ system32 \ wmispqd.exe =% system% \ wmispqd.exe: *: enabled: UPnP Firewall
Ø HKEY_LOCAL_MACHINE \ system \ ControlSet001 \ Services \% xx%
Ø HKEY_LOCAL_MACHINE \ system \ CurrentControlSet \ Services \% xx%

Note:
% xx% showing random characters, this key is made to run the file. SYS which has the size of 40 KB which is in the directory [C: \ Windows \ system32 \ drivers \]

6. Restart the computer, restore the remaining registry that changed by the virus to copy the following script in notepad and then save with the name repair.inf. Execute the following manner: right-click repair.inf | click install

[Version]

Signature = “$ Chicago $”
Provider = Vaksincom

[DefaultInstall]
AddReg = UnhookRegKey
DelReg = del

[UnhookRegKey]

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ batfile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ comfile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ exefile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ piffile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ regfile \ shell \ open \ command,,, “regedit.exe”% 1 “”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ scrfile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon, Shell, 0, “Explorer.exe”

HKEY_LOCAL_MACHINE \ software \ microsoft \ ole, EnableDCOM, 0, “Y”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusDisableNotify, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallDisableNotify, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusOverride, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallOverride, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Control \ LSA, restrictanonymous, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Control \ LSA, restrictanonymous, 0×00010001, 0

HKLM, SYSTEM \ CurrentControlSet \ Control \ LSA, restrictanonymous, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden, CheckedValue, 0×00010001, 0

[del]

HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableRegistryTools

HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableCMD

HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer, NoFolderOptions

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run, ctfmon.exe

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ kernelx86

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ kernelx86

HKLM, SYSTEM \ CurrentControlSet \ Services \ kernelx86

HKLM, SYSTEM \ CurrentControlSet \ Services \ mojbtjlt

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ mojbtjlt

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ mojbtjlt

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ Passthru

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows NT \ SystemRestore

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate, DoNotAllowXPSP2

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe

7. Delete temporary files and temporary Internet files. Please use the tools ATF-Cleaner. Download these tools in http://www.atribune.org/public-beta/ATF-Cleaner.exe address.

8. Restore back to the host file in Windows that has been changed by the virus. You can use tools Hoster, please download at the following address http://www.softpedia.com/progDownload/Hoster-Download-27041.html

Click the [Restore MS Hosts File], to restore the Windows hosts file.

9. For optimal cleaning and prevent re-infection, anti-virus scan with up-to-date and was able to detect this virus. You can also use Norman Malware Cleaner, please download at the following address http://www.norman.com/support/support_tools/58732/en.

Follow this steps for cleanup:
1. Decide who will clean your computer from the network or internet

2. Change the name of the file [C: \ Windws \ system32 \ msvbvm60.dll] to [xmsvbvm60.dll] to prevent the virus reactivation during the cleaning process.

3. Should do the cleaning by using the Tools Windows Live CD Mini PE this is due to some master files and file rootkits masquerading as services and drivers difficult to delete these files will be hidden by the virus.

Then boot the computer using software Mini PE Live CD. After that deleting some files iduk virus by:

a. Click the [Mini PE2XT]
b. Click the [Programs]
c. Click the [File Management]
d. Click the [Windows Explorer]
e. Then delete the following files:
-. C: \ Windows \ System32
-. WMI% xxx.exe, where xxx indicate karater random (example: wmispqd.exe, wmisrwt.exe, wmistpl.exe, atu wmisfpj.exe) with file sizes vary depending on the variant that infects the target computer.
-. % xxx%. exe @, where the% xxx% showing random characters (example: qxzv85.exe @) with sizes varying depending on the variant that infects.
-. secupdat.dat
-. C: \ Documents and Settings \% user% \% xx%. Exe, where xx is a random character (example: rllx.exe) with a file size of about 6 kb or 16 kb (depending on the variant that infects).
-. C: \ Windows \ System32 \ drivers
-. Kernelx86.sys
-. % xx%. sys, where xx is a random character who has a size of about 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)
-. Ndisvvan.sys
-. krndrv32.sys
-. C: \ Documents and Settings \% user% \ secupdat.dat
-. C: \ Windows \ INF
-. netsf.inf
-. netsf_m.inf

4. Remove dubah registry created by the virus, by using the “Avas! Registry Editor”, how:

a. Click the [Mini PE2XT]
b. Click the [Programs]
c. Click the [Registry Tools]
d. Click [Avast! Registry Editor]
e. If the confirmation screen appears Kelik button “Load …..”
f. Kemudain delete the registry:

LOCAL_MACHINE_SOFTWARE ü \ microsoft \ windows \ currentverson \ Run \ \ ctfmon.exe
LOCAL_MACHINE_SYSTEM ü \ ControlSet001 \ Services \ \ kernelx86
LOCAL_MACHINE_SYSTEM ü \ CurrentControlSet \ Services \ \ kernelx86
LOCAL_MACHINE_SYSTEM ü \ CurrentControlSet \ Services \ \ passthru
LOCAL_MACHINE_SOFTWARE ü \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe
LOCAL_MACHINE_SOFTWARE ü \ microsoft \ Windows NT \ CurrentVersion \ winlogon
§ Change the string value to be Userinit = userinit.exe,
LOCAL_MACHINE_SOFTWARE ü \ microsoft \ Windows NT \ CurrentVersion \ winlogon
§ Change the string value Shell = Explorer.exe becomes
LOCAL_MACHINE_SYSTEM ü \ ControlSet001 \ Services \ \% xx%
LOCAL_MACHINE_SYSTEM ü \ CurrentControlSet \ Services \ \% xx%
LOCAL_MACHINE_SYSTEM ü \ ControlSet002 \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ DomainProfile \ AuthorizedApplications \ List \ \ C: \ windows \ system32 \% file_induk_virus%. exe (example: wmistpl.exe)
LOCAL_MACHINE_SYSTEM ü \ ControlSet002 \ Services \ SharedAccess \ Parameters \ FirewallPolicy \ StandardProfile \ AuthorizedApplications \ List \ \ C: \ windows \ system32 \% file_induk_virus%. exe (example: wmistpl.exe)

Note:% xx% showing random characters, this key is made to run the file. SYS which has the size of 40 KB which is in the directory [C: \ Windows \ system32 \ drivers \]

5. Restart the computer, restore the remaining registry that changed by the virus to copy the following script in notepad and then save with the name repair.inf. Execute the following manner: right-click repair.inf | click install

[Version]

Signature = “$ Chicago $”

Provider = Vaksincom Oyee

[DefaultInstall]

AddReg = UnhookRegKey

DelReg = del

[UnhookRegKey]

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ batfile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ comfile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ exefile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ piffile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ regfile \ shell \ open \ command,,, “regedit.exe”% 1 “”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ scrfile \ shell \ open \ command ,,,”"”% 1 “”% * ”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon, Shell, 0, “Explorer.exe”

HKEY_LOCAL_MACHINE \ software \ microsoft \ ole, EnableDCOM, 0, “Y”

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusDisableNotify, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallDisableNotify, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, AntiVirusOverride, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Security Center, FirewallOverride, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Control \ LSA, restrictanonymous, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Control \ LSA, restrictanonymous, 0×00010001, 0

HKLM, SYSTEM \ CurrentControlSet \ Control \ LSA, restrictanonymous, 0×00010001, 0

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden, CheckedValue, 0×00010001, 0

SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden, DefaultValue, 0×00010001, 0

SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Advanced \ Folder \ SuperHidden, UncheckedValue, 0×00010001, 1

[del]

HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableRegistryTools

HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System, DisableCMD

HKCU, Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ Explorer, NoFolderOptions

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run, ctfmon.exe

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ kernelx86

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ kernelx86

HKLM, SYSTEM \ CurrentControlSet \ Services \ kernelx86

HKLM, SYSTEM \ CurrentControlSet \ Services \ mojbtjlt

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ mojbtjlt

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services \ mojbtjlt

HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet001 \ Services \ Passthru

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows NT \ SystemRestore

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate, DoNotAllowXPSP2

HKEY_LOCAL_MACHINE \ SOFTWARE \ Policies \ Microsoft \ Windows \ windowsupdate

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ ctfmon.exe

6. Windows registry fix to restore the computer to boot to “safe mode with command prompt” to download the file FixSafeBoot.reg (Windows XP) at the following address and then run the file the following manner:

o Click the [Start]
o Click [Run]
o Type Regedit.exe and click the [OK]
o On the “Registry Editor”, click the menu [File | Import]
o Determine the file. REG you created new
o Click the [Open]

7. Delete temporary files and temporary Internet files. Please use the tools ATF-Cleaner. Download these tools here.

8. Restore back to the host file in Windows that has been changed by the virus. You can use tools Hoster, please download at the following address.

Click the [Restore MS Hosts File], to restore the Windows hosts file.

9. For optimal cleaning and prevent re-infection, anti-virus scan with up-to-date and was able to detect this virus.

5. Show file [TaskMgr.exe/Regedt32.exe/Regedit.exe/CMD.exe/Logoff.ex e] is hidden by the virus, I typed in the dialog box [Run] -> type CMD-> Enter. Then, type attrib-s-h-r-regedit.exe> Enter. With the same command can be used to display the file Taskmgr.exe, cmd.exe and Logoff.exe
6. For optimal cleaning and prevent infection, please re-install and scan with the antivirus is up-to-date. If you have clean, clear and delete rule block file [WSCript.exe] which was created in step no. (2), with the type SECPOL.MSC in the box [Run] from the [Start], then press Enter. On the screen [Local Security Policy], click 2x [Software Restriction policies] -> Additional Rule] -> delete the rule that has been made.

• Right-click repair.inf

• Click install

• http://www.4shared.com/file/82762498/f5dc1edd/repair.html?dirPwdVerified=feea1d94

4. Turn off the active application program in memory so that the cleaning process faster, especially programs that are in the startup list.
5. We suggest using the removal scan tools with the first extension of the removal tools with an extension other [for example: CMD] in order not to re-infection by W32/Sality.AE. In the example below, the file name “Norman_Malware_Cleaner.exe” in the rename to “Norman_Malware_Cleaner.cmd” so that the infection does not Sality. (see figure 4).

File “Norman_Malware_Cleaner.exe” which has been rename the extension to “Norman_Malware_Cleaner.cmd,” blue box

Always use the latest Norman Malware Cleaner to clean and eradicate new viruses. Download Norman Malware Cleaner from the latest ”

http://download.norman.no/public/Norman_Malware_Cleaner.exe

Note:

So that removal is not infected by W32/Sality.AE, should change the extension of the removal tools will be another extension [eg: CMD] (see image above)

Sality.AE  try infected to have the file extension EXE and SCR, and COM, the files that have been repeatedly in the infection by this virus will sometimes damaged if cleaned by antivirus programs, so if there is a program error after the scan by should re-install the antivirus program.

6. So that the computer that is infected W32/Sality.AE can booting “safe mode”, please restore the registry has been changed by the virus.

Please download the following files and then run on the OS that is infected W32/Sality.AE.

http://www.4shared.com/file/82761423/934fb170/_2__Sality.htmldirPwdVerified=feea1d94

7. Fix registry change on the other by a virus, please download the following tools and run the file in the following manner:

Right-click repair.inf

Click install

http://www.4shared.com/file/82874724/f485f1dd/repair.html?dirPwdVerified=3b1f2fa9

8. Restart the computer and re-scan using the removal tools to ensure your computer has been clean from viruses.

9. For optimal cleaning and prevent re-infection should install and scan with the antivirus that can detect Sality well.

As a result of the changes, Microsoft makes most of flash can not appear automatically display the program using the Windows feature called as Autorun. In a blog posting Microsoft (blogs.technet.com), Microsoft explained that if the infected flash inserted in the machine based on Windows 7, the task Autorun will not be displayed.

While in the other removable media, such as CDs and DVDs can still use the Autorun feature. In addition, several flash ‘smart’ software that has also u3 can still shown as DVD drive, and use the Autorun feature. Changes made to Microsoft this will be shown in the features of Windows 7 RC that plan will be published in the upcoming month of May. Microsoft also plans to make changes in Windows Vista and Windows XP. Autorun functionality in Windows is never be wrong over the spread of malware that comes from the flashdisk.

Message at a glance like a message in general. But do not click the link to a given, though sent by your friend. The message was not sent by your colleagues, but by viruses that have infected your computer colleagues.

Well, if already infected, then it will automatically create a random file name with the extension. Tmp and. Exe that will be stored in the directory [C: \ Documents and Settings \% username% \ Local Settings \ Temp] with the name of the different .

Steps to eliminate Coutsonif.A Virus:

1. Disable ‘System Restore’ during the cleaning process.
2. Disable Windows autorun, so the virus can not be activated automatically when the access to the drive / flash disk.
Click the button ‘start’
Click ‘run’
Type ‘GPEDIT.MSC’, without quotes. Then the screen will display ‘Group Policy’
On the ‘Computer Configuration and User Configuration,’ click ‘Administrative templates’
Click ‘System’
Right click on ‘Turn On Autoplay’, select ‘Properties’. Then the screen will appear ‘on Tun Autoplay propeties’
Tabulation on ‘Settings’, select’ Enabled ‘
On the ‘Tun off Autoplay on’ select ‘All drives’
Click ‘Ok’

3. Turn off the virus, use the tools’ security task manager ‘and delete the file [sysmgr.exe, vshost.exe, winservices.exe, *. tmp]

Just a note,. Tmp files that have indicated the extension TMP [example: 5755.tmp]. Right-click on the file and select ‘Remove’, select the option ‘Move files to Quarantine.

4. Repair registry that has been modified by the virus. To speed up the process of elimination, please copy the script below on the notepad program and save it with the name repair.inf. Run the file in the following manner: repair.inf Right-click, and select install.

[Version]
Signature=”$Chicago$”
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKCU, SessionInformation, ProgramCount, 0×00010001,3
HKCU, AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current,,,”C:\WINDOWS\media\Windows XP Pop-up Blocked.wav”
HKCU, AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current,,,”C:\Windows\media\Windows XP Recycle.wav”
HKCU, AppEvents\Schemes\Apps\Explorer\Navigating\.Current,,,”C:\Windows\media\Windows XP Start.wav”
HKCU, AppEvents\Schemes\Apps\Explorer\SecurityBand\.current,,,”C:\WINDOWS\media\Windows XP Information Bar.wav”

[del]

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft(R) System Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, bMaxUserPortWindows Service help
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, MaxUserPort

5. Remove virus file below:

C:\vshost.exe [all drive]

C:\autorun.inf [all drive]

C:\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe

C:\Documents and Settings\%user%\Local Settings\Temp

A415.tmp [acak]

034.exe [acak]

Lady_Eats_Her_Shit–www.youtube.com

C:\WINDOWS\system32\sysmgr.exe

C:\WINDOWS\TEMP\5755.tmp

C:\windows\system32\crypts.dll

C:\windows\system32\msvcrt2.dll

6. For optimal cleaning and prevent reinfection, please use the antivirus can detect and eradicate this virus up to date. You can also download tools in Norman Malware Cleaner http://download.norman.no/public/Norman_Malware_Cleaner.exe

1. Files Virus
This virus has a job that is infection applications or documents that are in your computer.
When an infected application is executed, the virus will spread this way infected all files or documents that are accessed by the application.

2. Boot Sector Virus
I have this virus that is working hard infected boot sector (boot sector is a region in the first hard drive is accessed when the computer is turned on).
If the boot sector virus is active, users will not be able booting computer normally.

3. E-mail Virus
This virus has a job that is spread through e-mail (usually in the form of file attachments / attachment).
The virus has a characteristic form of a special extension. Scr,. Exe,. Pif, or. Bat.
When the virus is active, then he will submit himself to the various e-mail address listed in the user’s address book.

4. Multipartite Virus
This virus has a job that is infectedcomputer files at once on the hard disk boot sector.
This type of virus will cause many problems because of the damage caused fatal.

5. Virus Polimorfis
This virus has a unique way of working that this virus can change the code itself (change shape) when spread itself to other computers
Virus type more difficult to detect because it has such a nature ..

6. Virus invisible (stealth virus)
This virus has a job that he is able to Hide itself with how to create a file that seems infected file is not infected.

7. Macro virus
This virus has a job that is infected Microsoft Office applications, such as Word and Excel.
Documents are usually infected by a macro virus will modify the existing command in Microsoft Office such as the “Save” to spread itself when the command is executed.

For security for the computer user, you should always protect computer and update the latest patch. Because the spread of the virus type of Worm is very fast, not even difficult to be detected.