Friday, September 28, 2007

W32.Yalove.D, http://eyejuice.net

W32.Yalove.D spreads through the Yahoo! Instant Messenger program and copies itself to every drive (C:, D:, and any other drives in the PC) on the infected computer. It infects all versions of the Windows OS. Task Manager and the Registry Editor are also disabled. What else does W32.Yalove.D do?

* Removes the configuration option in System Restore
* Removes Folder Options from Explorer
* Prevents hidden files from being viewed
* Hides file extensions
* Sets the Internet Explorer start page to the URL http://eyejuice.net
* Buzzes Yahoo! Messenger contacts and then sends them the same URL as above


How to Remove W32.Yalove.D

1. Temporarily Disable System Restore (Windows Me/XP).

2. Update the virus definitions.

3. Reboot the computer in Safe Mode.

4. Run a full system scan and clean/delete all infected files.

5. Delete/Modify any values added to the registry.

Navigate to and delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "userinit.exe,%Windir%\system\lsass.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "explorer.exe %Windir%\system\lsass.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "%Windir%\system\cmd.exe"


Restore the following registry entries to their original values, if required:
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz\"content url" = "http://eyejuice.net"

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast\"content url" = "http://eyejuice.net"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://eyejuice.net"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"

HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"Homepage" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "2"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoRun" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFolderOptions" = "1"
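
A read-only way to check a machine against the registry values listed in step 5, as an added PowerShell example that is not part of the original post. The keys, value names and data come from that list; the `New-Check` helper and the variable names are hypothetical, and the script only reports, it does not delete or restore anything.

```powershell
# Added example (not from the original post): read-only check of the registry
# values this post lists. It reports; it never deletes or rewrites anything.
function New-Check($Path, $Name, $Pattern) {
    [pscustomobject]@{ Path = $Path; Name = $Name; Pattern = $Pattern }
}
$cv  = 'Software\Microsoft\Windows\CurrentVersion'
$url = 'eyejuice\.net'   # URL named in the post, escaped for -match
$checks = @(
    # "\system\" does not match the legitimate "\system32\" location.
    New-Check 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit' '\\system\\lsass\.exe'
    New-Check 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Shell' '\\system\\lsass\.exe'
    New-Check 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot' 'AlternateShell' '\\system\\cmd\.exe'
    New-Check 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz' 'content url' $url
    New-Check 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast' 'content url' $url
    New-Check 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Start Page' $url
    New-Check "HKCU:\$cv\Policies\System" 'DisableTaskMgr' '^1$'
    New-Check 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel' 'Homepage' '^1$'
    New-Check 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' 'DisableConfig' '^1$'
    # Hidden=2 and HideFileExt=1 are also stock Windows defaults: weak signals alone.
    New-Check "HKCU:\$cv\Explorer\Advanced" 'Hidden' '^2$'
    New-Check "HKCU:\$cv\Explorer\Advanced" 'HideFileExt' '^1$'
    New-Check "HKCU:\$cv\Policies\Explorer" 'NoFolderOptions' '^1$'
    New-Check "HKCU:\$cv\Policies\Explorer" 'NoRun' '^1$'
    New-Check 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoFolderOptions' '^1$'
)

$report = foreach ($c in $checks) {
    # A missing key or value yields $null instead of an error.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value = $null
        $state = 'absent'
    } else {
        $value = $item.($c.Name)
        $state = if ("$value" -match $c.Pattern) { 'MATCHES POST' } else { 'differs' }
    }
    [pscustomobject]@{ State = $state; Key = $c.Path; Name = $c.Name; Value = $value }
}

# Rows marked MATCHES POST carry the data this post attributes to the worm.
$report | Sort-Object State | Format-Table -AutoSize -Wrap
```

The HKCU checks reflect only the account running the script, so run it once per user profile on a shared machine.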
