Saturday, March 13, 2010


It is specially designed to findout and then remove Rootkits from PC.

A rootkit is a program that a hacker uses to mask intrusion and obtain administrator-level access to a computer or computer network. The intruder installs a rootkit on a computer using a user action or by exploiting a known vulnerability or cracking a password. The rootkit installs a backdoor giving the hacker a full control of the computer. It hides their files, registry keys, and process names, and network connections from your eyes.
Your antivirus could not detect such programs because they use compression and encryption of its files.

Un Hack Me allows you to detect and remove Rootkits.

Avast 4 Antivirus Professional Edition

Avast 4.8.1356 Professional Edition is a collection of high end technologies that work in perfect synergy.It has one common goal: to provide high level protection against computer viruses. Avast 4 represents an ideal solution for any Windows based workstation.Its Professional Edition is a complete ICSA certified antivirus software for your company. It obtained VB100% awards in 2002/4 Virus Bulletin comparative reviews.

Avast scans for viruses, worms and Trojans: On Demand - with two User Interfaces, On Access, E-mail, during Boot Time, in File Explorer and Screen Saver. It maintains Virus Chest. Protects E-mail, HTTP, NNTP, ICQ, mIRC, Kazaa etc. True incremental updates based on iAVS technology updates twice a week virus definition file.
This Home / Professional now fully supports the 64-bit Windows and Vista platforms.
Avast 4 Antivirus Professional Edition


- Antivirus kernel
- Simple User Interface
- Enhanced User Interface
- Resident protection
- Script Blocker (Professional Edition only
- P2P and IM Shields
- Virus Chest
- System integration
- Command-line scanner
- Integrated Virus Cleaner
- Support for 64-bit Windows / Vista
- Internationalization
- Network Shield
- Web Shield
- Automatic updates
- PUSH updates

Avast 4 Antivirus Professional Edition download
Antivirus Kernel

New version of avast antivirus kernel features outstanding detection abilities, together with high performance. You can expect 100% detection of In-the-Wild viruses (the ones what are really spreading amongst people) and very good detection of Trojan horses, all that with only a minimum number of false alarms.
The kernel was certified by ICSA; it frequently takes part in the tests of Virus Bulletin magazine, often yielding the VB100 award.

Simple User Interface

Simple User Interface is used to start on-demand scanning, work with the results, change various options etc. Basic resident protection settings can be modified here. Simple User Interface is the main application of avast 4 Home Edition. You can start additional avast! modules from here, such as the Virus Chest, Updater or Log Viewer.

Enhanced User Interface

Unlike the Simple User Interface, the scanning is performed by so called "tasks". First, you define a task, including various parameters - areas to scan, what to scan, how to scan, etc. Having the task, you can (possibly repeatedly) run it. Each task generates a list of results; you can work with them later.

Resident protection

Resident protection, i.e. the real-time protection of the computer, is one of the most important parts of an antivirus program today. avast! features a powerful resident module that is able to detect the virus before it has any chance to infect your computer.
E-mail protection consists of two independent modules; first, there is a generic scanner working on the SMTP/POP3/IMAP4 protocol level. It is capable of protecting any existing e-mail client that uses these protocols. Second, there is a special plugin for MS Outlook only; it is completely transparent, requiring no special settings.
New feature of version 4 is heuristic analysis of e-mail scanners. It is extremely useful in protecting against new, unknown viruses and worms that are not possible to detect by the usual means. The heuristic module performs a thorough investigation of every e-mail message and watches for suspicious signs that might announce virus presence. When the number of those signs exceeds the user-defined level, the message is considered dangerous and the user is warned.

Script Blocker

The resident protection of the Professional Edition includes an additional module, not contained in the Home Edition - Script Blocker. This module watches all the scripts being executed in the operating system (so called WSH scripts - Windows Scripting Host). It also scans all the scripts run as a part of a web page within your web browser (Internet Explorer, Netscape Navigator and Mozilla).

Automatic updates

Automatic updates are another key point in virus protection. Both the virus database and the program itself can be updated automatically.

PUSH updates

A special feature of the Professional Edition are PUSH updates. It is a dramatic change in the philosophy of updates. Usually, every installed program checks every now and then whether a new version is available. PUSH updates, however, are initialized by our server; they result in your computer quickly responding and performing the necessary update. The system is based on the SMTP protocol, i.e. on usual e-mail messages. The updates itself are controlled by the avast! resident e-mail providers (MS Outlook and Internet Mail).

Virus Chest

The main properties of the Virus Chest are complete isolation from the rest of the operating system (no outside process, i.e. no virus either, may access the files inside) and the fact that the files inside the Chest may not be run (i.e. there is no danger in storing viruses there).

System integration

avast 4 antivirus features outstanding integration into your system. The scanning can be started directly from Windows Explorer, by clicking a folder or a file with your right mouse button and selecting the corresponding choice from the menu.
Another interesting feature is a special screen-saver that performs scanning for viruses during its run-time. avast! antivirus works together with your favorite screen-saver, so you don't have to change to anything you wouldn't like.
Another new option is the boot-time scan (Windows NT/2000/XP/.NET only). It is important in the case that a virus is suspected to be active on your computer. The boot-time scan is performed before the virus may get activated, so the virus cannot influence the scanning in any way.

Command-line scanner

Experienced users may like another Professional Edition feature - command-line scanner. The scanning can be controlled by many arguments and switches; to use as a pipe filter, a special STD IN / STD OUT mode is available.
The module is intended to be used in BATCH programs. Its output is the same as the output from the Enhanced User Interface tasks (including the report files).

Changes in Version 4.8.1356 (September 25, 2009):

* solved a memory leak in the GZIP unpacker
* solved vulnerabilities in AavmKer4.sys, aswMon2.sys and ashWsFtr.dll

Hitman Pro 3.5.4

Hitman Pro 3.5.4 is a fastest tool to identify and remove viruses, spyware,rootkits,trojans and other malwares. It will quickly shows if your Computer is infected with malicious software. By the research it shows that many computers are infected, even if they have an updated virus signature installed, and that a combination of different anti malware programs would be required to prevent infection. Hitman Pro 3 uses innovative cloud computing techniques to detect and remove potential malware threats with minimal impact on system performance.
Hitman Pro 3.5.4
Advantages of Hitman Pro 3

  •  It recognizes and removes viruses, trojans, rootkits, spyware and other malware.
  •  Revolutionary innovation in scanning technique to distinguish between malicious and safe software without signatures.
  •  Short scan time - searches the system within a few minutes.
  •  No extra system load that's why its ia fast removal tool.
  •  It creates a check point in System Restore before removing malicious software.
  •  Hitman Pro 3 removes resistant threats using native NT boot-time deleter.
  •  It removes references to malicious software (like shortcuts and registry entries).
  •  It also provide free malware scan.
  •  Free online support in English, German and Dutch.
  •  Impossible to make false positives on important systems files thanks to "profiling" and whitelisting.
  •  Multi-vendor identification of malware in our real-time "Scan Cloud".
  •  Automatically restores common system alterations made by malicious software.
Hitman Pro

Fixed a problem reading data from encrypted hard drives.
Early Warning Scoring (EWS) is no longer on the Settings screen. Also, it is no longer remembered as a default scan. It now needs to selected manually from the new split button "Next" on the Welcome screen. Note that EWS is not meant to run on a daily basis. It is intended for experts only as it potentially lists non-malware files. EWS can also be used when the Internet connection is disabled or unavailable.

ESET NOD32 4.0.474

ESET NOD32 is the the fastest and most effective technology available to protect you from viruses and spyware without slowing you down while you work or play.Its threat Sense scanner is even smarter and faster and while adding removable media security.Nod32 have new diagnostic and recovery tools, and more advanced heuristics.
NOD Enabler seeks out for new accounts for never gets outdated or obsolete.

Sunday, March 7, 2010

Panda Antivirus Pro 2010

Panda Antivirus Pro 2010 enables you to forget about viruses, spyware, hackers.
Older versions of Panda Antivirus software has been pretty good, probably along with most of their competitors. Unfortunately, both competitors and malicious software are becoming more difficult.

There are some decent features, like its real-time virus protection that is adequate and phishing, which is pretty good, ranking third in this part of our tests.

Secondly, the fact that Panda has included a firewall in their antivirus software is remarkable.

The latest version of Panda Antivirus Pro 2010 is the easiest to use and most intuitive protection for your computer.

While it is all the time pleasant to receive more guard rather than less, the firewall is not installed or enabled by default. Most people may think they are fully covered when in fact they have no firewall protection at all Panda.

Despite this, the firewall appears to be average and not much better than the standard firewall for Windows.

The user interface of this year was another big disappointment. He did not ease of use and polish we've come to expect from Panda and the other major antivirus companies.

Although the basic virus protection from Panda Antivirus Pro 2011 is sufficient, it is not good enough when you're against the best antivirus software. Panda is the good antivirus.

Kaspersky Rescue Disk

Kaspersky Rescue Disk is designed for testing and treatment of infected computers. Annex applies when it is not possible to cure your computer with antivirus software or utilities of treatment (eg, Kaspersky AVP Tool), run under the operating system. The effectiveness of treatment is increased by the fact that in the system are malicious programs do not receive control during operating system. This CD was made on the basis of the Russian version of Kaspersky PURE with updated topical bases on 03/03/2010. Recommended speed recording an image on CD - no higher than 8x.
Kaspersky Rescue Disk

Year: 2010
Program Version:
Language: English, German, French,Russian
Tablet: Not required
System Requirements: Windows XP, Vista, Win 7

McAfee Internet Security 2010

McAfee Internet Security - a convenient solution for comprehensive security, ideal for people who are constantly using the Internet for data exchange, shopping, banking and trading operations or for entertainment. He has composed award-winning tool for web security McAfee Site Advisor Plus, which warns you about suspicious Web sites and blocks them.

McAfee Internet Security protects the family and the entire computer network from viruses, spyware, hackers, identity thieves and online fraudsters. It also provides parental control. In the products program McAfee Internet Security, which now uses a revolutionary technology Active Protection, provides proactive protection for your computer against various threats. Now do not need to wait for hours, as when using traditional methods - the program analyzes and blocks new threats in a fraction of a second. Active Protection - the best technology to ensure protection against constantly evolving Internet threats.

McAfee Internet Security makes regular automatic updates, which helps to ensure a protection against evolving Internet threats.

Virus Protection

McAfee Virus Scan Plus automatically protects your computer from viruses, mass-mailing worms, Trojans and many other viruses. The program also automatically removes viruses, or puts them in quarantine, with minimal interference in your computer.

Protection from hackers
Continuous monitoring of incoming and outgoing traffic can effectively deal with McAfee to hackers and fraudsters involved in identity theft and to prevent operation of malicious programs that can seize control of the system (for example, to send unsolicited messages), or introduce a virus program that violate privacy. Quick and easy installation, customizable security levels, the function of the visual trace the path, smart alerts, full screen mode and automatically customized functions - all this will fine-tune your protection , identify the source of the threat and act to block suspicious programs that may transfer your personal data " in the right place. "

Spyware protection
McAfee Protection from spyware can detect, block and remove spyware, adware and other suspicious programs before they try to steal passwords to log into the system ( "keyboard loggers"), or start tracking your movements on the network or (files cookie) or output screen a large and intrusive ads while browsing the internet. Better protection based on the new built-in protection againstviruses and spyware. Now this protection detects and blocks tracking a cookie.

Privacy Policy
McAfee Internet Security helps protect your personal data and financial information (such as name, telephone number, credit card number and bank account) from the unauthorized transmission over the Internet. Function McAfeeShredder can permanently delete confidential files and thereby protect your privacy.
McAfee tools to protect against viruses, spyware, spam, and firewall work together, forming a layered defense against threats to identity thieves who can use a combination of malware to steal files, credentials to enter the financial system, and other personal information, identifying the user.

Protection from spam and fraudulent actions by e-mail

McAfee Internet Security automatically detects and blocks unwanted messages, including messages in foreign languages, as well as letters by which the fraudsters can get users to run a virus. Thus, junk mail is blocked and you receive only messages from trusted sources. Regular anti-spam filter updates ensure protection against spam. The exact mechanisms of analysis, filtering and blocking unwanted messages can reduce the number of locks allowed letters.

Protecting children from harmful influences at work in the Internet
McAfee Internet Security helps protect family members from viewing inappropriate Web content and online predators by age settings and easy-to-use filtering options. In addition, the package includes McAfee Image Analyzer, protecting children from viewing obscene images.

Backing up and restoring files
McAfee Internet Security provides automatic backup, preserving irreplaceable photos, music files, video files and documents on CD-, DVD-, USB-media, or external or network drives. Extract files from archives possible with a single click.


fakeav.xp is a fake antivirus product which relies on pop-ups with false detection on the system, forcing the user to buy the annoying software to get rid of infections that aren't there.

The user receives messages of false infection on his computer in order to make him activate (buy) the fake antivirus product. The rogue antivirus resembles the program suite from the operating system and on the installation of the malware the user can notice.


The malware creates the following file %CommonAppData%\[RandomString]\[RandomString].exe. Another noticeable sign of infection is the folder %AppData%\Enterprise Suite.
A typical path for %CommonAppData% is C:\Documents and Settings\All Users\Application Data.
A typical path for %AppData% is C:\Documents and Settings\[UserName]\Application Data.

When installed the picture shown above appears, immitating the operating system's programs. It makes a copy of itself in the %Temp% folder ( ex : C:\Documents and Settings\[UserName]\Local Settings\Temp ) and creates a folder %CommonAppData%\[RandomString] in which it stores the rogue antivirus.
The malware modifies the hosts file (%System%\drivers\etc\hosts) which redirects each entry of the site mentioned bellow to a known search engine webpage. The modified entries are :

It creates a startup registry value "Enterprise Suite" in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in order to run every time the operating system starts. (Daniel Chipiristeanu, virus researcher)


It is suggested to use Bitdefender or any strong Trojan Remover to remove this trojan.


Networm-i.Virus@fp is not a real worm. It's a fake security alert generated by Zlob.Trojan to promote rogue anti-spyware products (MalwareCrush, Virus Heat, Virus Protect and other). This trojan will show message (system tray notification) about Networm-i.Virus@fp infection every 2-5 minutes.


This trojan will show message (system tray notification) about Networm-i.Virus@fp infection every 2-5 minutes. This may slow your computer and may cause serious system errors.


First Remove Networm-i.Virus@fp following files:

%UserProfile%Application DataMicrosoftCryptoRSA
%UserProfile%Application DataMicrosoftProtect nvctrl.exe

Secondly,Remove Networm-i.Virus@fp registry entries:

Click on start menu and then click on run: type regedit.

than remove following entries.

HKEY_LOCAL_MACHINESoftwareMicrosoftWindows CurrentVersionRunRegSvr32=%System%msmsgs.exe
HKEY_LOCAL_MACHINE SoftwareMicrosoftWindows NT CurrentVersionWinlogon
Shell=explorer.exe, msmsgs.exeHKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentV
SOFTWAREMicrosoftInternet ExplorerToolbar{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}
SoftwareMicrosoftInternet ExplorerToolbarWebBrowser{41F6170D-6AF8-4188-8D92-9DDAB3C71A78}
Helper Objects{D579A683-0CC7-4023-BAE7-0544D0D1DA3A}

We recommend to use Spyware Doctor anti-spyware to remove Networm-i.Virus@fp fake spyware alert, Zlob.Trojan and rogue anti-spyware infections.


Win32.Worm.DownadupJob.A  is a generic detection of .job files created by Downadup worm. One of the methods used by this worm to load its library file every day is by creating many Scheduled Tasks in %WINDOWS%\Tasks. The name of the application which will be executed is rundll32.exe and the parameter has the following format: ., - this is the worm's .dll file.
Win32.Worm.Downadup is a worm that relies on the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-67) in order to spread on other computers in the local network. The authors took various approaches to make this malware especially fast spreading and hard to remove.

Connection times out while trying to access various antivirus-related websites.
Windows Update has been disabled.
Presence of autorun.inf files in the root of mapped drives pointing to a .dll file inside the RECYCLER folder of the drive.

Once gained execution this worm does the following actions:
  • Hooks NtQueryInformationProcess from ntdll.dll inside the running process
  •  Creates a named Mutex based on the computer name
  •  Injects intself into one of the following processes:
  •  Explorer.exe
  •  Svchost.exe

  •  uses the following registry key to hide the files with hidden attributes:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
  •  executes the following command, which disables auto-tuning (details) option under Windows Vista :
  •  netsh interface tcp set global autotuninglevel=disabled
  •  copies itself into one or more of the following locations:
  •  %Program Files%\Internet Explorer\[Random Name].dll
  •  %Program Files%\Movie Maker\[Random Name].dll
  •  %Documents and Settings%\All Users\Application Data\[Random Name].dll
  •  %Temp%\[Random Name].dll
  •  %System32%\[Random Name].dll
  •  if residing into services.exe application (Win2K) it hooks on the following apis:
  •  NetpwPathCanonicalize from netapi32.dll - this api is used to avoid reinfection of the local machine from other infected computers
  •  sendto from ws2_dll.dll
  •  if residing into svchost.exe it hooks the following apis
  •  NetpwPathCanonicalize from netapi32.dll - this api is used to avoid reinfection of the local machine from other infected computers
  •  DnsQuery_A, DnsQuery_W, DnsQuery_UTF8, Query_Main from dnsapi.dll - this apis are hooked to restrict access to various sites related to antivirus companies.
  •  it sets maximum number of simultaneous connections allowed by doing one of the following
  •  patching tcpip.sys driver, using a driver it drops itself (contained in an unencrypted form)
  •  setting HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" to "00FFFFFE"
  •  injects itself into services.exe (Win2K)
  •  it sets the following registry keys (if they are not set already), probably as an infection marker:
  •  HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  •  HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  •  Disabled the following Windows services:
  •  Background Intelligent Transfer Service (BITS)
  •  Windows Automatic Update Service (wuauserv)

  •  sets the following registry key to hide files with hidden attribute:
  •  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL\"CheckedValue" = "0"
HOW TO REMOVE Win32.Worm.DownadupJob.A
It is recommended to download bitdefender or any strong antivirus to protect against this virus.


Autorun.inf can pose a security threat, when the user does not expect or intend to run the software, such as in the case of some viruses, which take advantage of this feature to propagate, especially on USB FLASH DRIVES.


For instance, an attacker with brief and casual physical access to a computer can surreptitiously insert a disc and cause software to run. Alternately, malicious software can be distributed with a disc that the user doesn't expect to contain software at all -- such as an audio compact disc. Even music CDs from well known name-brand labels have not always been safe.


To erase this, restart your window to Safe Mode Command Prompt. (Do this by rebooting your computer and pressing F8 before windows go out and select from the boot menu). On drive C and other drives type the following commands: 1. attrib -h -r -s autorun.inf    2. del autorun.inf

Do this steps to other drives to disable the autorun.inf.

Now,Disable autorun.inf from Registry.

Now you can disable the AUTORUN for all drives by configuring the registry. Open the registry by typing regedit.exe to the command prompt (if your still at the command prompt) or execute it in Run. Look for the HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Policies\Explorer as shown below:
Double-click the NoDriveAutorun DWORD entry and type the value HEX: FF (255 in Decimal). (If the NoDriveAutorun does not exists, you can creat it by right-clicking the right side area of the regedit window, then click New->DWord Value -> type NoDriveAutorun) Close the registry and restart the computer. This procedure will disable all the autorun for all drives of your computer and at least will prevent the autorun function of infected USB drives or CDs and avoid the infection of viruses like the Bacalid and RavMon.exe.

If you want to prevent viruses that uses autorun.inf  to infect your USB flash drive, try to do this:

1. Open your flash drive via Command Prompt (do this via Start->Run->cmd.exe)

2. Change your logged drive to your USB flash drive (e.g. if your drive is at drive E: then type E: on the command prompt then press enter)

3. Create a folder named: AUTORUN.INF on the root directory of your flash drive. (to do this type the command: MD\AUTORUN.INF). If an error: a subdirectory already exists… shows, try to follow the instruction above to remove existing autorun.inf before doing this instruction.

The reason why this will avoid future infection is that autorun.inf viruses usually generates a file autorun.inf. Having an AUTORUN.INF folder on the root directory of your drives will make virus programs unable to create their own autorun.inf file, virus can’t even overwrite it because it’s a folder and not a file.


This detection is for a worm that attempts to copy itself to the root of any accessible disk volumes.
Additionally it attempts to place an Autorun.inf file on the root of the volume so that it is executed the next time the volume is mounted.


This detection is for a worm.It attempts to spread to removable drives by creating an autorun.inf file, which will run the worm automatically, if a systems which use the removable drive are set to Autorun.

The following files are written to root of writable volumes:

The following files are also written to the infected system:
  • %WinDir%\services.exe
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

The following registry keys are created:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnabled: "FALSE"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Client: "%WinDir%\services.exe"
  • HKEY_USERS\S-1-5-21-746137067-299502267-1547161642-1003\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run: "%WinDir%\services.exe"

The following files are written to root of writable volumes:
  • AdobeRd9.0.exe
  • autorun.inf
  • scene.exe
  • Symptoms

Existence of mentioned files and registry keys
Method of Infection

This worm may be spread by its indented method of infected removable drives.
Alternatively this may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the worm onto the user's system with no user interaction.


It is suggested to use strong worm killer software.Download it.


Win32/Zafi.B (Other names: W32.Erkez.B) is a worm spreading via e-mail and P2P networks. It runs on Windows 95 and higher versions. Its size is 12800 bytes compressed by the FSG utility. After its decompression its size is 49 kB.

Note: In following text a symbolic inscription %windir% is used instead of the name of directory in which Windows operating system is installed. Of course, this may differ from installation to installation. The subdirectory System or System32 placed in %windir% has a name %system%

The worm arrives in an e-mail message with randomly selected subject line and body from the pre-defined subject lines and bodies specified in the worm code. The text in the subject line might be for example;

eIngyen SMS!

And the message body:

------------------------ hirdet=E9s -----------------------------

A sikeres =E9s az t=E1mogat=E1s=E1val =FAjra
indul az ingyenes sms k=FCld=F5 szolg=E1ltat=E1s! Jelenleg ugyan
korl=E1tozott sz=E1mban, napi 20 ingyen smst lehet felhaszn=E1lni.
K=FCldj te is SMST! Neh=E1ny kattint=E1s =E9s a mell=E9kelt regisztr=E1ci=F3s
lap kit=F6lt=E9se ut=E1n azonnal ig=E9nybevehet=F5! B=F5vebb inform=E1ci=F3t
a oldalon tal=E1lsz, de siess, mert az els=F5 ezer
felhaszn=E1l=F3 k=F6z=F6tt =E9rt=E9kes nyerem=E9nyeket sorsolunk ki!

------------------------ ---------------------------

The worm is attached in the attachment of the e-mail message.


Upon activation Win32/Zafi.B copies itself into the %system% directory with a random name and the extension .exe. In the same directory it creates the new file with a random name and extension .dll. The worm uses this file as a store for collected e-mail addresses used for further spreading.

The worm changes the following system Registries to ensure starting on the following system start up:
The worm also creates the following registry key:
Where it stores its internal information.

The worm searches the hard disk for folders named "share" and "upload" and copies itself into them using one of the following names:
Total Commander 7.0 full_install.exe
winamp 7.0 full_install.exe

The worm searches the disk for the files with the following extensions:


The worm spreads itself to all the e-mail addresses that it finds. It avoids the e-mail addresses that contain the following strings:


The worm terminates all the process that contain the following strings in their names:
"firewall" and "virus"

The worm also blocks starting of the following utilities:


Infected computers send requests to the following web sites:


The NOD32 detects Win32/Zofi.B using the Advanced Heuristics.
Download ESET NOD32 Antivirus.


Win32/Conficker.AA is a worm that spreads via shared folders and on removable media. It connects to remote machines in attempt to exploit the Server Service vulnerability.

When executed, the worm copies itself in some of the the following locations:
  •  %system%\%variable%.dll
  •  %program files%\Internet Explorer\%variable%.dll
  •  %program files%\Movie Maker\%variable%.dll
  •  %appdata%\%variable%.dll
  •  %temp%\%variable%.dll
A string with variable content is used instead of %variable% .

The worm loads and injects the %variable%.dll library into the following processes:
  •  explorer.exe
  •  services.exe
  •  svchost.exe
The worm registers itself as a system service with the name combined from the following strings:
  •  Boot
  •  Center
  •  Config
  •  Driver
  •  Helper
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
- "%variable_name%" = "rundll32.exe "%system%\%variable%.dll",

The following Registry entries are set:

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random
service name%\Parameters]
"ServiceDll" = "%system%\%variable%.dll"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%random
service name%]
"Image Path" = "%System Root%\system32\svchost.exe -k netsvcs"
A string with variable content is used instead of %random service name% .

The following Registry entries are deleted:

- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
"wscsvc" = "%filepath%"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
"Windows Defender" = "%filepath%"

The worm starts a HTTP server on a random port.t connects to remote machines to port TCP 139, 445 in attempt to exploit the Server Service vulnerability.
If successful, the remote computer may attempt to connect to the infected computer and download the copy of the worm.This vulnerability is described in Microsoft Security Bulletin MS08-067 .
Spreading via shared folders.The worm tries to copy itself into shared folders of machines on a local network.

The following usernames are used:
- %username%
The following passwords are used:
- 123
- 1234
- 12345
- 123456
- 1234567

If successful the following filename is used:
The worm schedules a task that causes the following file to be executed daily:
rundll32.exe %variable%.dll, %random_string%
Spreading on removable media
The worm copies itself into existing folders of removable drives.

If successful the following filename is used:

- %drive%\RECYCLER\S-%variable1%\%variable2%.%variable3%
A string with variable content is used instead of %variable1-3% .

The worm creates the following file:

- %drive%\autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
Other information
The following services are disabled:
  •  Windows Security Center Service (wscsvc)
  •  Windows Automatic Update Service (wuauserv)
  •  Background Intelligent Transfer Service (BITS)
  •  Windows Defender Service (WinDefend)
  •  Windows Error Reporting Service (ERSvc)
  •  Windows Error Reporting Service (WerSvc)
If the current system date and time matches the condition the worm will attempt to download several files from the Internet.
The worm runs only encrypted and properly signed files.The file is stored into the following folder:
- %temp%
If successful the following filename is used:
- %variable%.tmp

The worm may set the following Registry entries:

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
- "%port number%:TCP" = "%port number%:TCP:*:Enabled:%variable%"

The performed data entry creates an exception in the Windows Firewall program.


you have to download win32 conficker removal tool to remove this virus.


This is a complex malware discovered on Nov,26 2009. Technically its called TDss.ZR.The spreading speed is medium but causes high damages found in variable sizes


Following actions upon execution:

  • Creates a copy of itself in “%windir%\System32\spool\PRTPROCS\W32X86\” directory under the name “[random-number].tmp” and modifies the headers of the copy by setting the attributes related to a dll;
  • Creates a driver file in “%windir%\Temp\" directory under the name “[random-number].tmp”
  • Creates a copy of itself in “%Temp%” directory under the name “[random-number].tmp”
  •  Injects code in “spoolsv.exe” process in order to run with higher privileges, code which will load the dropped driver.
  • The injected code will also communicate with different servers as: https://h4356***.cn, https://h9237***.cn, https://212.117.174.***, making the computer part of a botnet network and from now on it can download files, execute them and do many other malware related actions.
  • Browser redirection and increased network activity.

It is recommended to download latest Antivirus with latest signatures to protect your pc
Bitdefender may be suitable to remove this virus.


This virus is spreading through the pen drive / external HDDs. They use the autorun function of windows to run this. Its create files in windows folder in the name of MS32DLL.dll.vbs. and create file named autorun.inf in the root directory of each drive. So whenever we double click on the drive, the script will run from c:\windows\MS32DLL.dll.vbs


We can not Double Click to open any Drive on our computer. But we can Right Click to Open or Explore.
It will effect regedit, task manager, hidden folders/ files etc …




Open task manager and end following process
1. wscript.exe
2. mslogon.exe
3. systemnt.exe
4. wscript.exe
5. flashy.exe
6. sondmsg.exe

Open command prompt and do the following
Change attributes of the file
Attrib –s –r –h autorun.inf
Remove autorun.inf from root directory.
Del autorun.inf
Delete MS32DLL.dll.vbs from windows directory
Delete c:\windows\MS32DLL.dll.vbs
Open registry editor
Delete following values
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - MS32DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Run - flashy.exe
HKU\Software\Microsoft\InternetExplorer\Main - "window Title"
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\system - disabletaskmgr
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\system - disableregistrytools
HKU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer - NoFolderOptions
Now restart the PC
To avoid spreading this, disable autorun in windows.
And there is a small tric.Just create a folder named autorun.inf in all the root directory. And change the all the atribs to “+” so that they can’t chant put the files to root direct easly
Eg :MD autorun.inf & Attrib +h +s +r autorun.inf


Win32:Banker is a family of Trojans capable of monitoring user activity and stealing private information. Win32:Banker monitors user’s internet access. If certain websites (banking, payment system) are visited, Win32:Banker will log user’s activity. Win32:Banker will than send all the stolen details to the attacker.
Win32:Banker is a family of Trojans capable of stealing private information such as account numbers, passwords and banking credentials. Many variants can wait in the background and monitor user's internet activity
A logging procedure starts when a certain website is accessed, or if the address of an accessed website contains certain words. Many variants may supplement legitimate banking or payment system websites to get user details.


After getting the user details, Win32:Banker will send all the information to the attacker. Data can be sent to the attacker’s e-mail, can be uploaded to the attacker’s FTP server or can be submitted to the attacker’s website
Win32:Banker may be downloaded by a user or can be received via email, but usually it is downloaded by other Trojan-Downloaders. When Win32:Banker is launched, it may copy itself to various folders such as %WINDOWS% or %SYSTEM%. Many variants set themselves to run each time Windows starts by creating the corresponding registry entries.
Most known variants target the users of Brazilian banks. These variants may be distributed in executables with names containing the word "cartao" ("card" in English).
If a user’s computer is infected with Win32:Banker, it is recommended to change the logging details of user’s bank account.


Win32:Banker is a very fast growing family and most Antivirus Software's updates contain signatures of new variants. Update your Antivirus product file regularly.

Download Anti virus Software to remove this virus.


Win32 Zimuse virus is a disguised IQ test combines virus, rootkit and worm -- malicious code for one fatal formula
Once executed, the worm creates between seven and eleven copies of itself (depending on the variant) in critical areas of the Windows system.


Win32.Worm.Zimuse.A is an extremely dangerous piece of malware. Unlike average worms, Win32.Worm.Zimuse.A could lead to severe data loss as it overwrites the first 50 KB of the Master Boot Record - a key zone of the hard disk drive.
In order to execute on each Windows boot-up, the worm sets the following registry entry:

It also creates two driver files, namely:
%system%\drivers\Mstart.sys and %system%\drivers\Mseu.sys
Since 64-bit versions of Windows Vista and Windows 7 require digitally signed drivers, the worm would fail installing these files.

Unfortunately, in its early stages, this worm makes it nearly impossible for users to know their system has fallen victim to the e-threat. If a certain number of days have elapsed since the infection (40 days for variant A and 20 days for variant B), the computer user receives an error message stating that a problem has occurred due to malicious content in IP packets from a peculiar-looking web address. It then asks the user to recover the system by pressing “OK.” After this message, the next restart causes the computer’s hard disk to become damaged due to the compromised boot sector. To view a video detailing what occurs during an attack by Win32.Worm.Zimuse


In order to stay safe, BitDefender recommends downloading, installing and updating a complete antimalware suite with antivirus, antispam, antiphishing and firewall protection. Users should also employ extra caution when prompted to open files from unfamiliar locations.

Saturday, March 6, 2010


WIN32 Sasser which is also know as The shutdown virus,Shuts down the computer in 30 seconds leaving your computer unusable.
Win32/Sasser is a family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm spreads by randomly scanning IP addresses for vulnerable machines and infecting any that are found.
When Win32/Sasser runs on a computer, it copies itself to the %WINDOWS% folder. In most cases, it adds a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This value causes the worm to start when Windows is started.


Your computer may be infected with Win32/Sasser if you experience one or more of the following symptoms:
  • You see an LSA Shell crash dialog box
  • Your computer restarts every few minutes without user interaction.
  • Your computer performance is decreased or your network connection is slow.


First we need to stop the shutdown action initiated by the virus.
There are 2 ways to do this:
1: Click Start>Run and type shutdown -A and press Enter.
2: On the lower right side, right click on the time and change the time and go 1 hour back.
In my opinion, the 1st option is really easy. It will remove the shutdown dialog box.

Install Anti Virus or free Anti-spyware Software

Download it .

After installation, it will prompt you to update the database. Click Yes to update.

Click on the Scan PC button. Now select Deep Scan button and click Scan.

After the scan completes it will show the scan results.
Select all harmful items found during the scan.
Click on Delete Selected Object. Click Yes if prompted.
After restart, your PC is clean as ever. Feel free to ask if you face any issues.

NOTE:Restart the computer after scan.Don't use any other application when the scan is in progress.




Recently we received a mail from one of our readers whose computer was infected by Win32/NSAnti virus, this virus mainly causes drive opening problem by double click in Windows XP.

If your system is infected by this virus you can’t see hidden files and folders , even after applying the settings to show hidden folders. This setting is reverted back to Don’t show hidden files and folders by the virus.

This happens because virus protects the two hidden, system files called and autorun.inf which are created by amvo.exe and amvo0.dll , amvo1.dll which resides in system32 folder on the OS drive (hard disk partition on which windows operating system is installed).


In order to fix the problems caused by this virus ,you will need to delete all these files created by the virus.

Follow the set of commands to delete these files

Open Start>>Run and type cmd and press enter. This will open windows command prompt window. On this window, type as directed in steps further and press enter at the end of each step.
type cd\
type cd windows\system32
type attrib -r -h -s amvo.exe
type del amvo.exe
type attrib -r -h -s avmo0.dll ,repeat the steps 5 and 6 again to delete avmo1.dll
now type d: and press enter for d: drive partition.
type attrib -r -h -s autorun.inf
type del autorun.inf
type attrib -r -h -s
type del
Similarly repeat from steps 8 to 11 for all your hard disk partitions to remove the files created by the virus.

Note: Above procedure may seems cumbersome but proves to be of great help to repair your system, if none of your anti-virus tools is able to solve the problem and remove the infections caused by the virus.


BUBBLE BOY VIRUS discovered on November 9,1999.Also know as VBS/BubbleBoy@MM [McAfee], I-Worm.BubbleBoy [AVP], VBS_BUBBLEBOY [Trend], VBS/BubbleBoy.Worm [CA], VBS/BubbleBoy [Panda], VBS/BubbleBoy-A [Sophos]

Type: Worm, Virus

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP

VBS.BubbleBoy is a worm that works under Windows 98 and Windows 2000. The worm also works under Windows 95, but only if the Windows Scripting Host is installed. The worm only works with the English and Spanish versions of these operating systems, and does not work under Windows NT.
The computer must use Microsoft Outlook (or Express) with Internet Explorer 5 in order for the worm to propagate.
The worm utilizes a known security hole in Microsoft Outlook/IE5 to insert a script file, Update.hta, when the email is viewed. It is not necessary to detach and run an attachment.
Update.hta is placed in the Start Up folder. Therefore, the infection routine is not executed until the next time you Start your computer. Update.hta is a script file that uses MS Outlook to send the worm email message to everyone in the MS Outlook address book.
Patching the known security hole in Microsoft Outlook/IE5, prevents the worm from propagating. For further information regarding the security hole, please read the following Microsoft article: Microsoft has provided a patch to fix this problem at
The worm will not propagate if IE5 Internet security settings have been set to "High."



A Trojan Horse Virus is a common yet difficult to remove computer threat. This is a type of virus that attempts to make the user think that it is a beneficial application. A Trojan Horse virus works by hiding within a set of seemingly useful software programs. Once executed or installed in the system, this type of virus will start infecting other files in the computer. A Trojan Horse Virus is also usually capable of stealing important information from the user's computer. It will then send this information to Internet servers designated by the developer of the virus. The developer will then be able to gain a level of control over the computer through this Trojan virus. While these things take place, the user will notice that the infected computer has become very slow or unexpected windows pop up without any activity from the user. Later on, this will result to a computer crash. A Trojan Horse virus can spread in a number of ways. The most common means of infection is through email attachments. The developer of the virus usually uses various spamming techniques in order to distribute the virus to unsuspecting users. These emails contain attachments. Once the user opens the attachment, the Trojan Horse Virus immediately infects the system and performs the tasks mentioned above. Another method used by malware developers to spread their Trojan Horse viruses is via chat software such as Yahoo Messenger and Skype. Another method used by this virus in order to infect other machines is through sending copies of itself to the people in the address book of a user whose computer has already been infected by the virus. The best way to prevent a Trojan Horse Virus from entering and infecting your computer is to never open email attachments or files that have been sent by unknown senders. However, not all files we can receive are guaranteed to be virus-free. With this, a good way of protecting your PC against malicious programs such as this harmful application is to install and update an antivirus program.