What happen when your security software detected a Microsoft Windows Operating System file as a virus and deleted it forever from your Microsoft Windows? The answer is simple, your Microsoft Windows will not be able to boot, or the Operating System might restart itself in a continous cycle.

AVG 8 Security Suite Software

That what will happen if you happen to use Dutch, French, Italian, Portuguese or Spanish version of Microsoft Windows XP and AVG8 as your antivirus program, with recent virus definition file update.

AVG8 with the latest update file detected user32.dll, which is a crucial system file in Microsoft Windows XP as a trojan. Fortunately, AVG have fixed the problem immediately and casualty have been kept to a minimum

This is quite a shocking news considering the glitch came from a well know Security Product Manufacturer such as AVG.

See also:

• No related posts.

Intel has released a BIOS update with a fix for the Q35 bug that was used by rootkit researcher Joanna Rutkowska.

The affected Intel motherboard products for the Q35 bug are:

DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).

The Intel BIOS fix for the Q35 bug is now available for download at Intel Download Centre with severity ratings of “important”.

According to Intel Security Center for the Q35 bug:

A new BIOS update is available for select Intel desktop motherboards to ensure proper configuration settings. This change would prevent a malicious user from modifying software that is run in System Management Mode (SMM). SMM is a privileged operating environment running outside of OS control. Malicious software running in this environment could therefore perform any number of operations. Administrative level privileges are required to exploit this issue. BIOS updates to correct this issue are available for all affected Intel branded motherboards.

If you are using any of the motherboard listed above, you are advised to update your BIOS immediately.

Instructions on how to update the BIOS for Intel Motherboard that are affected with the Q35 bug are available at Intel website.

Intel BIOS update instructions.

See also:

• No related posts.

I received a system today with a message Yongyut Aunkaen appear in the Internet Explorer title bar. Without no doubt this Yongyut Aunkaen text is some kind of worm that hijacked the Internet Explorer. After doing some googling, I found out that this Yongyut Aunkaen is indeed a worm. This worm will display Yongyut Aunkaen in Internet Explorer title bar, will duplicate itself, and will disable user from double clicking the computer drives.

This worm will create the files MS32DLL.dll.vbs and autorun.inf in every computer drives on the system. This will enable the Yongyut Aunkaen worm to autorun every time the drive are double clicked.

To remove the Yongyut Aunkaen worm, follow steps below:

1. Download the vb script fix here.
2. Run the vb script fix.
3. Run the Task Manager (ctrl+alt+del) or (ctrl+shift+esc), kill the process “wscript.exe”.
4. Run My Computer > Control Panel > Folder Option.
5. Select view tab, choose “Show hidden files and folder” , uncheck “Hide protected operating system files”.
   
   
6. Go to C:\ drive , search and delete autorun.inf and MS32DLL.dll.vbs
7. Run registry editor. Start menu > run > regedit
8. Go to HKEY_LOCAL_MACHINE -> Software ->Microsoft ->Windows -> Current Version -> Run
9. Delete MS32DLL
10. Go to HKEY_CURRENT_USER -> Software -> Microsoft -> Internet Explorer -> Main
11. Delete Yongyut Aunkaen
12. Run Microsoft Configuration Utility. Start menu > run > msconfig
13. Go to startup tab > uncheck MS32DLL entry.
14. Restart your computer.

This will remove the Yongyut Aunkaen title from Internet Explorer bar, and remove the files autorun.inf and MS32DLL.dll.vbs that the Yongyut Aunkaen have created.

See also:

• No related posts.

Remote assistance in Microsoft Windows Vista is a nifty utility for troubleshooting system remotely. However, due to security reason, you might want to disable remote assistant in Microsoft Windows Vista. By disabling remote assistance in Microsoft Windows Vista, request for remote assistance to other users will be disabled.

Follow the steps below to disable remote assistance in Microsoft Windows Vista

1. Click start menu.
2. Select “Control Panel”.
3. Click “System and Maintenance”.
4. Click “System”.
5. Choose “Remote Settings”.
6. Under “Remote Assistance” , untick “Allow Remote Assistance connections to this computer”.
7. Click “Ok”.

See also:

• No related posts.

Not much is know about the KyrEnt Virus , except that most of its source code are similar to previous Brontox variant viruses, which originated from Indonesia. Even the executables that this KyrEnt Virus created use “My Documents” icons, similar to Brontox variant viruses. The KyrEnt Virus is known as KyRent due to fact that they are various “KyRent”string inside the virus.

The KyrEnt Virus will copy these files into the following directories:

c:\text.exe
c:\windows\windows.exe
c:\windows\WinSystem.exe
c:\windows\Win System.exe
c:\windows\windows.exe
c:\windows\WinSys32.exe
c:\windows\runrunrun.exe
c:\windows\SystemMonitor64.exe
c:\windows\MonitorSetup.exe
c:\windows\MonitorMission.run
c:\bootex.exe
d:\bootex.exe
c:\windows\system32\WindowsProtection.exe
c:\log.exe
c:\windows\winsystem.exe
c:\windows\explorer.exe
c:\windows\sysa.exe
c:\windows\sysb.exe

And will create the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_CLASSES_ROOT\folder\defaulticon
HKEY_CLASSES_ROOT\.run
HKEY_CLASSES_ROOT\*\shell\Run As\Command
HKEY_CLASSES_ROOT\Folder\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\Folder\shell\Search\Command
HKEY_CLASSES_ROOT\*\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\.doc\shell\new\command
HKEY_CLASSES_ROOT\.dot
HKEY_CLASSES_ROOT\.exed
HKEY_CLASSES_ROOT\exedfile
HKEY_CLASSES_ROOT\exedfile\DefaultIcon
HKEY_CLASSES_ROOT\exedfile\Shell\Open\Command
HKEY_CLASSES_ROOT\exedfile\Shell\Open
HKEY_CLASSES_ROOT\.ppa
HKEY_CLASSES_ROOT\.xlt
HKEY_CLASSES_ROOT\.mdb
HKEY_CLASSES_ROOT\.ldb
HKEY_CLASSES_ROOT\.db
HKEY_CLASSES_ROOT\.dbf
HKEY_CLASSES_ROOT\.dbl
HKEY_CLASSES_ROOT\.ttf
HKEY_CLASSES_ROOT\.fon
HKEY_CLASSES_ROOT\.cfg
HKEY_CLASSES_ROOT\cfgfile\shell\Open\command
HKEY_CLASSES_ROOT\cfgfile
HKEY_CLASSES_ROOT\cfgfile\shell\open\command
HKEY_CLASSES_ROOT\.bin
HKEY_CLASSES_ROOT\.cvd
HKEY_CLASSES_ROOT\.dat
HKEY_CLASSES_ROOT\.com
HKEY_CLASSES_ROOT\.exc
HKEY_CLASSES_ROOT\excfile\shell\open\command
HKEY_CLASSES_ROOT\excfile
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\excfile\DefaultIcon
HKEY_CLASSES_ROOT\htmlfile

The KyrEnt Virus will also modified your Microsoft Windows OEM informations, sound familliar? You guessed right, another Brontox Virus copycat.

The KyrEnt Virus will block programs or processes containing these texts:

Updatex, Updatingx, upgradex, pcmav, system restore, registry, Task Manager, System Configuration, Process Manager, hijack, process xp, Process View, Process Control, Process Explorer, Process Patrol, cmd xxxx, raypc, ntfs4dos, ntfs for dos, ntfs 4 dos, Confirm File Delete, Confirm Key Delete, Registry, Edit String, cleaner, Confirm Value Delete, Folder Option, control panel error, antivir, avast, clamav, nod32, norton, norman, mcafee, kaspersky, remover, curr proces, defender.

Whenever active, this KyrEnt Virus will display this text:

“Gita, gimana kabarmu?, kemana kamu pergi ?, aku merindukanmu, aku mohon kembalilah. By: Ir. Pluto“

With a black background on your screen. The text “Gita, gimana kabarmu?, kemana kamu pergi ?, aku merindukanmu, aku mohon kembalilah. By: Ir. Pluto” have been set to be always on top of your screen.

KyrEnt Remover

You can remove KyrEnt Virus using PCMAV antivirus developed by PC Media Indonesia. The current version is 1.1.

Download PCMAV 1.1 package

The password for the zip file is “badxp.com”

See also:

• No related posts.

Referring to my previous post regarding RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus , a blogger have created a solution cleaner and remover for this RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus

This RoMeO A.K.A ILLS [CIXENT] remover is design to remove entirely the RoMeO A.K.A ILLS [CIXENT] virus including the registry entries.

Download RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus remover here

* Credit to maniack.

See also:

• RoMeO A.K.A ILLS [CIXENT] (4)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)

Ever try to open a drive with double click and this error message pop up?

WINDOWS SCRIPT HOST, CANNOT FIND SCRIPT FILE “C:/Bha.dll.vbs

This “WINDOWS SCRIPT HOST, CANNOT FIND SCRIPT FILE “C:/Bha.dll.vbs” occur due to a worm infection known as VBS/ButSur-A . VBS/ButSur-A is a Visual Basic script worm for Microsoft Windows platform, and also known as

• VBS_BUTSUR.B
• VBS/Butsur.B

When active, VBS/ButSur-A:

1. Copies itself to C:\Windows\Bha.dll.vbs
2. Create the following registry entry:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   MS32DLL
   C:\Windows\Bha.dll.vbs
3. Add the following registry entry:
   HKCU\Software\Microsoft\Internet Explorer\Main\Window Title\
4. Copies itself to all removeable and shared drives as Bha.dll.vbs and creates the file autorun.inf.

This autorun.inf files will run the script Bha.dll.vbs everytime the removeable drive are open with double click. This VBS/ButSur-A, VBS_BUTSUR.B, VBS/Butsur.B can be easily remove by deleting the files and the registry entries that this VBS/ButSur-A, VBS_BUTSUR.B, VBS/Butsur.B worms created.

Alternatively you can download this nifty utility called the Flash Disinfector to enable you to disinfect and open your removable drive with double click.

Download Flash Disinfector

A popup message will appear, click “OK” to start the disinfection process. That’s all to it.

See also:

• RoMeO A.K.A ILLS [CIXENT] (4)
• Trixcu.A worm (1)
• The Genealogy of Virus (8)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] cleaner and remover (2)

This is virus is known as CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb] . This RoMeO A.K.A ILLS [CIXENT] copied these files to C:\WINDOWS\system32 folder:

C:\WINDOWS\system32\V3-Force.exe
C:\WINDOWS\system32\cipaplu.exe
C:\WINDOWS\system32\mycaption.reg
C:\WINDOWS\system32\butuhlu.bat
C:\WINDOWS\system32\forattrib.bat
C:\WINDOWS\system32\makedir.bat

and will change your C drive name to:

(C:) jadi RoMeO A.K.A ILLS [CIXENT]

RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb] will display a popup title:

Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!! x100 words

And will display a “51″ icon on the system tray.

The solutions to RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus is to delete all the files that it have copied, and delete all the registry entries containing the name of those files. To delete those registry entries:

1. Run regedit.
2. Click on the menu "Edit".
3. Choose "Find".
4. Type in the name of the files that the RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus have copied, and delete them.

Make sure to update your Antivirus or any other Malicious scanner program such as adware scanner or spyware scanner, and run a full scan using these Software after cleaning and removing this RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus manually.

virus cleaner and remover here.

See also:

• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)
• Trixcu.A worm (1)
• The Genealogy of Virus (8)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] cleaner and remover (2)

There are still some of my customer who are infected with Trixcu.A worm, also known as Flash.10.exe, Macromedia.10.exe or JambanMu.com.

I’ve written the details about this Trixcu.A worm in previous entry.

Since then, a lot of Trixcu.A worm have been released on the Internet. A search on google with the keywords such as Trixcu.A, Trixcu worm, Cmd.com, dxdiag.com, Ping.com, Msconfig.com, Regedit.com, Flash.10.exe, Macromedia.10.exe, JambanMu.com, Msn.msn, MY.SECRET.FOLD, NEW SONG.LAGU, NEW VIDEO.VIDZ, AWEKS.PIKZ, SERAM.PIKZ will bring you a lot of informations regarding this Trixcu.A worm.

I have been using this Trixcu.A fix which I have downloaded from some Forum (which I have forgotten which Forum it is). So far this Trixcu.A fix have been reliable and have done its job well. You can download the Trixcu.A fix below:

Download Trixcu.A fix, Flash.10.exe fix, Macromedia.10.exe fix here.

Run the Trixcu.A fix executable file, then reboot for the fix to take effect. Hopefully this Trixcu.A fix will provide a solutions to all your problems regarding this troublesome worm, including registry fixes.

See also:

• Trixcu.A worm (1)

What is the best antivirus software in the market nowadays? That is one of the most often ask question by my clients after their system have undergo an attack by malware, viruses, spyware, adware and trojans. Which so much antivirus programs to choose, which are the best for giving the most comprehensive virus protection?

Most IT Professional will recommend some Commercial Antivirus program from established companies, while others will recommend the free alternative for Antivirus program. For me, my answer will be fairly simple and straightforward, the best antivirus program is the one that is regularly updated and upgraded. It is true, whether you are using the commercial antivirus program, or the free antivirus programs out there, those antivirus programs will be useless if those antivirus programs are not regularly updated and upgraded.

So make sure you update your Antivirus programs regularly, if not daily, and don’t forget to install any upgrades available from the Antivirus manufacturer as soon as they are stable in their releases, for you to have the best Antivirus program protection.

Tags:

See also:

• Trixcu.A worm (1)
• The Genealogy of Virus (8)
• Descriptions of Malicious Programs (1)
• RoMeO A.K.A ILLS [CIXENT] (4)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)