AVG 8 Security Suite Software

That what will happen if you happen to use Dutch, French, Italian, Portuguese or Spanish version of Microsoft Windows XP and AVG8 as your antivirus program, with recent virus definition file update.

AVG8 with the latest update file detected user32.dll, which is a crucial system file in Microsoft Windows XP as a trojan. Fortunately, AVG have fixed the problem immediately and casualty have been kept to a minimum

This is quite a shocking news considering the glitch came from a well know Security Product Manufacturer such as AVG.

See also:

• No related posts.

This worm will create the files MS32DLL.dll.vbs and autorun.inf in every computer drives on the system. This will enable the Yongyut Aunkaen worm to autorun every time the drive are double clicked.

To remove the Yongyut Aunkaen worm, follow steps below:

1. Download the vb script fix here.
2. Run the vb script fix.
3. Run the Task Manager (ctrl+alt+del) or (ctrl+shift+esc), kill the process “wscript.exe”.
4. Run My Computer > Control Panel > Folder Option.
5. Select view tab, choose “Show hidden files and folder” , uncheck “Hide protected operating system files”.
   
   
6. Go to C:\ drive , search and delete autorun.inf and MS32DLL.dll.vbs
7. Run registry editor. Start menu > run > regedit
8. Go to HKEY_LOCAL_MACHINE -> Software ->Microsoft ->Windows -> Current Version -> Run
9. Delete MS32DLL
10. Go to HKEY_CURRENT_USER -> Software -> Microsoft -> Internet Explorer -> Main
11. Delete Yongyut Aunkaen
12. Run Microsoft Configuration Utility. Start menu > run > msconfig
13. Go to startup tab > uncheck MS32DLL entry.
14. Restart your computer.

This will remove the Yongyut Aunkaen title from Internet Explorer bar, and remove the files autorun.inf and MS32DLL.dll.vbs that the Yongyut Aunkaen have created.

See also:

• No related posts.

The KyrEnt Virus will copy these files into the following directories:

c:\text.exe
c:\windows\windows.exe
c:\windows\WinSystem.exe
c:\windows\Win System.exe
c:\windows\windows.exe
c:\windows\WinSys32.exe
c:\windows\runrunrun.exe
c:\windows\SystemMonitor64.exe
c:\windows\MonitorSetup.exe
c:\windows\MonitorMission.run
c:\bootex.exe
d:\bootex.exe
c:\windows\system32\WindowsProtection.exe
c:\log.exe
c:\windows\winsystem.exe
c:\windows\explorer.exe
c:\windows\sysa.exe
c:\windows\sysb.exe

And will create the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_CLASSES_ROOT\folder\defaulticon
HKEY_CLASSES_ROOT\.run
HKEY_CLASSES_ROOT\*\shell\Run As\Command
HKEY_CLASSES_ROOT\Folder\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\Folder\shell\Search\Command
HKEY_CLASSES_ROOT\*\shell\Scan for Virus\Command
HKEY_CLASSES_ROOT\.doc\shell\new\command
HKEY_CLASSES_ROOT\.dot
HKEY_CLASSES_ROOT\.exed
HKEY_CLASSES_ROOT\exedfile
HKEY_CLASSES_ROOT\exedfile\DefaultIcon
HKEY_CLASSES_ROOT\exedfile\Shell\Open\Command
HKEY_CLASSES_ROOT\exedfile\Shell\Open
HKEY_CLASSES_ROOT\.ppa
HKEY_CLASSES_ROOT\.xlt
HKEY_CLASSES_ROOT\.mdb
HKEY_CLASSES_ROOT\.ldb
HKEY_CLASSES_ROOT\.db
HKEY_CLASSES_ROOT\.dbf
HKEY_CLASSES_ROOT\.dbl
HKEY_CLASSES_ROOT\.ttf
HKEY_CLASSES_ROOT\.fon
HKEY_CLASSES_ROOT\.cfg
HKEY_CLASSES_ROOT\cfgfile\shell\Open\command
HKEY_CLASSES_ROOT\cfgfile
HKEY_CLASSES_ROOT\cfgfile\shell\open\command
HKEY_CLASSES_ROOT\.bin
HKEY_CLASSES_ROOT\.cvd
HKEY_CLASSES_ROOT\.dat
HKEY_CLASSES_ROOT\.com
HKEY_CLASSES_ROOT\.exc
HKEY_CLASSES_ROOT\excfile\shell\open\command
HKEY_CLASSES_ROOT\excfile
HKEY_CLASSES_ROOT\exefile\shell\open\command
HKEY_CLASSES_ROOT\excfile\DefaultIcon
HKEY_CLASSES_ROOT\htmlfile

The KyrEnt Virus will also modified your Microsoft Windows OEM informations, sound familliar? You guessed right, another Brontox Virus copycat.

The KyrEnt Virus will block programs or processes containing these texts:

Updatex, Updatingx, upgradex, pcmav, system restore, registry, Task Manager, System Configuration, Process Manager, hijack, process xp, Process View, Process Control, Process Explorer, Process Patrol, cmd xxxx, raypc, ntfs4dos, ntfs for dos, ntfs 4 dos, Confirm File Delete, Confirm Key Delete, Registry, Edit String, cleaner, Confirm Value Delete, Folder Option, control panel error, antivir, avast, clamav, nod32, norton, norman, mcafee, kaspersky, remover, curr proces, defender.

Whenever active, this KyrEnt Virus will display this text:

“Gita, gimana kabarmu?, kemana kamu pergi ?, aku merindukanmu, aku mohon kembalilah. By: Ir. Pluto“

With a black background on your screen. The text “Gita, gimana kabarmu?, kemana kamu pergi ?, aku merindukanmu, aku mohon kembalilah. By: Ir. Pluto” have been set to be always on top of your screen.

KyrEnt Remover

You can remove KyrEnt Virus using PCMAV antivirus developed by PC Media Indonesia. The current version is 1.1.

Download PCMAV 1.1 package

The password for the zip file is “badxp.com”

See also:

• How To Remove Anti-Virus 2009 (25)

Download RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus remover here

* Credit to maniack.

See also:

• RoMeO A.K.A ILLS [CIXENT] (5)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)

WINDOWS SCRIPT HOST, CANNOT FIND SCRIPT FILE “C:/Bha.dll.vbs

This “WINDOWS SCRIPT HOST, CANNOT FIND SCRIPT FILE “C:/Bha.dll.vbs” occur due to a worm infection known as VBS/ButSur-A . VBS/ButSur-A is a Visual Basic script worm for Microsoft Windows platform, and also known as

• VBS_BUTSUR.B
• VBS/Butsur.B

When active, VBS/ButSur-A:

1. Copies itself to C:\Windows\Bha.dll.vbs
2. Create the following registry entry:
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   MS32DLL
   C:\Windows\Bha.dll.vbs
3. Add the following registry entry:
   HKCU\Software\Microsoft\Internet Explorer\Main\Window Title\
4. Copies itself to all removeable and shared drives as Bha.dll.vbs and creates the file autorun.inf.

This autorun.inf files will run the script Bha.dll.vbs everytime the removeable drive are open with double click. This VBS/ButSur-A, VBS_BUTSUR.B, VBS/Butsur.B can be easily remove by deleting the files and the registry entries that this VBS/ButSur-A, VBS_BUTSUR.B, VBS/Butsur.B worms created.

Alternatively you can download this nifty utility called the Flash Disinfector to enable you to disinfect and open your removable drive with double click.

Download Flash Disinfector

A popup message will appear, click “OK” to start the disinfection process. That’s all to it.

See also:

• RoMeO A.K.A ILLS [CIXENT] (5)
• Trixcu.A worm (1)
• The Genealogy of Virus (9)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] cleaner and remover (3)

C:\WINDOWS\system32\V3-Force.exe
C:\WINDOWS\system32\cipaplu.exe
C:\WINDOWS\system32\mycaption.reg
C:\WINDOWS\system32\butuhlu.bat
C:\WINDOWS\system32\forattrib.bat
C:\WINDOWS\system32\makedir.bat

and will change your C drive name to:

(C:) jadi RoMeO A.K.A ILLS [CIXENT]

RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb] will display a popup title:

Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!!Jeng!!! x100 words

And will display a “51″ icon on the system tray.

The solutions to RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus is to delete all the files that it have copied, and delete all the registry entries containing the name of those files. To delete those registry entries:

1. Run regedit.
2. Click on the menu "Edit".
3. Choose "Find".
4. Type in the name of the files that the RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus have copied, and delete them.

Make sure to update your Antivirus or any other Malicious scanner program such as adware scanner or spyware scanner, and run a full scan using these Software after cleaning and removing this RoMeO A.K.A ILLS [CIXENT] or CIXENT Corp [CIXENT.V3.Force.LovePart.Small.vb virus manually.

virus cleaner and remover here.

See also:

• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)
• Trixcu.A worm (1)
• The Genealogy of Virus (9)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] cleaner and remover (3)

Since then, a lot of Trixcu.A worm have been released on the Internet. A search on google with the keywords such as Trixcu.A, Trixcu worm, Cmd.com, dxdiag.com, Ping.com, Msconfig.com, Regedit.com, Flash.10.exe, Macromedia.10.exe, JambanMu.com, Msn.msn, MY.SECRET.FOLD, NEW SONG.LAGU, NEW VIDEO.VIDZ, AWEKS.PIKZ, SERAM.PIKZ will bring you a lot of informations regarding this Trixcu.A worm.

I have been using this Trixcu.A fix which I have downloaded from some Forum (which I have forgotten which Forum it is). So far this Trixcu.A fix have been reliable and have done its job well. You can download the Trixcu.A fix below:

Download Trixcu.A fix, Flash.10.exe fix, Macromedia.10.exe fix here.

Run the Trixcu.A fix executable file, then reboot for the fix to take effect. Hopefully this Trixcu.A fix will provide a solutions to all your problems regarding this troublesome worm, including registry fixes.

See also:

• Trixcu.A worm (1)

So make sure you update your Antivirus programs regularly, if not daily, and don’t forget to install any upgrades available from the Antivirus manufacturer as soon as they are stable in their releases, for you to have the best Antivirus program protection.

Tags:

See also:

• Trixcu.A worm (1)
• The Genealogy of Virus (9)
• Descriptions of Malicious Programs (1)
• RoMeO A.K.A ILLS [CIXENT] (5)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)

Network Worms
This category includes programs that propagate via LANs or the Internet with the following objectives:

• Penetrating remote machines
• Launching copies on victim machines
• Spreading further to new machines

Worms use different networking systems to propagate: email, instant messaging, file-sharing (P2P), IRC channels, LANs, WANs and so forth.

Most existing worms spread as files in one form or another - email attachments, in ICQ or IRC messages, links to files stored on infected websites or FTP servers, files accessible via P2P networks and so on.

There are a small number of so-called fileless or packet worms; these spread as network packets and directly penetrate the RAM of the victim machine, where the code is then executed.

Worms use a variety of methods for penetrating victim machines and subsequently executing code, including:

• Social engineering; emails that encourage recipients to open the attachment
• Poorly configured networks; networks that leave local machines open to access from outside the network
• Vulnerabilities in operating systems and applications

Today’s malware is often a composite creation: worms now often include Trojan functions or are able to infect exe files on the victim machine. They are no longer pure worms, but blended threats.

Classic Viruses
This class of malicious programs covers programs that spread copies of themselves throughout a single machine in order to:

• Launch and/or execute this code once a user fulfills a designated action
• Penetrate other resources within the victim machine

Unlike worms, viruses do not use network resources to penetrate other machines. Copies of viruses can penetrate other machines only if an infected object is accessed and the code is launched by a user on an uninfected machine. This can happen in the following ways:

• The virus infects files on a network resource that other users can access
• The virus infects removable storage media which are then attached to a clean machine
• The user attaches an infected file to an email and sends it to a ‘healthy’ recipient

Viruses are sometimes carried by worms as additional payloads or they can themselves include backdoor or Trojan functionality which destroy data on an infected machine.

Trojan Programs
This class of malware includes a wide variety of programs that perform actions without the user’s knowledge or consent: collecting data and sending it to a cyber criminal, destroying or altering data with malicious intent, causing the computer to malfunction, or using a machine’s capabilities for malicious or criminal purposes, such as sending spam.

A subset of Trojans damage remote machines or networks without compromising infected machines; these are Trojans that utilize victim machines to participate in a DoS attack on a designated web site.

Hacker Utilities and other malicious programs
This diverse class includes:

• Utilities such as constructors that can be used to create viruses, worms and Trojans
• Program libraries specially developed to be used in creating malware
• Hacker utilities that encrypt infected files to hide them from antivirus software
• Jokes that interfere with normal computer function
• Programs that deliberately misinform users about their actions in the system
• Other programs that are designed to directly or indirectly damage local or networked machines

See also:

• The best antivirus program (2)
• Trixcu.A worm (1)
• The Genealogy of Virus (9)
• RoMeO A.K.A ILLS [CIXENT] (5)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)

1. Trixcu.A creates the following files in the Windows system directory (C:\Windows\System32),:
   - Cmd.com
   - Dxdiag.com
   - Flash.10.exe
   - JambanMu.com
   - Msconfig.com
   - Ping.com
   - Regedit.com
2. Trixcu.A create the following file in C:\Program Files\Common Files\Microsoft Shared
   - Macromedia.10.exe
3. Trixcu.A create the following file in C:\Program Files\Common Files\Microsoft Shared\DAO
   - Msn.msn
4. Trixcu.A create the following file in C:\Documents and Settings\(User)\Start Menu\Programs\Startup
   - (Empty).empty
5. Trixcu.A will delete all the programs in the Startup directory to disable those programs to run whenever Windows is started.
6. Trixcu.A create the following Folder:
   - MY.SECRET.FOLD in My Documents
   - NEW SONG.LAGU and NEW VIDEO.VIDZ in My Document\My Music
   - AWEKS.PIKZ and SERAM.PIKZ in My Documents\My Pictures

Trixcu.A create the following entries in the Windows Registry:

1. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Run
   Windows MSN = C:\Program Files\Common Files\Microsoft Shared\DAO\MSN.msn
   By creating this entry, Trixcu.A ensures that it is run whenever Windows is started.
2. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
   NoFind = 01, 00, 00, 00
   It disables the option Find of the Start menu.
3. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ Explorer
   NoFolderOptions = 01, 00, 00, 00
   It disables the option Folder Options of the Start menu.
4. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System\ DisableRegistryTools = 01, 00, 00, 00
   It doesn’t allow the Windows Registry Editor to be run.
5. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System DisableCMD = 01, 00, 00, 00
   It doesn’t allow the CMD shell to be run.
6. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Policies\ System
   DisableTaskMgr = 01, 00, 00, 00
   It prevents the Task Manager from being run.
7. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ Date
   (Default) = 070617
8. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ MsgDate
   (Default) = 070701
9. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ MsgMkr
   (Default) = 0
10. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ FUCK AZAM
    (Default) = THIS GUY SHIT HEAD!!BIG LIER!!FUCKING GAY!!
11. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ FUCK DZULKIFLI
    (Default) = THIS GUY PIG HEAD!!!!U FUCKED EVERYBODY!!
12. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ JambanMuV2\ FUCK ZAWAWI
    (Default) = THIS GUY DICK HEAD!!!NOBODY LIKES U!!!

Trixcu.A modifies the following registry entries

1. HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon
   Shell = Explorer.exe
   It changes this entry to:
   HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon
   Shell = Explorer.exe %sysdir%\JambanMu.com
   where %sysdir% is the Windows system directory.
2. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows NT\ CurrentVersion\ Windows
   load
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows NT\ CurrentVersion\ Windows
   load = Flash.10.exe
   By modifying these entries, Trixcu.A ensures that it is run whenever Windows is started.
3. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   Hidden = 01, 00, 00, 00
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   Hidden = 00, 00, 00, 00
   By modifying this entry, Trixcu.A hides the files and subfolders that have the attribute hidden.
4. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   HideFileExt = 00, 00, 00, 00
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   HideFileExt = 01, 00, 00, 00
   By modifying this entry, Trixcu.A hides the extensions of the files.
5. HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   ShowSuperHidden = 01, 00, 00, 00
   It changes this entry to:
   HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ Advanced
   ShowSuperHidden = 00, 00, 00, 00
6. HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOwner = %name with which the system is registered%
   It changes this entry to:
   HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOwner = JambanMuV2
7. HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOrganization = %name of the organization with which the system is registered%
   It changes this entry to:
   HKEY_LOCAL_MACHINE\ Software\ Microsoft\ Windows NT\ CurrentVersion
   RegisteredOrganization = HELP ME!!.html
   By modifying these entries, Trixcu.A changes the names with which the operating system and the organization are registered.

Trixcu.A created files can be remove manually or automatically by most of Antivirus, just make sure you update your virus definition files. The registry entry have to be remove manually though.

See also:

• The Genealogy of Virus (9)
• The best antivirus program (2)
• RoMeO A.K.A ILLS [CIXENT] (5)
• Remove VBS/ButSur-A or BHA.DLL.VBS fix (6)
• Descriptions of Malicious Programs (1)