
Sunday, September 4, 2011

How to Remove the Yahoo Messenger Virus

The Yahoo Messenger virus keeps itself up to date much the way an antivirus program does, by downloading new files from a predetermined list of websites. That is why getting rid of it is fairly difficult.

Here are 9 steps for cleaning one of the most vicious and disruptive viruses around.

1. Disconnect the computer you are about to clean from the local network and from the Internet, so the virus cannot spread or download fresh components while you work.

2. Rename the file C:\Windows\system32\msvbvm60.dll to xmsvbvm60.dll. This is the Visual Basic 6 runtime the virus depends on, so renaming it prevents the virus from reactivating during the cleaning process. Rename it back when you are done, or other Visual Basic 6 programs on the machine will stop working.

3. Do the cleaning from the Windows Live CD "Mini PE". Some of the main virus files and the rootkit components masquerade as services and drivers and are hidden by the virus while the infected Windows is running, which makes them difficult to delete from inside it. Download the software from http://soft-rapidshare.com/2009/11/10/minipe-xt-v2k50903.html
Then boot the computer from the Mini PE Live CD and delete the main virus files as follows:
a. Click [Mini PE2XT]
b. Click [Programs]
c. Click [File Management]
d. Click [Windows Explorer]
e. Then delete the following files (check the listing from the Live CD rather than what Explorer showed before the reboot, since the virus hides these files from a running Windows):
-  In C:\Windows\System32:
   -  wmi%xxx%.exe, where %xxx% is a run of random characters (examples: wmispqd.exe, wmisrwt.exe, wmistpl.exe or wmisfpj.exe); the file size varies with the variant that infected the computer.
   -  %xxx%.exe@, where %xxx% is random (example: qxzv85.exe@), again with a size that depends on the variant.
   -  secupdat.dat
-  In C:\Documents and Settings\%username%:
   -  %xx%.exe, where %xx% is random (example: rllx.exe), about 6 KB or 16 KB depending on the variant.
   -  secupdat.dat
-  In C:\Windows\System32\drivers:
   -  kernelx86.sys
   -  %xx%.sys, where %xx% is random, about 40 KB (examples: mojbtjlt.sys or cvxqvksf.sys)
   -  ndisvvan.sys
   -  krndrv32.sys
-  In C:\Windows\INF:
   -  netsf.inf
   -  netsf_m.inf

4. Remove the registry entries created by the virus, using the "Avast! Registry Editor":
a. Click [Mini PE2XT]
b. Click [Programs]
c. Click [Registry Tools]
d. Click [Avast! Registry Editor]
e. If a confirmation screen appears, click the "Load..." button
f. Then delete the following registry keys and values:
-  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe
-  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kernelx86
-  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kernelx86
-  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\passthru
-  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
   (This Image File Execution Options key is what lets the virus run in place of the genuine ctfmon.exe whenever that program starts.)
-  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%xx%
-  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%xx%
   (Example: wmistpl.exe)
and restore the following values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon:
-  Change the string value Userinit back to: userinit.exe, (on a stock Windows XP installation the value is C:\WINDOWS\system32\userinit.exe, including the trailing comma)
-  Change the string value Shell back to: Explorer.exe
Note: %xx% is a run of random characters; this service key is what loads the 40 KB .SYS file in C:\Windows\system32\drivers\.

5. Restart the computer and repair the remaining registry changes made by the virus. Copy the following script into Notepad, save it as repair.inf, then right-click repair.inf and click Install:
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM, 0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallDisableNotify, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, AntiVirusOverride, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Security Center, FirewallOverride, 0x00010001, 0
HKLM, SYSTEM\ControlSet001\Control\LSA, RestrictAnonymous, 0x00010001, 0
HKLM, SYSTEM\ControlSet002\Control\LSA, RestrictAnonymous, 0x00010001, 0
HKLM, SYSTEM\CurrentControlSet\Control\LSA, RestrictAnonymous, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue, 0x00010001, 1
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
In the [del] section, mojbtjlt is only the example driver name from step 3. Replace it with the random %xx% name you actually found in C:\Windows\System32\drivers, otherwise the service entry for your variant will survive the cleanup.

6. Fix the registry so the computer can boot into "Safe Mode with Command Prompt" again: download the file FixSafeBoot.reg (for Windows XP) and import it as follows:
- Click [Start]
- Click [Run]
- Type Regedit.exe and click [OK]
- In "Registry Editor", click the menu [File | Import]
- Select the .REG file you just downloaded
- Click [Open]

7. Delete temporary files and temporary Internet files. Use the tool ATF-Cleaner for this.

8. Restore the Windows hosts file, which the virus modified. You can use the tool Hoster: click [Restore MS Hosts File] to restore the Windows hosts file. Afterwards, open C:\Windows\System32\drivers\etc\hosts in Notepad and confirm that the only active entry is 127.0.0.1 localhost, which is all a stock Windows XP installation contains.

9. For a thorough cleaning and to prevent re-infection, scan with an up-to-date antivirus that is able to detect this virus. You can also use the tool Norman_Malware_Cleaner.exe.
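As an added example, not part of the original post and not a Vaksincom tool, the Python script below turns the file list from step 3 and the registry work from steps 4 and 5 into an offline triage check: scan() walks a Windows directory tree for the listed indicators, and registry_deviations() compares a set of exported HKLM values against what repair.inf restores. The name patterns (wmi plus four letters, eight-letter .sys names, and so on), the size tolerances, the allow-list of legitimate wmi*.exe binaries, and the sample tree and registry snapshot are all assumptions or constructed test data made here, not facts from the post. Treat every hit as a candidate to confirm by hash or Authenticode signature, not as something to delete blindly.

```python
"""Added triage helper, not the post's own code: flags the file and registry indicators
the post lists.  Name patterns are inferred from the post's examples (assumption: the
random parts are lower-case letters); confirm every hit by hash or signature first."""
import os
import re
import tempfile

FIXED_SECUPDAT = {"secupdat.dat"}                  # fixed names, lower-cased (System32 + profile)
FIXED_DRIVERS = {"kernelx86.sys", "ndisvvan.sys", "krndrv32.sys"}
FIXED_INF = {"netsf.inf", "netsf_m.inf"}
WMI_EXE = re.compile(r"^wmi[a-z]{4}\.exe$")        # wmispqd.exe, size varies
AT_EXE = re.compile(r"^[a-z0-9]+\.exe@$")          # qxzv85.exe@, size varies
RAND_SYS = re.compile(r"^[a-z]{8}\.sys$")          # mojbtjlt.sys, about 40 KB
RAND_EXE = re.compile(r"^[a-z]{2,8}\.exe$")        # rllx.exe, about 6 or 16 KB
WMI_ALLOW = {"wmiadap.exe", "wmiapsrv.exe", "wmiprvse.exe"}  # legitimate WMI_EXE matches

def near(size, *kbs, tol=0.25):
    """True if size (bytes) is within tol of any of the given kilobyte values."""
    return any(abs(size - kb * 1024) <= tol * kb * 1024 for kb in kbs)

def _check(dirname, fixed, rules, allow=frozenset()):
    """Yield (path, reason) for files in dirname hitting a fixed name or a (pattern, size) rule."""
    for name in (sorted(os.listdir(dirname)) if os.path.isdir(dirname) else []):
        path, low = os.path.join(dirname, name), name.lower()
        if not os.path.isfile(path) or low in allow:
            continue
        if low in fixed:
            yield path, "fixed name from the indicator list"
            continue
        for pattern, size_ok, reason in rules:
            if pattern.match(low) and size_ok(os.path.getsize(path)):
                yield path, reason
                break

def scan(windows_root, profile_root):
    """Return [(path, reason)] for every indicator found under the two roots."""
    sys32 = os.path.join(windows_root, "System32")
    hits = list(_check(sys32, FIXED_SECUPDAT, [
        (WMI_EXE, lambda s: True, "wmi????.exe dropper"),
        (AT_EXE, lambda s: True, "random .exe@ dropper")], WMI_ALLOW))
    hits += _check(os.path.join(sys32, "drivers"), FIXED_DRIVERS,
                   [(RAND_SYS, lambda s: near(s, 40), "random 8-letter .sys, ~40 KB")])
    hits += _check(os.path.join(windows_root, "INF"), FIXED_INF, [])
    hits += _check(profile_root, FIXED_SECUPDAT,
                   [(RAND_EXE, lambda s: near(s, 6, 16), "random .exe in profile, ~6/16 KB")])
    return hits

# Known-good HKLM values repair.inf restores (stock XP has Userinit = C:\WINDOWS\system32\userinit.exe,).
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES = r"SYSTEM\CurrentControlSet\Services"
EXPECTED = {
    WINLOGON + r"\Shell": {"explorer.exe"},
    WINLOGON + r"\Userinit": {"userinit.exe,", r"c:\windows\system32\userinit.exe,"},
    r"SOFTWARE\Classes\exefile\shell\open\command\(Default)": {'"%1" %*'},
    r"SOFTWARE\Classes\regfile\shell\open\command\(Default)": {'regedit.exe "%1"'},
}
MUST_BE_GONE = [  # keys the post deletes; anything still under them means cleanup is unfinished
    SERVICES + r"\kernelx86", SERVICES + r"\passthru",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe",
]

def registry_deviations(snapshot):
    """snapshot maps HKLM-relative 'key\\valuename' to its data.  Returns a list of problems."""
    low = {k.lower(): v for k, v in snapshot.items()}
    problems = [f"{p} = {low.get(p.lower(), '')!r}, expected one of {sorted(g)}"
                for p, g in EXPECTED.items() if low.get(p.lower(), "").strip().lower() not in g]
    return problems + [f"{p} still present" for p in MUST_BE_GONE
                       if any(k.startswith(p.lower()) for k in low)]

def build_sample_tree():
    """Constructed Windows-like tree: indicators plus decoys that must not be flagged."""
    root = tempfile.mkdtemp()
    files = {  # relative path -> size in bytes (all constructed)
        "Windows/System32/wmispqd.exe": 7 * 1024,            # dropper
        "Windows/System32/wmiadap.exe": 150 * 1024,          # legitimate, allow-listed
        "Windows/System32/qxzv85.exe@": 5 * 1024,            # dropper
        "Windows/System32/secupdat.dat": 300,                # fixed name
        "Windows/System32/drivers/mojbtjlt.sys": 40 * 1024,  # rootkit driver, ~40 KB
        "Windows/System32/drivers/atapi.sys": 95 * 1024,     # legitimate decoy
        "Windows/INF/netsf.inf": 2 * 1024,                   # fixed name
        "user/rllx.exe": 6 * 1024,                           # per-user dropper
        "user/setup.exe": 2 * 1024 * 1024,                   # decoy: name fits, size does not
    }
    for rel, size in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return os.path.join(root, "Windows"), os.path.join(root, "user")

INFECTED_SNAPSHOT = {  # constructed HKLM export of a half-cleaned machine
    WINLOGON + r"\Shell": "Explorer.exe, wmistpl.exe",
    WINLOGON + r"\Userinit": r"userinit.exe,C:\WINDOWS\system32\wmistpl.exe,",
    r"SOFTWARE\Classes\exefile\shell\open\command\(Default)": '"%1" %*',
    r"SOFTWARE\Classes\regfile\shell\open\command\(Default)": 'regedit.exe "%1"',
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe": r"C:\WINDOWS\system32\wmistpl.exe",
    SERVICES + r"\kernelx86\ImagePath": r"system32\drivers\kernelx86.sys",
}

if __name__ == "__main__":
    print(*scan(*build_sample_tree()), sep="\n")
    print(*registry_deviations(INFECTED_SNAPSHOT), sep="\n")
```

Running the file prints the six hits from the constructed tree (the allow-listed wmiadap.exe, the 5-letter atapi.sys and the 2 MB setup.exe are correctly left alone) and four registry problems: the hijacked Shell and Userinit values, the leftover kernelx86 service and the Run\ctfmon.exe entry. To use it for real, call scan() with the drive letter the Live CD assigns to the infected system (for example scan(r"D:\Windows", r"D:\Documents and Settings\<user>")) and feed registry_deviations() values read from the loaded offline hive; the size filter is what keeps short-named legitimate programs such as setup.exe out of the results, which is why the post quotes sizes alongside the random names.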

