Saturday, May 23, 2009

How to Remove the Coutsonif.A Virus on YM

Yahoo Messenger and Skype users should be on the alert for the Coutsonif.A virus. It spreads by sending a message to every contact in the address list of the messaging application on the infected computer.

At a glance the message looks like an ordinary chat message, but do not click the link, even though it appears to come from a friend. The message was not sent by your friend; it was sent by the virus, which has already infected your friend's computer.

Once a computer is infected, the virus automatically creates files with random names and the extensions .tmp and .exe in the directory [C:\Documents and Settings\%username%\Local Settings\Temp]; the names differ from one machine to the next.

There are 6 steps to remove the virus:

1. Disable 'System Restore' during the cleaning process, so the virus is not brought back from a restore point.
2. Disable Windows Autoplay, so the virus cannot start automatically when a drive or flash disk is opened.
  • - Click 'Start'
  • - Click 'Run'
  • - Type 'GPEDIT.MSC', without quotes, and press Enter. The 'Group Policy' window opens.
  • - Under 'Computer Configuration' (and again under 'User Configuration'), click 'Administrative Templates'
  • - Click 'System'
  • - Right-click 'Turn off Autoplay' and select 'Properties'. The 'Turn off Autoplay Properties' window opens.
  • - On the 'Setting' tab, select 'Enabled'
  • - In the 'Turn off Autoplay on' list, select 'All drives'
  • - Click 'OK'
  This policy only writes the NoDriveTypeAutoRun registry value. On Windows XP that value blocks autorun.inf reliably only once Microsoft's AutoRun update from February 2009 (KB967715) is installed, so make sure Windows Update is current as well.
3. Kill the virus processes. Use the 'Security Task Manager' tool and remove the files [sysmgr.exe, vshost.exe, winservices.exe, *.tmp].
Note that the .tmp processes show up with the TMP extension and a random name [example: 5755.tmp]. Right-click the file, select 'Remove', then select the option 'Move files to Quarantine'.

4. Repair the registry entries that the virus modified.
To speed up the cleanup, copy the script below into Notepad and save it as repair.inf. Then run it as follows: right-click repair.inf and select 'Install'. The section headers ([Version], [DefaultInstall] and the two section names they refer to) must be present, or Windows will silently ignore the file. The [UnhookRegKey] section puts back the normal handlers for .bat, .com, .exe, .pif, .reg and .scr files (the virus had pointed them at itself so that it ran every time a program was started), restores the Winlogon shell to Explorer.exe and resets the Explorer sound events; the [del] section removes the virus's two autostart entries and the MaxUserPort value it added.

; repair.inf - registry repair for Coutsonif.A
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore hijacked file-type handlers, the Winlogon shell and Explorer sounds.
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, SessionInformation, ProgramCount, 0x00010001,3
HKCU, AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current,,,"C:\WINDOWS\media\Windows XP Pop-up Blocked.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.Current,,,"C:\Windows\media\Windows XP Recycle.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\Navigating\.Current,,,"C:\Windows\media\Windows XP Start.wav"
HKCU, AppEvents\Schemes\Apps\Explorer\SecurityBand\.current,,,"C:\WINDOWS\media\Windows XP Information Bar.wav"

; Delete the virus's autostart values and the MaxUserPort value it added.
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microsoft(R) System Manager
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, bMaxUserPortWindows Service help
HKLM, SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, MaxUserPort

5. Delete the following virus files (where marked, the file exists in the root of every drive):
  • - C:\vshost.exe [all drives]
  • - C:\autorun.inf [all drives]
  • - C:\RECYCLER\S-1-5-21-9949614401-9544371273-983011715-7040\winservices.exe
  • - In C:\Documents and Settings\%username%\Local Settings\Temp:
      A415.tmp [random]
      034.exe [random]
      Lady_Eats_Her_Shit -
  • - C:\WINDOWS\system32\sysmgr.exe
  • - C:\WINDOWS\Temp\5755.tmp
  • - C:\windows\system32\crypts.dll
  • - C:\windows\system32\msvcrt2.dll

6. For a thorough clean and to prevent re-infection, use an antivirus product that can detect and remove this virus.
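As an added example (not code from the original post or from Vaksincom), the PowerShell script below audits, read-only, every indicator the six steps above deal with: the hijacked file-type handlers and Winlogon shell that repair.inf restores, the Autoplay policy, the two autostart entries, the dropped files, autorun.inf and vshost.exe in each drive root, winservices.exe under RECYCLER, and the random-named .tmp droppers in the Temp folder. It assumes Windows PowerShell 3.0 or later run as administrator; the "clean" values are the ones repair.inf writes, the file and Run-entry names are the ones the post lists, and the MZ-header test for .tmp files is an extra check of my own, not something the post describes.

```powershell
# Added example (not code from the original post or from Vaksincom): read-only
# audit of the indicators the six steps above deal with. Run it in an elevated
# Windows PowerShell (3.0 or later assumed) before cleaning, to see what the worm
# changed, and again afterwards, to confirm the repair took. It changes nothing.
# The "clean" values are those repair.inf writes; the file and Run-entry names
# are the ones the post lists. The MZ-header test in section 7 is an added check.

$findings = New-Object System.Collections.Generic.List[string]

# 1. File-type handlers. A clean Windows XP value is "%1" %* (regedit.exe "%1"
#    for .reg files); anything else makes every .exe/.bat/.scr launch run the worm.
$cleanHandlers = @{
    batfile = '"%1" %*'; comfile = '"%1" %*'; exefile = '"%1" %*'
    piffile = '"%1" %*'; scrfile = '"%1" %*'; regfile = 'regedit.exe "%1"'
}
foreach ($type in $cleanHandlers.Keys) {
    $key = "HKLM:\SOFTWARE\Classes\$type\shell\open\command"
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($val -ne $cleanHandlers[$type]) {
        $findings.Add("$type handler is '$val', expected '$($cleanHandlers[$type])'")
    }
}

# 2. Winlogon Shell must be exactly Explorer.exe; the worm adds its own loader here.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -ne 'Explorer.exe') { $findings.Add("Winlogon Shell is '$shell', expected 'Explorer.exe'") }

# 3. Autoplay policy. 'Turn off Autoplay' for all drives sets NoDriveTypeAutoRun = 0xFF
#    under Policies\Explorer in HKLM (Computer Configuration) and HKCU (User Configuration).
foreach ($hive in 'HKLM', 'HKCU') {
    $pol = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -ErrorAction SilentlyContinue
    if ($null -eq $pol -or $pol.NoDriveTypeAutoRun -ne 0xFF) {
        $findings.Add("$hive NoDriveTypeAutoRun is not 0xFF: Autoplay is still on for some drive types")
    }
}

# 4. Autostart entries the post names (repair.inf's DelReg section removes them).
$wormRunNames = 'Microsoft(R) System Manager', 'bMaxUserPortWindows Service help'
foreach ($hive in 'HKLM', 'HKCU') {
    $run = Get-ItemProperty "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($name in $wormRunNames) {
        if ($run -and $run.PSObject.Properties[$name]) {
            $findings.Add("$hive Run entry '$name' -> $($run.$name)")
        }
    }
}

# 5. Dropped files at fixed locations.
foreach ($f in "$env:windir\system32\sysmgr.exe", "$env:windir\system32\crypts.dll",
               "$env:windir\system32\msvcrt2.dll") {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 6. Per-drive droppers: autorun.inf and vshost.exe in every drive root, and
#    winservices.exe under RECYCLER. For autorun.inf, report the open= and
#    shellexecute= lines so you see what it would launch, without running it.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($name in 'autorun.inf', 'vshost.exe') {
        $p = Join-Path $drive.Root $name
        if (Test-Path -LiteralPath $p) {
            $findings.Add("file present: $p")
            if ($name -eq 'autorun.inf') {
                Get-Content -LiteralPath $p -ErrorAction SilentlyContinue |
                    Where-Object { $_ -match '^\s*(open|shellexecute)\s*=' } |
                    ForEach-Object { $findings.Add("    $p launches: $($_.Trim())") }
            }
        }
    }
    Get-ChildItem -LiteralPath (Join-Path $drive.Root 'RECYCLER') -Filter winservices.exe `
                  -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("file present: $($_.FullName)") }
}

# 7. Random-named .tmp droppers in %TEMP%. A genuine .tmp is not a program, so a
#    .tmp whose first two bytes are the "MZ" executable header is a dropper in disguise.
foreach ($tmp in Get-ChildItem -LiteralPath $env:TEMP -Filter *.tmp -File -ErrorAction SilentlyContinue) {
    try {
        $fs  = [System.IO.File]::OpenRead($tmp.FullName)
        $hdr = New-Object byte[] 2
        $n   = $fs.Read($hdr, 0, 2)
        $fs.Close()
        if ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
            $findings.Add("executable disguised as .tmp: $($tmp.FullName)")
        }
    } catch {
        $findings.Add("could not read $($tmp.FullName) (locked by a running process?)")
    }
}

if ($findings.Count -eq 0) {
    'No Coutsonif.A indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A .tmp that cannot even be opened for reading is reported rather than skipped: on a live infection that is usually the dropper still running, which is exactly the process step 3 tells you to kill first. If the handler check still reports a changed value after repair.inf has been installed, the virus is still active and rewriting the keys, so go back to step 3 before repeating step 4.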
Wednesday, May 6, 2009

How to Remove Windows Genuine Advantage

Microsoft recently released a new update called WGA (Windows Genuine Advantage). Some people find it disruptive, so this tutorial explains how to remove the WGA warning and how to uninstall WGA altogether. To remove the warning, follow the few simple steps in part I; to uninstall WGA, you must follow all of the steps in part II.

I. The WGA warning can be removed as follows:
Open Task Manager, end the wgatray.exe process, then restart in Safe Mode. Then:
1. Delete the file WgaTray.exe from C:\Windows\system32
2. Delete the file WgaTray.exe from C:\Windows\system32\dllcache

Open the Windows registry editor and delete the 'WgaLogon' key found under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. This key registers WgaLogon.dll as a Winlogon notification package, which is what starts WgaTray.exe again at every logon.
Then restart normally.

II. How to uninstall WGA
1. Log in to the computer with an administrator account.

2. Check the version of WGA on the computer. The versions that can be removed with these steps are 1.5.0527.0 to 1.5.0532.2.

3. Rename the following files to .old:
• %windir%\system32\WgaLogon.dll -> %windir%\system32\WgaLogon.old
• %windir%\system32\WgaTray.exe -> %windir%\system32\WgaTray.old
The files are renamed rather than deleted because WgaLogon.dll is loaded by winlogon.exe and cannot be removed while it is in use; the restart in the next step releases it.

4. Restart the computer.

5. Unregister LegitCheckControl.dll:
a. Open a command prompt (Start -> Run, type cmd)
b. Type at the command prompt:
regsvr32 /u %windir%\system32\LegitCheckControl.dll

6. Restart the computer.

7. Open a command prompt.

8. Delete the following files (type these at the command prompt):
• del %windir%\system32\WgaLogon.old
• del %windir%\system32\WgaTray.old
• del %windir%\system32\LegitCheckControl.dll

9. Type regedit at the command prompt.

10. Delete the following registry keys:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify
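As an added example (not code from the original post), the PowerShell script below takes a read-only inventory of the WGA components that parts I and II stop, rename, unregister and delete: the four files, their versions (checked against the range step II.2 gives), the two registry keys from step I and step II.10, and whether WgaTray.exe is currently running. It assumes Windows PowerShell 3.0 or later run as administrator and changes nothing; run it before starting and again at the end to confirm nothing is left.

```powershell
# Added example (not code from the original post): a read-only inventory of the
# WGA components that parts I and II above stop, rename, unregister and delete.
# Run it first to confirm the installed version is in the range the post gives,
# and again at the end to confirm nothing is left. It changes nothing.
# Assumes Windows PowerShell 3.0 or later, run as administrator.

$wgaFiles = "$env:windir\system32\WgaLogon.dll",
            "$env:windir\system32\WgaTray.exe",
            "$env:windir\system32\dllcache\WgaTray.exe",
            "$env:windir\system32\LegitCheckControl.dll"
$wgaKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify'

# Version range the post says part II applies to (step II.2).
$minRemovable = [version]'1.5.0527.0'
$maxRemovable = [version]'1.5.0532.2'

foreach ($f in $wgaFiles) {
    if (-not (Test-Path -LiteralPath $f)) { "absent:  $f"; continue }
    $verText = (Get-Item -LiteralPath $f).VersionInfo.FileVersion
    $line = "present: $f (version $verText)"
    if ($f -like '*\WgaLogon.dll') {
        try {
            $v = [version]$verText
            if ($v -ge $minRemovable -and $v -le $maxRemovable) { $line += ', in the range part II covers' }
            else { $line += ', outside the range part II covers' }
        } catch { $line += ', version string not parseable' }
    }
    $line
}

# Step I registry key and step II.10 keys: both should be gone when you are done.
foreach ($k in $wgaKeys) {
    if (Test-Path -LiteralPath $k) { "present: $k" } else { "absent:  $k" }
}

# Step I ends this process by hand; WgaLogon.dll relaunches it at each logon
# for as long as the Winlogon\Notify\WgaLogon key is still present.
$tray = Get-Process -Name WgaTray -ErrorAction SilentlyContinue
if ($tray) { "WgaTray.exe running (PID $($tray.Id -join ', '))" } else { 'WgaTray.exe not running' }
```

If WgaLogon.dll reports a version outside the range in step II.2, the file names and registry keys in part II may not match what is installed, so check them by hand before deleting anything.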
