Technoblog

drvamsikrishna.blogspot.com

Wednesday, February 28, 2007

Solution for Folder Options missing / Registry editing disabled by Administrator

Contents:
• Information about the virus
• Solution to resolve your problem
• How to disable or enable Windows Me System Restore
• How to turn off or turn on Windows XP System Restore
• Tool to reset shell\open\command registry subkeys

Infected by a virus named RontokBro? W32.Rontokbro@mm is a mass-mailing worm that causes system instability.

Details of this virus: when W32.Rontokbro@mm is executed, it performs the following actions:

1. Copies itself as the following files:
   • C:\Windows\PIF\CVT.exe
   • %UserProfile%\APPDATA\IDTemplate.exe
   • %UserProfile%\APPDATA\services.exe
   • %UserProfile%\APPDATA\lsass.exe
   • %UserProfile%\APPDATA\inetinfo.exe
   • %UserProfile%\APPDATA\csrss.exe
   • %UserProfile%\APPDATA\winlogon.exe
   • %UserProfile%\Programs\Startup\Empty.pif
   • %UserProfile%\Templates\A.kotnorB.com
   • %System%\3D Animation.scr

   Several of these names (services.exe, lsass.exe, csrss.exe, winlogon.exe) copy the names of legitimate Windows processes. The legitimate ones run from %System%, so when you look for the worm, judge a process by its path, not only by its name.

   Note:
   • %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
   • %UserProfile% is a variable that refers to the current user's profile folder. By default, this is C:\Documents and Settings\[CURRENT USER] (Windows NT/2000/XP).

2. Creates the folder: %UserProfile%\Local Settings\Application Data\Bron.tok-24

3. Overwrites C:\Autoexec.bat with the following text: "pause"

4. Adds the value "Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe" to the registry subkey HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it runs every time Windows starts.

5. Adds the value "Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe" to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it runs every time Windows starts.

6. Sets the values "DisableRegistryTools" = "1" and "DisableCMD" = "2" in the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. These are what produce the "Registry editing has been disabled by your administrator" message and block the command prompt (the value 2 blocks the interactive prompt; batch files still run).

7. Sets the value "NoFolderOptions" = "1" in the registry subkey HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. This is what removes Folder Options from Explorer.

8. Adds a task to the Windows scheduler to execute the following file at 5:08 PM every day: %UserProfile%\Templates\A.kotnorB.com

9. Reboots the computer when it detects a window whose title contains one of the following strings: .., .@, @., .ASP, .EXE, .HTM, .JS, .PHP, ADMIN, ADOBE, AHNLAB, ALADDIN, ALERT, ALWIL, ANTIGEN, APACHE, APPLICATION, ARCHIEVE, ASDF, ASSOCIATE, AVAST, AVG, AVIRA, BILLING@, BLACK, BLAH, BLEEP, BUILDER, CANON, CENTER, CILLIN, CISCO, CMD., CNET, COMMAND, COMMAND PROMPT, CONTOH, CONTROL, CRACK, DARK, DATA, DATABASE, DEMO, DETIK, DEVELOP, DOMAIN, DOWNLOAD, ESAFE, ESAVE, ESCAN, EXAMPLE, FEEDBACK, FIREWALL, FOO@, FUCK, FUJITSU, GATEWAY, GOOGLE, GRISOFT, GROUP, HACK, HAURI, HIDDEN, HP., IBM., INFO@, INTEL., KOMPUTER, LINUX, LOG OFF WINDOWS, LOTUS, MACRO, MALWARE, MASTER, MCAFEE, MICRO, MICROSOFT, MOZILLA, MYSQL, NETSCAPE, NETWORK, NEWS, NOD32, NOKIA, NORMAN, NORTON, NOVELL, NVIDIA, OPERA, OVERTURE, PANDA, PATCH, POSTGRE, PROGRAM, PROLAND, PROMPT, PROTECT, PROXY, RECIPIENT, REGISTRY, RELAY, RESPONSE, ROBOT, SCAN, SCRIPT HOST, SEARCH R, SECURE, SECURITY, SEKUR, SENIOR, SERVER, SERVICE, SHUT DOWN, SIEMENS, SMTP, SOFT, SOME, SOPHOS, SOURCE, SPAM, SPERSKY, SUN., SUPPORT, SYBARI, SYMANTEC, SYSTEM CONFIGURATION, TEST, TREND, TRUST, UPDATE, UTILITY, VAKSIN, VIRUS, W3., WINDOWS SECURITY.VBS, WWW, XEROX, XXX, YOUR, ZDNET, ZEND, ZOMBIE

   This list is why the machine reboots as soon as you try to fix it by hand: the Registry Editor's window title contains REGISTRY, the command prompt's title contains CMD. and COMMAND PROMPT, and the names of most anti-virus products are on the list. Stop the worm's running copies first (the full scan in the solution below does this) and only then open those tools.





10. May also launch a ping flood attack on the following sites:
    • israel.gov.il
    • playboy.com

11. Gathers email addresses from files with the following extensions on all local drives from C to Y: .asp, .cfm, .csv, .doc, .eml, .html, .php, .txt, .wab

12. Avoids sending itself to email addresses that contain any of the following strings in the domain name: PLASA, TELKOM, INDO, .CO.ID, .GO.ID, .MIL.ID, .SCH.ID, .NET.ID, .OR.ID, .AC.ID, .WEB.ID, .WAR.NET.ID, ASTAGA, GAUL, BOLEH, EMAILKU, SATU (that is, it skips Indonesian domains)

13. May prepend the following prefixes to domain names in an attempt to find Simple Mail Transfer Protocol (SMTP) servers: smtp., mail., ns1.



14. Uses its own SMTP engine to send itself to the email addresses that it finds. The email has the following characteristics:

From: [SPOOFED]
Subject: [BLANK]
Message:
BRONTOK.A [ By: H[REMOVED]Community ]
-- Hentikan kebobrokan di negeri ini --
1. Adili Koruptor, Penyelundup, Tukang Suap, Penjudi, & Bandar NARKOBA ( Send to "NUSAKAMBANGAN")
2. Stop Free Sex, Absorsi, & Prostitusi
3. Stop (pencemaran laut & sungai), pembakaran hutan & perburuan liar.
4. SAY NO TO DRUGS !!!
-- KIAMAT SUDAH DEKAT --
Terinspirasi oleh: Elang Brontok (Spizaetus Cirrhatus) yang hampir punah
[ By: H[REMOVED]unity --

(The Indonesian text reads, in English: "Stop the rot in this country. 1. Put corruptors, smugglers, bribers, gamblers and drug dealers on trial (send them to "NUSAKAMBANGAN"). 2. Stop free sex, abortion and prostitution. 3. Stop pollution of seas and rivers, forest burning and poaching. 4. Say no to drugs!!! Judgment day is near. Inspired by the nearly extinct Changeable Hawk-Eagle (Spizaetus cirrhatus)." Nusakambangan is an Indonesian prison island.)

Attachment: Kangen.exe
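The reboot trigger in step 9 is what bites you during a manual cleanup, so it is worth checking the titles of the tools you are about to open against the list before you open them. The script below is an added example, not code from the original post or from Symantec: it tests a window title against a subset of the trigger strings listed above. It assumes the worm does a case-insensitive substring match (the post lists the strings in upper case), and the window titles it checks are constructed for the example.

```python
"""Added example (not from the original post): which window titles would
trip W32.Rontokbro@mm's reboot trigger (description step 9).

Assumption: the worm matches its strings as case-insensitive substrings
of the window title; the post lists them in upper case, so titles are
upper-cased before matching.
"""

# A subset of the trigger substrings named in the post.
REBOOT_TRIGGERS = (
    ".EXE", "ADMIN", "CMD.", "COMMAND PROMPT", "FIREWALL", "MCAFEE",
    "NORTON", "PROMPT", "REGISTRY", "SCAN", "SECURITY", "SYMANTEC",
    "SYSTEM CONFIGURATION", "UPDATE", "VIRUS",
)

# Window titles of tools the solution has you open, plus a few controls
# (constructed for this example; the cmd.exe path is the XP default).
TOOL_WINDOWS = (
    "Registry Editor",                # regedit
    r"C:\WINDOWS\system32\cmd.exe",   # command prompt
    "Scheduled Tasks",                # Control Panel applet
    "Windows Task Manager",
    "Untitled - Notepad",
    "Symantec AntiVirus",
)


def matching_triggers(title):
    """Return the trigger substrings found in `title`, in list order."""
    upper = title.upper()
    return [t for t in REBOOT_TRIGGERS if t in upper]


def would_trigger_reboot(title):
    """True if a window with this title would make the worm reboot the box."""
    return bool(matching_triggers(title))


def triage_plan(titles):
    """Map each window title to the triggers it hits; an empty list means
    the tool can be opened while the worm is still running."""
    return {t: matching_triggers(t) for t in titles}


if __name__ == "__main__":
    for title, hits in triage_plan(TOOL_WINDOWS).items():
        print(f"{'REBOOTS' if hits else 'safe':8} {title!r} {hits}")
```

Against this subset, Scheduled Tasks and Task Manager pass while the Registry Editor, the command prompt and the anti-virus console all trip the trigger; that is the reason to run the scan and delete the worm's files before touching the registry, which is the order the solution below already uses.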

Solution

1. Disable System Restore (Windows Me/XP).
2. Update the virus definitions if you have an anti-virus program.
3. Run a full system scan and delete all the files detected.
4. Use the Security Response "Tool to reset shell\open\command registry subkeys."
5. Delete the values added to the registry.
6. Delete the scheduled task.

1. To disable System Restore (Windows Me/XP). If you are running Windows Me or Windows XP, temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore files on your computer if they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back it up as well. Windows prevents outside programs, including antivirus programs, from modifying System Restore, so antivirus programs or tools cannot remove threats in the System Restore folder. System Restore can therefore put an infected file back even after you have cleaned every other location, and a virus scan may keep detecting a threat in the System Restore folder after you have removed it everywhere else.

How to disable or enable Windows Me System Restore

Turning off System Restore deletes all previous restore points. You must create new restore points once you turn System Restore back on.

1. Click Start > Settings > Control Panel.
2. Double-click System. If the System icon is not visible, click View all Control Panel options.
3. On the Performance tab, click File System.
4. On the Troubleshooting tab, check Disable System Restore.
5. Click OK.
6. When you are asked to restart Windows, click Yes.

How to turn off or turn on Windows XP System Restore

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives. If you do not see the System Restore tab, you are not logged on to Windows as an Administrator.
4. Click Apply.
5. When you see the confirmation message, click Yes.
6. Click OK.

2. To update the virus definitions
Update the definitions of whatever anti-virus program you have.

3. To scan for and delete the infected files
a. Run a full system scan.
b. If any files are detected, click Delete.

4. Using the Security Response "Tool to reset shell\open\command registry subkeys"

This threat makes changes to the Windows registry that may prevent you from running executable files. Security Response has developed a tool to reset these values to their default settings. This tool is the easiest way to fix this.

Info: as part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan runs each time you run certain files. For example, if the \exefile\shell\open\command key is changed, the threat runs each time you run any .exe file. This may also stop you from running the Registry Editor to try to fix it. They may also change a registry value so that you cannot run the Registry Editor at all. (The default data of HKEY_CLASSES_ROOT\exefile\shell\open\command is "%1" %*; if it names any other program, the association has been hijacked.)

FOLLOW THESE STEPS:
1. Download the file UnHookExec.inf and save it to your Windows desktop. (If you cannot connect to the Internet from the infected computer, download it on an uninfected computer, save it to a floppy disk, and insert the floppy disk in the floppy disk drive of the infected computer.) Note: the tool has a .inf file extension.
2. Locate the downloaded file, either on the Windows desktop or on the floppy disk.
3. Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)
4. Follow any other instructions for the threat that you are trying to remove.

5. To delete the values from the registry

Important: we strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.

Manual steps to export registry subkeys. You can follow these steps to export a registry subkey before you edit it. Note: do not follow these steps to export a whole registry subtree (HKEY_CURRENT_USER is an example of such a subtree). If you must back up whole registry subtrees, back up the whole registry instead.

1. Click Start, and then click Run.
2. In the Open box, type regedit, and then click OK.
3. Locate and then click the subkey that contains the value that you want to edit.
4. On the File menu, click Export.
5. In the Save in box, select a location where you want to save the Registration Entries (.reg) file, type a file name in the File name box, and then click Save.

Modify the specified subkeys only.

a. Click Start > Run.
b. Type regedit
c. Click OK. Note: if the Registry Editor fails to open, the threat may have modified the registry to prevent access to it (the "DisableRegistryTools" value from step 6 of the description). Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
d. Navigate to the subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
e. In the right pane, delete the value: "Bron-Spizaetus" = "C:\WINDOWS\PIF\CVT.exe"
f. Navigate to the subkey HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value: "Tok-Cirrhatus" = "%UserProfile%\APPDATA\IDTemplate.exe"
g. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and delete (or set to 0) the values "DisableRegistryTools" and "DisableCMD"; then navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and delete (or set to 0) "NoFolderOptions". These are the values that hide Folder Options and block the Registry Editor and the command prompt.
h. Exit the Registry Editor.
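Step 5 has you export the subkeys before you edit them, and those exports are also the quickest way to confirm what the worm changed on a machine. The script below is an added example, not the post's or Symantec's code: it reads an export in regedit's Registration Entries (.reg) format, reports the Run values and policy settings the description attributes to the worm (steps 4 to 7), and writes the .reg file that removes them. The export it parses is constructed for the example (the user name in it is made up); resetting the policy values to 0 instead of deleting them is a choice made here, and either restores normal behaviour.

```python
"""Added example (not the post's or Symantec's code): triage a regedit
export for the registry changes the post attributes to W32.Rontokbro@mm
and build the .reg file that undoes them. SAMPLE_EXPORT is constructed."""
import re

# Run values the post says the worm adds (description steps 4 and 5).
RUN_VALUES = {
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Tok-Cirrhatus",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": "Bron-Spizaetus",
}
# Policy values and the data the post says the worm sets (steps 6 and 7).
POLICY_VALUES = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System":
        {"DisableRegistryTools": 1, "DisableCMD": 2},
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer":
        {"NoFolderOptions": 1},
}

# Constructed export of those subkeys in the format regedit's File > Export
# writes (backslashes doubled, dwords as 8 hex digits). User name is made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Tok-Cirrhatus"="C:\\Documents and Settings\\user\\Application Data\\IDTemplate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bron-Spizaetus"="C:\\WINDOWS\\PIF\\CVT.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableCMD"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001
'''

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)+)"=(.*)$')


def parse_reg_export(text):
    """Parse [key] headers, "name"="string" and "name"=dword:hex lines.
    Key paths are case-insensitive in the registry, so they are lower-cased;
    other value types are kept as their raw text."""
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if m := _SECTION.match(line):
            current = m.group(1).lower()
            keys.setdefault(current, {})
        elif (m := _VALUE.match(line)) and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # undo .reg escaping: \\ -> \ and \" -> "
                keys[current][name] = re.sub(r"\\(.)", r"\1", data[1:-1])
            else:
                keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (key, value name, data) for each worm indicator present."""
    hits = []
    for key, name in RUN_VALUES.items():
        values = keys.get(key.lower(), {})
        if name in values:
            hits.append((key, name, values[name]))
    for key, expected in POLICY_VALUES.items():
        values = keys.get(key.lower(), {})
        hits += [(key, n, d) for n, d in expected.items() if values.get(n) == d]
    return hits


def cleanup_reg(hits):
    """Build a .reg file that deletes the Run values ("name"=- is regedit's
    delete syntax) and resets the policy values to dword 0. Import it with
    regedit only after the worm's processes are gone."""
    per_key = {}
    for key, name, _ in hits:
        per_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in per_key.items():
        lines.append(f"[{key}]")
        for name in names:
            lines.append(f'"{name}"=-' if key in RUN_VALUES
                         else f'"{name}"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_indicators(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data in found:
        print(f"{key}\n    {name} = {data!r}")
    print(cleanup_reg(found))
```

Run it against a real export and only the worm's entries come back; legitimate Run values such as ctfmon.exe are left alone, and the generated file touches nothing else, which is the "modify the specified subkeys only" rule above in executable form.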

6. To delete the scheduled task added by the worm

Click Start, and then click Control Panel. (In Windows XP, switch to Classic View.) In the Control Panel window, double-click Scheduled Tasks. Right-click the task icon and select Properties from the pop-up menu. The properties of the task are displayed. Delete the task if the contents of the Run text box on the Task tab match the following: %UserProfile%\Templates\A.kotnorB.com

Posted by Dr.vamsi at Wednesday, February 28, 2007. Labels: Computers
