Clean and Removing Worm W32.SillyFDC (Pendekar Blank) Virus


Here is a manual tutorial for cleaning and removing the "Pendekar Blank" virus:
1. Download and run Process Explorer (PROCEXP), available from http://www.sysinternals.com/
2. In Process Explorer, right-click each of the following processes and choose Suspend: blank.doc, empty.jpg, hole.zip, unoccupied.reg, zero.txt
3. Next, go to Control Panel --> Folder Options, select the View tab and, under Advanced settings: select Show hidden files and folders, uncheck Hide extensions for known file types, and uncheck Hide protected operating system files (Recommended)


W32.SillyFDC [Symantec] is also known under other threat aliases from other vendors.






W32.SillyFDC [Symantec] is known to be created under a number of file names.







4. Search for and delete the files created by the virus:



c:\aut0exec.bat
c:\windows\system32\dllcache\Regedit32.com
c:\windows\system32\dllcache\Shell32.com
c:\windows\system32\dllcache\rund1132.exe
c:\windows\system32\dllchache.exe
c:\windows\system32\M5VBVM60.exe
c:\(Read Me)Pendekar Blank.txt
c:\windows\system32\dllchache\blank.doc
c:\windows\system32\dllchache\empty.jpg
c:\windows\system32\dllchache\hole.zip
c:\windows\system32\dllchache\msvbvm60.dll
c:\windows\system32\dllchache\unoccupied.reg
c:\windows\system32\dllchache\zero.txt
c:\windows\system32.exe







5. Clean and repair the registry:



Delete HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Secure32
Delete HKEY_CURRENT_USER, Software\Microsoft\Windows\CurrentVersion\Run, Secure64
Delete HKEY_LOCAL_MACHINE, Software\Microsoft\Windows\CurrentVersion\Run, Blank Antiviri
CHANGE & MODIFY @ HKCR, comfile\shell\open\command,,,"""%1"" %*"
CHANGE & MODIFY @ HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
CHANGE & MODIFY @ HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
CHANGE & MODIFY @ HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit,0, "C:\Windows\system32\userinit.exe,"
CHANGE & MODIFY @ HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
CHANGE & MODIFY @ HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit.,0, "userinit.exe"


6. Then restart your computer.
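
A read-only check for the artifacts named in steps 4 and 5, given here as an added example that is not part of the original tutorial. It assumes Windows is installed in C:\Windows, as the page's own paths do, and it only reports findings without deleting or changing anything.

```powershell
# Added example: audit only. Run from an elevated PowerShell prompt.
# File paths copied from step 4; the dllchache folder holds the listed
# blank.doc, empty.jpg, hole.zip, msvbvm60.dll, unoccupied.reg and zero.txt.
$files = @(
    'C:\aut0exec.bat',
    'C:\windows\system32\dllcache\Regedit32.com',
    'C:\windows\system32\dllcache\Shell32.com',
    'C:\windows\system32\dllcache\rund1132.exe',
    'C:\windows\system32\dllchache.exe',
    'C:\windows\system32\M5VBVM60.exe',
    'C:\(Read Me)Pendekar Blank.txt',
    'C:\windows\system32\dllchache',
    'C:\windows\system32.exe'
)
# Run values that step 5 says to delete.
$run = 'Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @(
    @{ Key = "HKCU:\$run"; Name = 'Secure32' },
    @{ Key = "HKCU:\$run"; Name = 'Secure64' },
    @{ Key = "HKLM:\$run"; Name = 'Blank Antiviri' }
)
# Values that step 5 resets, with the data the page gives for each.
# The comfile entry is the page's INF-escaped string written unescaped.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Data = 'cmd.exe' },
    @{ Key = $winlogon; Name = 'Userinit'; Data = 'C:\Windows\system32\userinit.exe,' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command'; Name = '(default)'; Data = '"%1" %*' }
)

foreach ($f in $files) {
    # -LiteralPath avoids wildcard handling; hidden and system items are still found.
    if (Test-Path -LiteralPath $f) { "FOUND file or folder: $f" }
}
foreach ($r in $runValues) {
    $props = Get-ItemProperty -LiteralPath $r.Key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.($r.Name)) {
        "FOUND Run value: $($r.Key) -> $($r.Name) = $($props.($r.Name))"
    }
}
foreach ($e in $expected) {
    $props = Get-ItemProperty -LiteralPath $e.Key -ErrorAction SilentlyContinue
    $actual = if ($props) { $props.($e.Name) } else { $null }
    # String comparison is case-insensitive, so path casing does not matter.
    if ($actual -ne $e.Data) {
        "MISMATCH $($e.Key) [$($e.Name)]: '$actual' (page expects '$($e.Data)')"
    }
}
```

No output means none of the listed artifacts were found; running it again after the restart in step 6 shows whether anything has been re-created.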


Source : http://dhuwuh.blogspot.com/2008/08/clean-and-removing-worm-w32sillyfdc.html





17 comments:

Anonymous said... on January 24, 2009 at 9:15 PM  

Great man!!!! Thanks a lot... you earn 10/10 credit for this...
it helped me to clean that virus, which wastes a lot of memory...
thanks once again...

Anonymous said... on April 14, 2009 at 12:40 PM  

It successfully removed the virus yesterday, I checked in the task manager, but today again when I switched on my computer, after a few minutes all these files ((Read Me)Pendekar Blank.txt, blank.doc, empty.jpg, hole.zip) are visible in my task manager.

Please advise if any of you faced the same issue.

Thanks
Manish


Trojan.Vundo Removal said... on September 25, 2009 at 1:12 AM  

Great site...I too help people remove nasty win32 trojan viruses. Visit my site to get rid of vundo!

Win32 Zlob Removal said... on September 25, 2009 at 1:14 AM  

Excellent post, I have had the win32.silly virus before and it is a nasty one to remove. Thanks!

khasiat sarang semut said... on June 23, 2011 at 12:17 PM  

The tips and writing in this post are useful; I got new ideas from this post. Thank you very much

ac portable said... on December 26, 2012 at 3:11 PM  

After I tried this software, the worm virus on my computer disappeared in a flash
