Remove Virus Amburadul ( W32/Amburadul or W32/Agent.EQXM )


He never ceases to disseminate their knowledge and never leave them alive forever. This article explains how to remove all variants of the Amburadul virus manually, without an antivirus program.

An easy way to tell whether your computer is infected by this virus: you will see JPEG files whose file type is Application. Now let's start removing!

1. Disconnect the infected computer from the network to stop the virus from spreading.

2. Turn off "System Restore" during the cleaning process.

3. Kill the virus processes using the "currprocess" tool: kill all processes that have a JPG icon.

4. Repair the registry entries that the virus has changed, using this code. Save it as repair.inf:

[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Restore the open commands for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the logon shell and the Explorer folder options
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, "checkbox"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, "checkbox"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
; Restore the Safe Mode alternate shell
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
; Remove the Image File Execution Options entries
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
; Remove the policy restrictions and the Run entries
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore


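5. Remove the virus's master files in %systemroot%\system32\~A~m~B~u~R~a~D~u~L~. Before doing so, you have to make hidden files visible.

Then delete the files in this list. Several of them share their names with legitimate Windows system files (smss.exe, lsass.exe, services.exe, winlogon.exe, msvbvm60.dll), so delete only the virus's copies, such as those in the ~A~m~B~u~R~a~D~u~L~ folder above, never the originals in %systemroot%\system32.

csrcc.exe

smss.exe

lsass.exe

services.exe

winlogon.exe

Paraysutki_VM_Community.sys

msvbvm60.dll

Drive:\autorun.inf

Drive:\FoToKu xx-x-*.exe, where "x" indicates the date on which the virus was active

Drive:\Friendster Community.exe

Drive:\J3MbataN K4HaYan.exe

Drive:\MyImages.exe

Drive:\PaLMa.exe

Drive:\Images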


6. Don't forget to install an up-to-date antivirus.
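A read-only check of the registry locations that repair.inf in step 4 resets or deletes, useful for confirming that the repair took effect. This is an added example, not part of the original post; the selection of checks and the "command must start with "%1"" test are assumptions derived from the INF above.

```powershell
# Added example (not from the original post): read-only audit of registry locations
# that repair.inf resets or deletes. It changes nothing; review each finding by hand.
$findings = New-Object System.Collections.Generic.List[string]

# Image File Execution Options: a Debugger value makes Windows start that program
# instead of the named executable. The [del] section removes such subkeys.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger on $($_.PSChildName): $dbg") }
}

# File-association open commands: [UnhookRegKey] resets these so the command
# begins with "%1" (or regedit.exe for .reg); anything placed in front is a hook.
foreach ($class in 'batfile','comfile','exefile','piffile','scrfile','regfile') {
    $key = "HKLM:\SOFTWARE\Classes\$class\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    $ok  = if ($class -eq 'regfile') { $cmd -like 'regedit.exe*' } else { $cmd -like '"%1"*' }
    if (-not $ok) { $findings.Add("$class open command: $cmd") }
}

# Single values: Expect holds the data [UnhookRegKey] writes;
# $null means the value must be absent because [del] removes it.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expect = 'Explorer.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Expect = 'cmd.exe' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expect = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind'; Expect = $null }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'DisableMSI'; Expect = $null }
)
# Run entries named in the [del] section of repair.inf
foreach ($name in 'PaRaY_VM','ConfigVir','NviDiaGT','NarmonVirusAnti','AVManager') {
    $checks += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = $name; Expect = $null }
}
foreach ($c in $checks) {
    $name  = $c.Name
    $value = (Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue).$name
    # String comparison is case-insensitive, so "explorer.exe" matches "Explorer.exe"
    if ($value -ne $c.Expect) { $findings.Add("$($c.Path)\$name = $value") }
}

if ($findings.Count -eq 0) { 'No leftover hooks found in the checked locations.' } else { $findings }
```

Some legitimate tools also set an Image File Execution Options Debugger value, so a finding there is a prompt for review rather than proof of infection.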


Source : http://dhuwuh.blogspot.com/2008/08/virus-amburadul-w32amburadul-or.html





22 comments:

surya narayan singh said... on September 13, 2008 at 11:15 PM  

I have written a step by step guide for removing winlogon virus. You may find it helpful.
http://snsays.com/26/removing-winlogon-virus/

Anonymous said... on October 24, 2008 at 12:14 AM  

Any idea how to restore the safe mode function that was deleted in the registry by this virus? I still haven't figured out how to restore the safe mode function. Can we just import an exported key from a fresh machine to ours? Please advise. nietz92@yahoo.com


wisata seo sadau said... on June 12, 2009 at 3:14 AM  

Mas Dhuwuh, I think I like the sixth step better, he he.

unique health info said... on July 7, 2009 at 2:40 PM  

At first I didn't understand the registry, but thanks to your help I now understand it a little.

Work At Home said... on August 5, 2009 at 5:53 PM  

I often get viruses when visiting certain websites. With an antivirus, loading is slow. I am forced to use one anyway; better slow as long as it is safe.

Mengembalikan Jati Diri Bangsa said... on August 10, 2009 at 11:57 PM  

Wow, this is what I was looking for. I have been hit by this virus several times. I think these tips and tricks are very useful for me. Thanks bro.

stop dreaming start action said... on September 2, 2009 at 11:17 AM  

If it is the system registry that is damaged, can the tips above be used, mas? Thanks.

Free AVG Internet Security said... on October 9, 2009 at 6:41 PM  

You can use the latest version of AVG Internet Security or AVG Anti-Virus. I see on the AVG news site that the latest products are AVG Internet Security 9.0 and AVG Anti-Virus 9.0.
Thanks.

anto said... on November 25, 2009 at 10:42 PM  

Are there simpler steps? Like using some antivirus or something.
