Remove Virus Amburadul ( W32/Amburadul or W32/Agent.EQXM )

He never ceases to disseminate their knowledge and never leave them alive forever. This article is how to remove the virus amburadul Varian for all without antivirus program can be cleaned simply by using the technical manual.

The easy way to tell if your computer infected by this virus will be JPEG files with the extension application. Now let's start removing!

1. Unplug your computer infected its network to stop the spread of this virus.

2. Turn off "System Restore" when in the cleaning process.

3. Killing the virus process using power tools "currprocess" kill all processes with JPG icon.

4. Repair registration that has already changed by the virus using this code and save as
repair.inf :

[Version]

Signature="$Chicago$"

Provider=Vaksincom

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""

HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0,
"Explorer.exe"

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,
UncheckedValue,0x00010001,0

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0x00010001,1

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0x00010001,1

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
UncheckedValue,0x00010001,1

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
CheckedValue,0x00010001,0

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
DefaultValue,0x00010001,0

HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,
type,0, "checkbox"

HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
type,0, "checkbox"

HKCU, Control Panel\International, s1159,0, "AM"

HKCU, Control Panel\International, s2359,0, "PM"

HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
ShowSuperHidden,0x00010001,1

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
SuperHidden,0x00010001,1

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HideFileExt,0x00010001,0

[del]

HKCU, Software\Microsoft\Internet Explorer\Main, Window Title

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kspoold.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kspool.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\msconfig.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rstrui.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\wscript.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mmc.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\HokageFile.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Rin.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\cmd.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SMP.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\taskkill.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\tasklist.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Obito.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KakashiHatake.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV-CLN.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV-RTP.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\boot.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\HOKAGE4.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Ansav.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Setup.exe,debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Instal.exe, debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Install.exe,debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\procexp.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\msiexec.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\taskmgr.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Ansavgd.exe

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegistryTools

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind

HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI

HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer,
LimitSystemRestoreCheckpointing

HKCR, exefile, NeverShowExt

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA

HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

5. Remove virus captain in %systemroot%\system32\~A~m~B~u~R~a~D~u~L~ before doing so you have to make hidden files are made visible.

Then, delete the file from this list:

csrcc.exe

smss.exe

lsass.exe

services.exe

winlogon.exe

Paraysutki_VM_Community.sys

msvbvm60.dll

Drive: \ autorun.inf

Drive: \ FoToKu xx-x-*. exe, where "x" indicates the date on which the virus
active

Drive: \ Friendster Community.exe

Drive: \ J3MbataN K4HaYan.exe

Drive: \ MyImages.exe

Drive: \ PaLMa.exe

Drive: \ Images

6. Don`t forget to install anti virus up to date.

Source : http://dhuwuh.blogspot.com/2008/08/virus-amburadul-w32amburadul-or.html

21 comments:

Anonymous said... on September 13, 2008 at 11:15 PM: I have written a step by step guide for removing winlogon virus. You may find it helpfull.
http://snsays.com/26/removing-winlogon-virus/
Anonymous said... on September 15, 2008 at 10:30 AM: Ok thanks sir.
Anonymous said... on October 24, 2008 at 12:14 AM: any idea how to restore safe mode function that was deleted in registry by this virus ? i still haven't figure how to restore the safe mode function..can we just imported eksported key from fresh machine to ours ? please advise.. nietz92@yahoo.com
350-029 said... on June 6, 2009 at 6:54 PM: thanks atas ilmunya...
wisata seo sadau said... on June 12, 2009 at 3:14 AM: Mas Dhuwuh, kayaknya Saya lebih seneng dg langkah yang ke enam tu,,he,,he,,
seo beginner said... on July 7, 2009 at 2:19 PM: virusnya emang rewel
SEO pemula said... on July 7, 2009 at 2:22 PM: bzz virus rese
wii game said... on July 7, 2009 at 2:38 PM: wah saya juga sering bermasalah dengan yang satu ini
unique health info said... on July 7, 2009 at 2:40 PM: tadinya saya gak ngerti registry tapi berkat bantuan anda saya jadi ngerti dikit deh
Work At Home said... on August 5, 2009 at 5:53 PM: Saya sering kena virus ketika melawat sesuatu laman web. Kalau ade antivirus, loading lambat. Terpakasa gunakan juga, biar lambat asalkan selamat.
Stop Dreaming Start Action said... on August 5, 2009 at 11:16 PM: thank tipsnya, sy bookmark dulu kali aja suatu saat perlu.
Mengembalikan Jati Diri Bangsa said... on August 10, 2009 at 11:57 PM: Wah ini yang saya cari. Beberapa kali saya pernah terkena nih virus. Kayaknya tips dan trik ini sangat berguna bagi saya. Thank's bro
Dofollow said... on August 11, 2009 at 7:39 PM: Thanks for your tips Sir, thats very helpfull..
Blogger Indonesia said... on August 11, 2009 at 7:40 PM: Mantap tips nya pak.. tenks deh..
stop dreaming start action said... on September 2, 2009 at 11:17 AM: kalau system registry yang rusak bisa nggak ya mas pakai tips di atas.. thanks
Kenali dan Kunjungi Objek Wisata di Pandeglang said... on October 3, 2009 at 5:22 PM: regedit jg kena serang mas :(
Free AVG Internet Security said... on October 9, 2009 at 6:41 PM: You can use AVG Internet Security or AVG Anti Virus last version. I see on news AVG site, the last product is AVG Internet Security 9.0 and AVG Anti-Virus 9.0.
Thanks.
Mengembalikan Jati Diri Bangsa said... on October 19, 2009 at 12:34 PM: Infonya menarik sekali mas, sangat berguna bagi saya... cintai juga dan Kenali dan Kunjungi Objek Wisata di Pandeglang
anto said... on November 25, 2009 at 10:42 PM: Apa ada yang lebih sederhana langkahnya. Pake anti virus apa gitu.
android said... on January 26, 2012 at 5:50 PM: kenapa pake bhsa inggris sih??
SeoWaps said... on April 24, 2013 at 2:20 PM: SeoWaps