CLEANING TECHNIQUE FOR THE "BLUE FANTASY" VIRUS

Sunday, April 17, 2011
I. A Brief Overview of "Blue Fantasy"

You may have heard of, or even been a victim of, the malicious virus known as My Rose Lorenz. That virus is better known as KillAV, which in Indonesian means "anti-virus killer". Recently a virus with symptoms similar to KillAV has appeared, except that it does not set out to block every installed anti-virus. On closer examination this virus is not very dangerous, because it does no damage to the Windows system. But it is annoying enough to get on one's nerves.


II. The Characteristics of This Virus and How It Works

This virus's mode of attack is basically the same as that of most other viruses written in Visual Basic: it creates a duplicate of each folder and hides the original, both in our own data and in Windows' supporting folders. This is very deceptive, because when we open a duplicate folder created by the virus we actually help it spread further. Note that the Blue Fantasy virus (some also call it the "breakup" virus) creates a file with the same name as the original folder it has hidden. How do we tell a duplicate folder apart? By looking at the folder's attributes: choose View on the toolbar menu and then select Details. From there you can see that all these "folders" have the same size, 40 KB, and the extension .scr.
Another feature of this virus is that it always displays a message box when you first log on to Windows, containing the words: "Surabaya in Happy Birthday. (Do not kill me, I'm just sending a message from your computer. Thank you for accompanying me, even if only for a moment, but to me it was very significant. I'm sorry if all the happiness I ask for is a friend throughout my life. I should have understood that my existence is not at your side, just a reverie in regret. For that is not my lover I've ever had 3r1k1m0)"


This virus spreads very quickly through storage media such as floppy disks and USB flash drives, so be careful when working on a computer infected with it: once a flash drive is connected, you can be sure it is infected. Why? One general characteristic of viruses is to be as clever as possible about spreading from one computer to another, which is why they copy themselves to a flash drive or floppy automatically, without you having to click anything. Once the virus has entered the Windows system, it runs from its parent files automatically, without our seeing or noticing it. Skilfully, the virus puts its master files in a location we rarely open. The Blue Fantasy parent files, for example, are found at C:\Documents and Settings\All Users\Start Menu\ under the names Adobe Online.com and Adobe Update.com. Both files are hidden, so they cannot be seen. Normally, to display hidden files or folders, we use Folder Options and then Show hidden files, but don't get your hopes up, because this virus also disables that option.


III. How to Remove It

Note the following in the process of cleaning this virus:

1. First of all, disconnect the infected computer from every network, both the local network (LAN) and the internet.


2. Turn off Windows' System Restore option via Start-All Programs-Accessories-System Tools-System Restore.

3. Try to do the cleaning in Safe Mode (this only applies to the step of scanning for the virus with an up-to-date anti-virus).

After that, begin by stopping the virus's hidden service or program. Even if you have managed to find the virus's master files, you will not be able to delete them, because Windows refuses to remove any exe file that is currently running.

The way to stop it is to use an additional tool in the form of a task manager (the default Windows Task Manager cannot recognise this service, and the virus can block it as well).

But don't worry, there are tools that can overcome this problem, for example the programs CProcess or Security Task Manager. We suggest you use CProcess, because this software can also stop services that reside only in memory.


Once you have downloaded it, install it, then run it. In the process list you can see the programs and services that are active. Stop (Kill) Adobe Online and Adobe Update, then close the program.

Next comes identifying the virus files and the duplicate folders it produced, using Windows Search from the Start menu: set it to All files and folders, type *.com *.scr, under size select "at most" 41 KB, in the more advanced settings tick the box for hidden files and folders, and click Search.

In the search results you will find the "folders" of 40 KB with the *.scr extension, as well as Adobe Online.com, Adobe Update.com, Thumbs.db and Thumbs.com. Select these files and folders and delete them with right-click-Delete. Don't forget to empty the Recycle Bin too.


Then also search for the autorun.inf file with the same settings as above, and delete the copies located at C:\, D:\, E:\ and so on.
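As an added example (not from the original post), the following Python script automates the identification step above: it walks a drive or folder and reports small .scr/.com files whose name matches a sibling folder (the hidden original), together with any autorun.inf at the scanned root. The 41 KB limit and the *.com/*.scr extensions are the post's; the directory walk, the constructed `Finding` record and the output format are this example's own.

```python
"""Scan for the Blue Fantasy 'duplicate folder' pattern (added example)."""
import os
import stat
import sys
from dataclasses import dataclass
from pathlib import Path

MAX_SIZE = 41 * 1024            # the post searches for files of at most 41 KB
SUSPECT_EXT = {".scr", ".com"}  # the post's search pattern: *.com *.scr


@dataclass
class Finding:
    path: Path
    size: int
    reason: str


def is_hidden(p: Path) -> bool:
    """True if the Hidden attribute is set (Windows only); False elsewhere."""
    attrs = getattr(p.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan(root: Path) -> list[Finding]:
    root = Path(root)
    findings: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        siblings = {d.lower(): d for d in dirnames}  # folders in this directory
        for name in filenames:
            f = here / name
            size = f.stat().st_size
            if here == root and name.lower() == "autorun.inf":
                findings.append(Finding(f, size, "autorun.inf at scanned root"))
                continue
            if f.suffix.lower() not in SUSPECT_EXT or size > MAX_SIZE:
                continue
            twin = siblings.get(f.stem.lower())
            if twin is not None:  # e.g. "Photos.scr" next to a folder "Photos"
                state = "hidden" if is_hidden(here / twin) else "visible"
                findings.append(Finding(f, size, f"impersonates {state} folder {twin!r}"))
    return findings


if __name__ == "__main__":
    for hit in scan(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{hit.path}  ({hit.size} bytes)  {hit.reason}")
```

Run it against the infected drive before deleting anything; the reported hidden/visible state of each twin folder also tells you which originals the later attrib step still needs to restore.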

Well, after performing the above steps, it is time to restore the Windows registry settings that the virus has messed up. To do this quickly, without having to sort out one by one which registry settings the virus has damaged, copy the script below and save it under the name repair.inf. To use it, right-click repair.inf and select "Install".


The script is as follows:

; Restores the shell settings and file-type associations the virus altered,
; and deletes the policy keys it added to hide Registry Editor and Folder Options.
[Version]
Signature="$Chicago$"
Provider=PCNUSANTARA
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
; Restore the default "open" commands for executable file types
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
; a literal quote inside an INF string is written as a doubled quote
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the normal logon shell and the Safe Mode command shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; Make the "Hide extensions for known file types" option behave normally again
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Classes\scrfile,,,"Screen Saver"
[del]
; Remove the logon message the virus displays
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, LegalNoticeText
; Let .scr files show their extension and default tooltip again
HKLM, SOFTWARE\Classes\scrfile, InfoTip
HKLM, SOFTWARE\Classes\scrfile, NeverShowExt
HKLM, SOFTWARE\Classes\scrfile, TileInfo
; Re-enable Registry Editor and Folder Options
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
; Remove the Image File Execution Options entries that hijack msconfig, regedit and Task Manager
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

To make sure whether or not the virus persists, you can scan with a recently updated anti-virus, for example AVG, Norman, etc. The AVG Anti-Virus update of March 31, 2007 was able to identify this virus. Remember, try to run the scan in Safe Mode: restart your computer and tap the F8 key before Windows boots (not all PC or notebook products support this, but most do).

Then how do you restore the hidden folders? Easy: open a command prompt via Start-Run, type "cmd" and press Enter. Once the command prompt window opens, move to the drive where your data folders are located, so that the prompt shows "drive":\>, where "drive" is that drive letter. Then type the command "attrib -s -h /s /d" and press Enter, and wait until "drive":\> appears again. Now check the folders in Windows Explorer.

Good luck ...