Virus Contra

How to Remove Popup Ads Text-Enhance Cookie from Your Computer

noreply@blogger.com (btvideo) — Thu, 10 Nov 2011 13:08:00 +0000

Text-Enhance cookie was appeared at your computer because some reasons:

You have directly visited text-enhance.com or a website that you have visited uses some of the components (pages, files, images, and so on) of the enhance.com website
A software application with Internet-enabled functionality that had previously accessed the enhance.com website was running on your PC (in this case, the text-enhance.com cookie will be saved in Internet Explorer, Mozilla and other browser)

You can detect the presence of the enhance.com cookie in your system using some antimalware application. This way, the detection and removal will be performed automatically. Alternatively, you can choose to perform the following steps, depending on the browser you are using:

Internet Explorer 7 (IE7)

From the Tools menu, or the Tools list in the upper right section, select Internet Options
Under Browsing History, click Settings
Click View Objects or View Files
Check if for the enhance.com cookie is present on the list

Internet Explorer 5.x-6.x (IE5-IE6)

From the Tools menu, select Options or Internet Options
In the General tab, click Settings
Select View Files
You can identify the enhance.com cookie files by checking the file names beneath the Name or Internet Address column. The files will contain the Cookie: enhance.com element.

Mozilla Firefox (FF)

From the Tools menu, select Options
In the upper section of the Options window, click Privacy
In the Cookies tab, click Show Cookies or remove individual cookies link
In the Cookies window, enter enhance.com in the Search field and run a search, or you can scroll down the list to check whether the enhance.com cookie is present there.

And below, you will find instructions on how to block the enhance.com cookie permanently in the different browsers.

To block enhance cookie in Internet Explorer

From the Tools menu of Internet Explorer, select Internet Options
Select the Privacy tab, and then click Sites. The Per site privacy actions window will be displayed
In the Per site privacy actions window, enter enhance.com in the Address of Web site field
Click Block

To block enhance cookie in Mozilla Firefox

From the Tools menu, select Options
In the upper section of the Options window, click Privacy
In the Cookies tab, click Exceptions
In the new Exceptions - Cookies window, enter text-enhance.com and textsrv.com in the Address of Website field and click Disable

Removing Add-Ons/Extensions
In Google Chrome, click on the wrench at the top right, then select Tools->Extensions and remove something called “Facetheme” or “Better Links” there. The add-on called “Facetheme” was the one on my computer that was directly linked to text-enhance.com. “Better Links” was a similar add-on we found on a different computer, but worked essentially the same as text enhance.
In IE, go into Tools->Manage Add-Ons to remove it there. In Firefox, go into Tools->Add Ons. While you’re in there, remove any unwanted add-ons. There’s a good chance you’ll see some you don’t recognize or want.

Add/Remove Programs
We actually found “Facetheme” in our add/remove programs section of Windows. So, remove it from your computer. The removal process seemed to work this way as well.

PCMAV 2.1a (October 2009 Update)

noreply@blogger.com (btvideo) — Fri, 02 Oct 2009 07:21:00 +0000

The new update of PCMAV has been released on this October 2009. In this new version, 2.1a, PCMAV able to detect and remove 2.954 the famous viruses.

Whats new in PCMAV 2.1a:

UPDATED! Added to database, scanner and cleaner of 71 local viruses/new variants that reported by users in Indonesia and Asia. Total 2954 viruses and its variants, including new variant of Conficker virus.
IMPROVED! Added the special cleaner for virus smansa.
IMPROVED! Heuristic engine for detect new variant of some complex polymorphic viruses.
And other bug fixed and some improvisations.

Download this great and small Anti Virus at Here.

PC Media Antivirus (PCMAV) 2.0b - Valkyrie

noreply@blogger.com (btvideo) — Mon, 11 May 2009 02:46:00 +0000

PC Media Antivirus (PCMAV) 2.0b - Valkyrie

New Release May 9, 2009

Kill all Brontok virus, Conficker and all its variants without damaging Operating System and your files

Whats New

a. Improved! Added a database and virus cleaning 60 local / foreign / new variants have been spread. Total 2720 virus with variannya, including virus Conficker sophisticated, a lot of outstanding and has been known in this version 2.0b by core engine PCMAV.
b. BuG fixed! In the previous version of RTP running less perfect in Windows XP / Vista, which in some cases to result in some applications can not run perfectly.
c. BuG fixed! Routine scan memory does not fail again in detecting some types of script viruses.
d. BuG fixed! Heuristic engine is now more accurate in detecting the suspected file.
e. NEW! Additional advanced heuristic engine that can detect polymorphic variants of the virus spread much.
f. BuG fixed! Scan through the right-click "Scan with PCMAV" can now be integrated in Vista without problems.
g. Improved! Display splash screen Realtime Cleaner and Protector.
h. BuG fixed! Error detection (false alarm) heuristik on some programs and scripts.
i. Updated! README.TXT
j. Improved! Several name changes the virus has found a new variant.
k. Improved! Some minor improvements and bug improvised code to ensure that internal PCMAV can still be pride.

Minimal System Requirement

Processor: Pentium
RAM: 256 MB
Operating systems: - Windows XP 32-bit
- Window Vista 32-bit
- Windows 7 32-bit

Download this AntiVirus for free at Here or Here.

Update: PCMAV 1.9

noreply@blogger.com (btvideo) — Fri, 14 Nov 2008 04:33:00 +0000

PCMedia AntiVirus 1.9

The new PCMAV 1.9 has capable to detect and remove new 2254 viruses and its variant that reported and found in the world.

Whats Changed:

Added, cleaner and removal database for new 95 viruses
Added, special cleaner for virus Bungas.vbs
Fixed, false alarm (heuristhic miss detection) for some application and script
Updated, chanhes for virus names according their new variants
Fixed, few minor bugs found and internal code improved.

Download at Here or Here.

W32/Sality Virus: Description and How to Remove It

noreply@blogger.com (btvideo) — Tue, 11 Nov 2008 00:35:00 +0000

Sality is a virus that has backdoor capabilities and executes keylogger and may infect executable files by putting its code to host files. Once it is installed, Sality virus will infect local executable files and delete all files that are associated with anti-virus and anti-spyware applications, as well as firewalls. After this, Sality runs a keylogging module that gathers all system and network information, records passwords and login names, steals all sensitive information and sends all this collected data to a predefined email address.

In addition, Sality opens a backdoor that allows the remote attacker to get the full control over the infected computer and this places any financial or banking information stored on your computer in severe jeopardy and represents a serious security risk.

Also known as: W32/Sality (McAfee), Virus.Win32.Sality.aa (Kaspersky), W32.Sality.AE (Symantec), Virus:Win32/Sality.AM (MS OneCare), PE_SALITY.EM (Trend)

W32/Sality is a parasitic virus that infects Win32 PE executable files. It is a polymorphic virus that attempts to spread by file infection. It looks for Win32 PE executable files with .EXE or .SCR file extensions, and infects any such files found on the system by appending the virus body to the host file.

The virus also attempts to propagate by copying itself with a random filename to network drives, including all removable disk drives. Sality.AA also creates an "autorun.inf" file in these drives so that the virus executes when it is accessed.

Upon execution, it drops the following files into the Windows system directory:

%Windir%\System32\Hdaudprop.dll
%Windir%\System32\Hdaudpropres.dll
%Windir%\System32\Hdaudpropshortcut.exe
%Windir%\System32\drivers\Hdaudbus.sys
%Windir%\System32\drivers\Hdaudio.sys
%Windir%\System32\drivers\portcls.sys

Creates the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WMI_MFC_TPSHOCKER_80
HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\Root\IPFILTERDRIVER
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline

and it downloads further malware from the following domains:

bpowqbvcfds677.info
aapowqbvcfds677.info
abpowqbvcfds677.info
d98dc9.bpowqbvcfds677.info
bmakemegood24.com
d99395.bmakemegood24.com
bbeakemegood24.com
bperfectchoice1.com
d998b6.bperfectchoice1.com
cbparfectchoice1.com
cbpbrfectchoice1.com
bcash-ddt.net
d9aab7.bcash-ddt.net
pzrk.ru
dbcabh-ddt.net
bddr-cash.net
ebddrbcash.net

It also modifies the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Setting\"GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

and this virus also deletes entries in the following registry subkeys:

HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

Sality.AA bypasses the system firewall by executing the command:
netsh firewall set opmode disable

It may also disable settings related to system security. It does this by adding the following registry entries:

HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001

The virus sets the following registry entry so that hidden folders and files are not displayed in Windows Explorer view:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 2

It also disables Registry Editor and Task Manager by adding these registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001

Sality.AA terminates all anti virus routine services running on the system, and prevent access to Websites that contain its names, like sality_remove, viruscan, sophos, mcafee, eset.com, kaspersky, onlinescan, and more...

The device driver is not dropped and installed onto the system unless there is an active internet connection.

The virus may prevent execution of applications that perform an integrity self-check as a result of them being infected.

So my dear friend the easiest way to tackle this virus is to Remove above mention Virus Entry Doors from registry and Delete those .DLL files from system.

Sality Manual Removal Instructions

Below is a list of Sality manual removal instructions and Sality components listed to help you remove Sality from your PC. Backup Reminder: Always be sure to back up your PC before making any changes.

Note: This manual removal process may be difficult and you run the risk of destroying your computer.

Step 1 : Use Windows File Search Tool to Find Sality Path

Go to Start > Search > All Files or Folders.
In the "All or part of the the file name" section, type in "Sality" file name(s).
To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
When Windows finishes your search, hover over the "In Folder" of "Sality", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Sality in the following manual removal steps.

Step 2 : Use Windows Command Prompt to Unregister Sality DLL Files

To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Sality DLL file is located and press the "Enter" button on your keyboard. If you don't know where Sality DLL file is located, use the "dir" command to display the directory's contents.
To unregister "Sality" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, :C\Spyware-folder\> regsvr32 /u Sality.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
Search and unregister "Sality" DLL files: syslib32.dll, sysdll.dll, oledsp32.dll

Step 3 : Detect and Delete Other Sality Files

To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
To change directory, type in "cd name_of_the_folder".
Once you have the file you're looking for type in "del name_of_the_file".
To delete a file in folder, type in "del name_of_the_file".
To delete the entire folder, type in "rmdir /S name_of_the_folder".
Select the "Sality" process and click on the "End Process" button to kill it.
Remove the "Sality" processes files: syslib32.dll, sysdll.dll, oledsp32.dll, oledsp32.dll, sysdll.dll, syslib32.dll

Other simple way, you can use Sality Removal Tool from Grisoft by downloading at Here.

Autorun Virus Remover v2.3

noreply@blogger.com (btvideo) — Mon, 03 Nov 2008 09:04:00 +0000

Autorun Virus Remover can detect and clean hundreds of usb/autorun viruses and it will block viruses and trojans trying to attack when USB device is inserted.

Autorun Virus Remover provides 100% protection against any malicious programs trying to attack via USB storage(USB driveUSB stickpen drive flash drive flash card secure digital card removable storage portable storage;ipod media player).

Compare Autorun Virus Remover with other antivirus solutions, you will find out its highlights:

Autorun Virus Remover provides 100% protection against any threats via USB drive, however, the majority of other products are unable even to guarantee 90% protection.
Autorun Virus Remover can detect and clean the usb virus/worm/trojan such as Ravmon,auto.exe in your computer or usb drive,it could solve the problem that unable to open a drive by double clicking. It also removes the leftovers of virus by removing the autorun.inf files and cleaning up your system registry, so you won’t see the autoplay item anymore.

Features:

100% protection against any threats via USB drive
The best solution to protect offline computer
The world’s fastest and smallest antivirus software
Require no signature updates
100% compatible with all software
Easy to use

Btw, you can download this antivirus at here or at here.

All You Have Know About Spyware

noreply@blogger.com (btvideo) — Wed, 22 Oct 2008 09:31:00 +0000

There are a lot of PC users that know little about "Spyware", "Mal-ware", "adware", "hijackers", "Dialers" and many more. This will help you avoid pop-ups, spammers and all those baddies.

What is Spy-ware?
Spy-ware is Internet jargon for Advertising Supported software (Ad-ware). It is a way for shareware authors to make money from a product, other than by selling it to the users. There are several large media companies that offer them to place banner ads in their products in exchange for a portion of the revenue from banner sales. This way, you don't have to pay for the software and the developers are still getting paid. If you find the banners annoying, there is usually an option to remove them, by paying the regular licensing fee.

Known spywares
There are thousands out there, new ones are added to the list everyday. But here are a few:
Alexa, Aureate/Radiate, BargainBuddy, ClickTillUWin, Conducent Timesink, Cydoor, Comet Cursor, Zula/KaZaa Toptext, Flashpoint/Flashtrack, Flyswat, Gator, GoHip, Hotbar, ISTbar, Lions Pride Enterprises/Blazing Logic/Trek Blue, Lop (C2Media), Mattel Brodcast, Morpheus, NewDotNet, Realplayer, Songspy, Xupiter, Web3000, WebHancer, Windows Messenger Service, DownloadAccel, Flyswat, freeNsafe, Naviant, Net Perceptions. You can get more names of spyware at GRC | OptOut.

How to check if a program has spyware?
The is this Little site that keeps a database of programs that are known to install spyware.

If you would like to block pop-ups (IE Pop-ups), there tons of different types out there, but these are the 2 best I think. Try to use Google Toolbar. This program is Freeware or you can use shareware program like AdMuncher.

If you want to remove the "spyware" use this freeware from Lavasoft, Ad-Aware. This software is a multi spyware removal utility, that scans your memory, registry and hard drives for known spyware components and lets you remove them. The included backup-manager lets you reinstall a backup, offers and multi language support. Or you can try to get Spybot-S&D that can be get for free too. This anti malware application will detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer. Blocks ActiveX downloads, tracking cookies and other threats. Over 10,000 detection files and entries, and provides detailed information about found problems.

Or you can try BPS Spyware and Adware Remover. This shareware program have Adware, spyware, trackware and big brotherware removal utility with multi-language support. It scans your memory, registry and drives for known spyware and lets you remove them. Displays a list and lets you select the items you'd like to remove.

Other shareware anti malware is Spy Sweeper v2.2. It can detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer. The best scanner out there, and updated all the time.

The favorite spyware removal utility is HijackThis. HijackThis is a tool, that lists all installed browser add-on, buttons, startup items and allows you to inspect them, and optionally remove selected items.

If you would like to prevent "spyware" being install, you can try SpywareBlaster. This program is Freeware. SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Or you can use SpywareGuard. SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected. Another freeware for this is XP-AntiSpy, a small utility to quickly disable some built-in update and authentication features in WindowsXP that may rise security or privacy concerns in some people.

If you would like more Information about "spyware", you can find at these sites:
Spychecker, Spyware Guide, Cexx and Thief Ware.

All these softwares will help remove and prevent evil spammers and spywares attacking your PC. I recommend getting "spyblaster" "s&d spybot" "spy sweeper" & "admuncher" to protect your PC. A weekly scan is also recommended.

Update: PC Media AntiVirus 1.8 (PCMAV)

noreply@blogger.com (btvideo) — Sat, 18 Oct 2008 17:09:00 +0000

As I wrote on last posts at here and here, PCMAV or PCMedia Antivirus is free antivirus software that made by Indonesian developer. PCMAV support or compatible with engine Clamav 0.93 (the new generation of antivirus clamav engine).

Now, this new version come with more power for attacking and removing the new viruses and trojans.

Download this new version at Here or Here.

Note: No need to install, just extract from archive to your harddisk.

Firewall on Your Computer

noreply@blogger.com (btvideo) — Sat, 18 Oct 2008 13:23:00 +0000

Firewalls are filters that filter any information passing from and into your computer when you are surfing the Internet. It is up to you to set a filtration level where you can say what information gets in and what gets out. Many people believe that the firewalls are the first level of security and they are not far from the truth. There are many benefits of using firewalls.

If you are using a computer at home or office, it is important to have a firewall. The thing is that most large organizations have very complex firewalls which are relatively impenetrable. These firewalls prevent employees from sending out sensitive company data through emails. They also prevent employees from accessing sites which could be harmful to the organization's network or stop the employees from being productive. In addition, firewalls prevent other computers from accessing the company's network.

The benefits of using a firewall are immense for an organization and that is why it is in such great demand. There are many different levels of configuration possible with firewalls and any organization using them would require trained IT employees to oversee and maintain them.

When we talk about computers at home, the firewall used is not as complex as that used in an organization. Here the firewall just has to protect your home PC and network from malicious software like viruses and spyware. A firewall on your home computer does not allow traffic to enter or go out other than what has been programmed. So, if a program entering your computer is infected with virus and does not conform to the preset criteria stipulated on your firewall, it will block it.

Worms that attack instant messenger

noreply@blogger.com (btvideo) — Wed, 24 Sep 2008 17:55:00 +0000

An IRC worm is usually a standalone program that uses IRC networks to spread itself. Such worm either tries to spread itself by establishing connection to an IRC server or it can drop specific scripts to an IRC client directory. The most affected IRC client is mIRC.

Usually an IRC worm replaces some INI files in mIRC directory with its own scripts and when a user connects to an IRC server and joins any channel, these scripts instruct a client to send a worm's executable file to everyone in that channel. Some IRC worms have backdoor and trojan capabilities.

Instant messaging attacks originated in the abuse of the mIRC /DCC Send command. This command can be used to send a file to users connected to a particular discussion channel. Normally, attackers modify a local script file, such as script.ini used by mIRC to instruct the instant messaging client to send a file to a recipient any time a new participant joins a discussion.

Modern implementations of IRC (Internet Relay Chat) worms can connect dynamically to an IRC client and send messages that trick the recipient into executing a link or an attachment. In this way, the attacker can avoid modifying any local files.

For example, the W32/Choke worm uses the MSN Messenger API to send itself to other instant messaging participants as a "shooter game"27. Although several instant messenger software programs require the user to click a button to send a file, worms can enumerate the dialog boxes and "click" the button, so the actual user does not have to click. It is also expected that computer worms will exploit buffer overflow vulnerabilities in instant messenger software. For example, certain versions of AOL Instant Messenger software allow remote execution of arbitrary code via a long argument in a game request function

PCMedia Antivirus 1.7 Update

noreply@blogger.com (btvideo) — Tue, 16 Sep 2008 10:23:00 +0000

Whats changed and added:

Added, 118 new viruses/variant scanner and cleaner.
Fixed, error of rotine buffering when scanning file.
Added, special cleaner for virus VBScript FourTwoOne.vbs.
Added, special cleaner for virus Windx-Maxtrox that infects EXE file.
Added, special cleaner for virus Microso that injects DLL file.
Fixed, false alarm heuristik of any program/script.
Updated, name of some virus according new variants found.
Fixed of some minor bugs improvisation internal code of PCMAV Cleaner & PCMAV RealTime Protector.

Download this new PCMAV at Here or Here.

PCMAV, Free Antivirus from Indonesia

noreply@blogger.com (btvideo) — Wed, 10 Sep 2008 20:43:00 +0000

PCMAV or PCMedia Antivirus now support or compatible with engine Clamav 0.93 (the new generation of antivirus clamav engine). With this engine, Antivirus PCMAV 1.6 capable to scan 3 times more faster than before. Feel the different. PCMAV 1.4 can integrated as usual with engine Clamav 0.93 if your Window OS supported library MSVCRT80 (Microsoft.VC80.CRT.manifest, msvcm80.dll, msvcp80.dll, and msvcr80.dll).

And now, PCMAV RTP (Real Time Protection) works more accurate to block any virus from vbscript type. Included in memory: Special virus cleaner added for virus Revublik.vbs and more improvisation...

Whats changed and added on new version of PCMAV is 1.6 that released on this month:

79 virus cleaner added on local/international/new variant virus in Indonesia. Total 2064 virus.
Bug fixed on engine heuristic.
Wrong detection in several application has been fixed by USB Disk filtering as Virus Suspected.
Bug on engine GetUpdates fixed.
False alarm fixed on several program or script.
Improvisation, engine heuristic for Virus Suspected (RD). Now more accurate.
Improvisation, user-interface from USB Disk Filtering.

You can download PCMAV 1.6 for free at Here or Here.

Virus W32/Alman and its removal

noreply@blogger.com (btvideo) — Wed, 10 Sep 2008 19:51:00 +0000

Beware of new virus W32/Alman. This malware kind virus is not easy to remove or destroy. This virus, size 40kb, run as windows services and run on windows startup too. The virus infects all write accessible Windows executable files (PE-EXE) on all disks on the victim computer and in accessible network folders once it active.

AVG Antivirus can not heal this virus, but Grisoft has released the virus removal application for clean it. The removal has 2 files, rmalman.exe and rmalman.nt, so download these files and save to one folder. You can run rmalman.exe to scan and clean W32/Alman virus.

Malwarebytes' Anti-Malware 1.27

noreply@blogger.com (btvideo) — Tue, 09 Sep 2008 21:08:00 +0000

Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.

Malwarebytes' Anti-Malware monitors every process and stops malicious processes before they even start. The Realtime Protection Module uses our advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, we have implemented a threats center which will allow you to keep up to date with the latest malware threats.

Malwarebytes' Anti-Malware is considered to be the next step in the detection and removal of malware. We compiled a number of new technologies that are designed to quickly detect, destroy, and prevent malware. Malwarebytes' Anti-Malware can detect and remove malware that even the most well-known Anti-Virus and Anti-Malware applications on the market today cannot.

Key Features:

Support for Windows 2000, XP, and Vista.
Light speed quick scanning.
Ability to perform full scans for all drives.
Malwarebytes' Anti-Malware Protection Module. (requires registration)
Database updates released daily.
Quarantine to hold threats and restore them at your convenience.
Ignore list for both the scanner and Protection Module.
Settings to enhance your Malwarebytes' Anti-Malware performance.
A small list of extra utilities to help remove malware manually.
Multi-lingual support.
Works together with other anti-malware utilities.
Command line support for quick scanning.
Context menu integration to scan files on demand.

More info about this product can be reached at its site.

Anti-Trojan Elite 4.1.5

noreply@blogger.com (btvideo) — Tue, 09 Sep 2008 20:59:00 +0000

Anti-Trojan Elite™ (ATE) is a malware remover, it can detect and clean malware in disk or memory. Malware is software designed specifically to damage or disrupt a system, such as a trojan horse, a spyware or a keylogger. ATE contains a Real-Time File Firewall, it monitor system and clean malwares immediately. It is also a system security tools, you can view and control processes and TCP/IP network connections.

Anti Trojan Elite provide a real-time malware firewall for user, once a trojan or keylogger would been loaded, the ATE can detect, block and then clean it in time. The ATE can detect more than 35000 trojans, worms and keyloggers currently, and the number of malware ATE could clean is growing up very quickly, we collect world-wide malwares, user can using our auto live update feature to get the power to clean these new malwares in time.

Anti Trojan Elite has some useful utilities especially. The network utility can been used to disconnect suspicious TCP connections; The process utility can been used to kill suspicious processes even the process has the system privilege, even it has the ability to unload suspicious modules in all processes; The registry repair utility can been used to repair registry altered by malware; The registry monitor utility can been used to repair any change of important registry keys and values with real time.

The Reasons Choose Anti-Trojan Elite™:

Real-time malware firewall, protecting user's computer in real-time.
Detecting and cleaning binded malware, doesn't hurt normal file and clean the malware.
Detecting and cleaning no process malware, some malware don't have a EXE file, they are only some DLL files and running as some threads in other process, ATE can detect and clean this type of malware even it's running.
Free tools. View the information of Tcp/Ip states and processes informations.

More Features:

Disk and memory scan supported.
Real-time malware firewall.
Compressed files (RAR ZIP CAB) scan supported.
Backup module: Backup trojan files before killing.
Network Manager. View the tcp/udp states and the processes they belonged to. User can disconnect any tcp connection and stop the opposite process.
Process manager. View the processes and its DLL modules' information. User can terminate any process and unload any DLL module.
Internet Explorer and registry repair utility.
Updating online supported, and auto check updates when ATE starts.
Real-time registry monitor utility.

Anti-Trojan Elite™ works best on Microsoft Windows 98, ME, 2000, XP, 2003 and VISTA.
More info about Anti-Trojan Elite™ can be reached at Here.

The Difference of Virus, Worm and Trojan

noreply@blogger.com (btvideo) — Tue, 09 Sep 2008 19:56:00 +0000

Viruses, worms and Trojan Horses are all malicious programs that can cause damage to your computer, but there are differences among the three, and knowing those differences can help you to better protect your computer from their often damaging effects.

A computer virus attaches itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Much like human viruses, computer viruses can range in severity: Some viruses cause only mildly annoying effects while others can damage your hardware, software or files. Almost all viruses are attached to an executable file, which means the virus may exist on your computer but it cannot infect your computer unless you run or open the malicious program. It is important to note that a virus cannot be spread without a human action, (such as running an infected program) to keep it going. People continue the spread of a computer virus, mostly unknowingly, by sharing infecting files or sending e-mails with viruses as attachments in the e-mail.

A worm is similar to a virus by its design, and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, it has the capability to travel without any help from a person. A worm takes advantage of file or information transport features on your system, which allows it to travel unaided. The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself out to everyone listed in each of the receiver's address book, and the manifest continues on down the line. Due to the copying nature of a worm and its capability to travel across networks the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing Web servers, network servers and individual computers to stop responding. In more recent worm attacks such as the much-talked-about .Blaster Worm., the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate.

Added into the mix, we also have what is called a blended threat. A blended threat is a sophisticated attack that bundles some of the worst aspects of viruses, worms, Trojan horses and malicious code into one threat. Blended threats use server and Internet vulnerabilities to initiate, transmit and spread an attack. This combination of method and techniques means blended threats can spread quickly and cause widespread damage. Characteristics of blended threats include: causes harm, propagates by multiple methods, attacks from multiple points and exploits vulnerabilities.

To be considered a blended thread, the attack would normally serve to transport multiple attacks in one payload. For examplem it wouldn't just launch a DoS attack — it would also install a backdoor and damage a local system in one shot. Additionally, blended threats are designed to use multiple modes of transport. For example, a worm may travel through e-mail, but a single blended threat could use multiple routes such as e-mail, IRC and file-sharing sharing networks. The actual attack itself is also not limited to a specific act. For example, rather than a specific attack on predetermined .exe files, a blended thread could modify exe files, HTML files and registry keys at the same time — basically it can cause damage within several areas of your network at one time.

Blended threats are considered to be the worst risk to security since the inception of viruses, as most blended threats require no human intervention to propagate.

Most Methods of Virus Code

noreply@blogger.com (btvideo) — Tue, 09 Sep 2008 19:34:00 +0000

A virus needs to infect hosts in order to spread further. In some cases, it might be a bad idea to infect a host program. For example, many anti-virus programs perform an integrity check of their own code. Infecting such programs will therefore increase the likelihood that the virus is detected. For this reason, some viruses are programmed not to infect programs that are known to be part of anti-virus software. Another type of host that viruses sometimes avoid is bait files. Bait files (or goat files) are files that are specially created by anti-virus software, or by anti-virus professionals themselves, to be infected by a virus. These files can be created for various reasons, all of which are related to the detection of the virus:

Anti-virus professionals can use bait files to take a sample of a virus (i.e. a copy of a program file that is infected by the virus). It is more practical to store and exchange a small, infected bait file, than to exchange a large application program that has been infected by the virus.

Anti-virus professionals can use bait files to study the behavior of a virus and evaluate detection methods. This is especially useful when the virus is polymorphic. In this case, the virus can be made to infect a large number of bait files. The infected files can be used to test whether a virus scanner detects all versions of the virus.

Some anti-virus software employs bait files that are accessed regularly. When these files are modified, the anti-virus software warns the user that a virus is probably active on the system.

Since bait files are used to detect the virus, or to make detection possible, a virus can benefit from not infecting them. Viruses typically do this by avoiding suspicious programs, such as small program files or programs that contain certain patterns of 'garbage instructions'.

A related strategy to make baiting difficult is sparse infection. Sometimes, sparse infectors do not infect a host file that would be a suitable candidate for infection in other circumstances. For example, a virus can decide on a random basis whether to infect a file or not, or a virus can only infect host files on particular days of the week.

Stealth
Some viruses try to trick anti-virus software by intercepting its requests to the operating system. A virus can hide itself by intercepting the anti-virus software’s request to read the file and passing the request to the virus, instead of the OS. The virus can then return an uninfected version of the file to the anti-virus software, so that it seems that the file is "clean". Modern anti-virus software employs various techniques to counter stealth mechanisms of viruses. The only completely reliable method to avoid stealth is to boot from a medium that is known to be clean.

Self-modification
Most modern antivirus programs try to find virus-patterns inside ordinary programs by scanning them for so-called virus signatures. A signature is a characteristic byte-pattern that is part of a certain virus or family of viruses. If a virus scanner finds such a pattern in a file, it notifies the user that the file is infected. The user can then delete, or (in some cases) "clean" or "heal" the infected file. Some viruses employ techniques that make detection by means of signatures difficult but probably not impossible. These viruses modify their code on each infection. That is, each infected file contains a different variant of the virus.

Encryption with a variable key
A more advanced method is the use of simple encryption to encipher the virus. In this case, the virus consists of a small decrypting module and an encrypted copy of the virus code. If the virus is encrypted with a different key for each infected file, the only part of the virus that remains constant is the decrypting module, which would (for example) be appended to the end. In this case, a virus scanner cannot directly detect the virus using signatures, but it can still detect the decrypting module, which still makes indirect detection of the virus possible. Since these would be symmetric keys, stored on the infected host, it is in fact entirely possible to decrypt the final virus, but that probably isn't required, since self-modifying code is such a rarity that it may be reason for virus scanners to at least flag the file as suspicious.

An old, but compact, encryption involves XORing each byte in a virus with a constant, so that the exclusive-or operation had only to be repeated for decryption. It is suspicious code that modifies itself, so the code to do the encryption/decryption may be part of the signature in many virus definitions.

Polymorphic code
Polymorphic code was the first technique that posed a serious threat to virus scanners. Just like regular encrypted viruses, a polymorphic virus infects files with an encrypted copy of itself, which is decoded by a decryption module. In the case of polymorphic viruses however, this decryption module is also modified on each infection. A well-written polymorphic virus therefore has no parts which remain identical between infections, making it very difficult to detect directly using signatures. Anti-virus software can detect it by decrypting the viruses using an emulator, or by statistical pattern analysis of the encrypted virus body. To enable polymorphic code, the virus has to have a polymorphic engine (also called mutating engine or mutation engine) somewhere in its encrypted body.

Some viruses employ polymorphic code in a way that constrains the mutation rate of the virus significantly. For example, a virus can be programmed to mutate only slightly over time, or it can be programmed to refrain from mutating when it infects a file on a computer that already contains copies of the virus. The advantage of using such slow polymorphic code is that it makes it more difficult for anti-virus professionals to obtain representative samples of the virus, because bait files that are infected in one run will typically contain identical or similar samples of the virus. This will make it more likely that the detection by the virus scanner will be unreliable, and that some instances of the virus may be able to avoid detection.

Metamorphic code
To avoid being detected by emulation, some viruses rewrite themselves completely each time they are to infect new executables. Viruses that use this technique are said to be metamorphic. To enable metamorphism, a metamorphic engine is needed. A metamorphic virus is usually very large and complex. For example, W32/Simile consisted of over 14000 lines of Assembly language code, 90% of which is part of the metamorphic engine.

Computer Virus Definition

noreply@blogger.com (btvideo) — Tue, 09 Sep 2008 19:04:00 +0000

A computer virus is a program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. All computer viruses are man made. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.

Since 1987, when a virus infected ARPANET, a large network used by the Defense Department and many universities, many antivirus programs have become available. These programs periodically check your computer system for the best-known types of viruses.

Some people distinguish between general viruses and worms. A worm is a special type of virus that can replicate itself and use memory, but cannot attach itself to other programs.

In order to replicate itself, a virus must be permitted to execute code and write to memory. For this reason, many viruses attach themselves to executable files that may be part of legitimate programs. If a user tries to start an infected program, the virus' code may be executed first. Viruses can be divided into two types, on the basis of their behavior when they are executed.

Nonresident viruses immediately search for other hosts that can be infected, infect these targets, and finally transfer control to the application program they infected. Resident viruses do not search for hosts when they are started. Instead, a resident virus loads itself into memory on execution and transfers control to the host program. The virus stays active in the background and infects new hosts when those files are accessed by other programs or the operating system itself.