Friday, October 12, 2007

WebSpyShield - Be careful!



WebSpyShield is a new rogue antispyware on the block.

hxxp://www.webspyshield.com/

It changes the homepage, adds startup entries and more. As of now, detections are still not very good and Google search results are not much help either. So please be careful, everyone.

Imgkulot infection.

I've seen a lot of removal techniques posted on the internet for this infection, and most of the victims came away unsatisfied because they involve manual editing of a very, very crucial registry key: Userinit.

In these instructions, the file deletions are manual but the registry fix is automated. That way, errors are minimized and the success rate is higher.

How to remove Imgkulot:

Note: Be sure to insert your flash drives before we begin!

Configure your machine to view hidden files:

Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
 
Open My Computer and open your flash drive (e.g. E:\). Once it is open, search for autorun.inf and any imgkulot.* files, then delete all of them.

* = any extension

After that,

Click Start > Search > Click "All Files and Folders".

Under "Look in:", make sure it is set to "My Computer".

Under "Advanced Options", make sure the following are checked:
*Search System Folders.
*Search Hidden Files And Folders.
*Search Subfolders.
Then, in the search box, copy and paste each of these:

imgkulot.*

autorun.inf

Click Search after you paste each of them. After that, delete all instances of those files.

Empty your Recycle Bin.
______

Open notepad.
Copy and paste the registry text below into Notepad.
Choose File > Save As and under "Save as type", choose "All Files".
Type fix.reg in the File name and save it to your desktop.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
;

Make sure there are NO blank lines before the first line of the file (Windows Registry Editor Version 5.00).
Find the fix.reg file on your desktop.
Double click it.
It will then ask if you want the file merged into your registry.
Answer Yes.

Reboot.

Hope this helps.

Should the problems persist, use the malware removal forums links on the right side for help.

Flashdrive infections

As I live in the Southeast Asia region, I notice that there are thousands of variants of flash drive infections.

In a nutshell, these infections spread through flash drives, iPods, external hard drives, digicams, etc. Basically, any removable drive can get infected.

Once an infected flash drive is inserted into the PC's USB port, the PC itself is immediately infected, and any other removable drive inserted into the infected machine becomes infected too. That's what is so annoying about these: when you disinfect, you need to disinfect both at the same time or you risk re-infection. Moreover, most of these flash drive infections add restrictive policies such as disabling the registry editor, disabling Folder Options and more.

One sign that the machine is infected is that when a user double-clicks the removable drive in Windows Explorer, error messages such as "Can't find ??.vbs" or "G:\ is not accessible" appear. The presence of a file called autorun.inf in the root directory of every partition on the system also shows that the machine is infected.

How do you clean the infection, or at least add preventive measures to your machine?

Well, a known security expert built a tool that cleans some variants, or at least adds preventive measures so the machine doesn't get infected when an infected flash drive is inserted.

The following tool cleans some of these flash drive infection variants and adds a policy to the system: the NoDriveTypeAutoRun policy, which stops the machine from autoplaying inserted removable drives. Therefore, with autoplay disabled, infection is not possible. It also fixes some "bad" policies that are added by some flash drive infections.

At the end of the run, you may also notice autorun.inf folders in the root of your partitions. These are there to prevent future flash drive infections on that machine.
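The two indicators this post relies on, an autorun.inf that launches a file from the drive and a Winlogon Userinit value carrying more than userinit.exe, can be checked from a script. The example below is added here and is not part of the original post or of Flash_Disinfector; the autorun.inf contents and the hijacked Userinit value are constructed samples, and the imgkulot.exe path in them is a placeholder.

```python
"""Audit helpers for autorun.inf launch entries and the Winlogon Userinit value.
Added example, not from the original post; all sample data is constructed."""
import ntpath

# [autorun] keys that make Windows run a program on insertion or double-click.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
# The clean Windows XP value, as written by the post's fix.reg (trailing comma dropped).
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe"


def autorun_launch_targets(text: str) -> list[str]:
    """Return every program an autorun.inf would launch; an empty list means benign.
    Parsed by hand rather than with configparser because infected files often carry
    junk lines without '=' to confuse scanners, and those must not abort the scan."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # junk or lines outside [autorun] are ignored
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in LAUNCH_KEYS and value:
            targets.append(value)
    return targets


def userinit_extra_entries(value: str) -> list[str]:
    """Return Userinit entries other than the legitimate userinit.exe.
    Windows runs every comma-separated program in this value at logon, so a hijack
    shows up as an extra path; the clean value has exactly one entry."""
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    clean = ntpath.normcase(CLEAN_USERINIT)  # case- and slash-insensitive compare
    return [e for e in entries if ntpath.normcase(e) != clean]


# Constructed samples (not captured from real malware).
INFECTED_AUTORUN = """[AutoRun]
open=imgkulot.exe
shell\\open\\Command=imgkulot.exe
junk line without a delimiter
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
CLEAN_AUTORUN = "[autorun]\nicon=setup.ico\nlabel=Photos\n"
HIJACKED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\imgkulot.exe,"

if __name__ == "__main__":
    print("autorun launches:", autorun_launch_targets(INFECTED_AUTORUN))
    print("extra Userinit entries:", userinit_extra_entries(HIJACKED_USERINIT))
```

Run the Userinit check against the value read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon before applying fix.reg to confirm the key was actually tampered with.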

Tool: Flash_Disinfector