Specific Spyware / Virus Removal Tools
Utilities
Some malware, rootkits and viruses infect system files and cause complex infections. Max Secure Software has developed specific tools to help you remove such Trojans and viruses. Please read the descriptions and apply the tools as necessary.
- 1. Fix for Malware that hides desktop shortcut icons - 08 January 2012
The malware moves the icons to the Local Settings\Temp directory of the infected user account. The folder name is smtmp. First run the unhide folder tool from Start > Programs > Max Secure Anti Virus > Tools > Max Unhide Folder.
Now download, extract and double-click this file: Restore Hidden shortcuts
The malware hides files and moves the desktop shortcuts and Programs Start Menu shortcuts into the folder %temp%\smtmp, where it creates 4 subdirectories:
%Temp%\smtmp\1\ => All Users Start Menu
%Temp%\smtmp\2\ => All Users Quick Launch
%Temp%\smtmp\3\ => Quick Launch\User Pinned\TaskBar
%Temp%\smtmp\4\ => All Users Desktop
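A dry-run planner for putting the moved shortcuts back, added here as an example; it is not the vendor's Restore Hidden shortcuts tool. The subfolder numbers come from the list above, while the destination paths in DEFAULT_DESTINATIONS are assumed Windows Vista/7 locations and the function names are hypothetical.

```python
import os
import shutil
from pathlib import Path

# Keys are the smtmp subfolders listed on the page. The destinations are
# ASSUMED Windows Vista/7 default locations; confirm them on the target host.
DEFAULT_DESTINATIONS = {
    "1": r"%ProgramData%\Microsoft\Windows\Start Menu",
    "2": r"%APPDATA%\Microsoft\Internet Explorer\Quick Launch",
    "3": r"%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar",
    "4": r"%PUBLIC%\Desktop",
}


def plan_restore(smtmp_dir, destinations):
    """List (source, target, action) for each file in the numbered subfolders; moves nothing."""
    plan = []
    for sub in sorted(destinations):
        src_root = Path(smtmp_dir) / sub
        if not src_root.is_dir():
            continue
        dest_root = Path(destinations[sub])
        for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
            # Keep the relative layout below the numbered subfolder.
            target = dest_root / src.relative_to(src_root)
            # Never overwrite: a shortcut recreated since the infection wins.
            action = "skip-exists" if target.exists() else "move"
            plan.append((src, target, action))
    return plan


def apply_plan(plan):
    """Carry out the 'move' entries of a reviewed plan; return how many files moved."""
    moved = 0
    for src, target, action in plan:
        if action == "move":
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(target))
            moved += 1
    return moved


if __name__ == "__main__":
    # On Windows, os.path.expandvars resolves the %VAR% placeholders.
    dests = {k: os.path.expandvars(v) for k, v in DEFAULT_DESTINATIONS.items()}
    smtmp = Path(os.path.expandvars(r"%TEMP%\smtmp"))
    for src, target, action in plan_restore(smtmp, dests):
        print(f"{action:12} {src} -> {target}")
```

Review the printed plan before calling apply_plan; files marked skip-exists stay in smtmp for manual comparison.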
- 2. Harry Potter, Gphone and Exe with folder Icon/shortcuts Trojan Removal Tool - 06 August 2011
This Trojan is a nuisance: it creates exe files all over your PC that look like folders but are executable files. Once the Trojan is active on your PC, any folder that you create or access gets a Trojan exe either inside the folder or at the same directory level as the folder. In some cases we have seen the Trojan create only shortcut links on the desktop.
You will definitely find GPhone.exe somewhere on your PC; the Trojan changes the location of that exe. It could be on your desktop, in C:, in system32 or anywhere else. You may also find a shortcut on your desktop named desktop.exe. This malware does nothing except propagate itself.
The malware checks whether the date is
April 1; if so, it runs the file %temp%\v.doc,
using the following command three times:
• notepad.exe /p %temp%\v.doc
The malware then takes a number of actions
involving:
• All found drives
• Folders under that drive
• %MyDocuments%
• Folders under %MyDocuments%
• %MyNetworkPlaces% shares
• Folders under %MyNetworkPlaces% shares
First, it drops the following files to these
locations:
• thumb.db
• autorun.inf
• Microsoft.lnk
The shortcut file link text is named after the
folder name.
If the date is April 1, it also drops:
• A copy of %temp%\v.doc
• Baca AQ.rtf
• My name is Yuyun.rtf
It may also create one of the following shortcut files, linking to "[drive]:\thumb.db", in these locations:
• New Harry Potter and....lnk
• New Folder.lnk
• SuratQ.lnk
• Rahasia.lnk
• Game.lnk
• Zvnita.lnkv
• Download.lnk
• DataQ.lnk
Run this tool to clean this Trojan and all instances and exes it created on the file system.
1) Download the MaxTrojanScanner.exe
2) Execute the file MaxTrojanScanner.exe
- 4. Max Khatra Virus Cleaner
Tool to clean the Khatra virus from memory and files. If your PC is infected with this virus, you cannot install any antivirus or update. You will see that it creates .exe folders inside each folder.
1) Download the MaxKhatraClnr.exe
2) Execute the file MaxKhatraClnr.exe
Features of Max Khatra Cleaner:
• It suspends the handles of all malicious Khatra files running in memory.
• It stops all unwanted processes and prevents the virus from spreading while cleaning.
• You need to run Max Spyware Detector to remove this virus completely.
Khatra Virus Summary:
• The problem with the Khatra virus, or ghost.exe virus, is that it creates multiple copies of the EXE Trojan inside every folder, using the folder's name itself. These infected applications can be mistaken for folders because they look the same, and a user might double-click them, executing the virus again. It's a smart virus, and starts by disabling Regedit, msconfig and, in some cases, Control Panel as well as your Folder Options.
The virus has some symptoms: whenever you open a browser and search for "remove khatra.exe", the browser closes automatically. You also cannot delete khatra.exe, gHost.exe or Xplorer.exe, which are created by the same virus, because these processes keep running. It also disables the security option in Windows Vista, and Control Panel remains inaccessible. It tries to hack Outlook Express to harvest email addresses and attaches itself to your mails.
Procedure to remove the Khatra.exe virus manually (for those who would rather not use the tool and do it manually):
1) Go to Task Manager and select regsvr.exe (if found), gHost.exe, khatra.exe and Xplorer.exe; right-click and select End Process Tree. Press WIN+R or Start > Run.
2) Type cmd and hit Enter.
3) Go to the drive where your OS is installed.
4) In the command prompt make sure the command line reads c:\ or d:\ (this can be achieved with the command "cd .." without quotes).
5) Type attrib -s -h -r khatra.exe
Repeat the same process for the location c:\windows\system32
6) Type del khatra.exe
7) Follow the same process for gHost.exe and Xplorer.exe, as they are also part of the virus.
To make sure that the virus is out of your PC, check your registry:
1) Press WIN+R and type regedit
2) Press Ctrl+F and search, one by one, for the names of the 3 processes, i.e. khatra, gHost, Xplorer
3) Search the entire registry and keep deleting the values you find.
Important Note: After completion of Khatra Virus Cleaner scanning, scan your PC with updated Max Spyware Detector with Rootkit and Deep scan option.
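Both the folder-icon Trojan in item 2 and Khatra leave the same trace: one executable copied under many folder names. The scanner below is an added example, not part of Max Secure's tools; it lists .exe files named after their own or a neighbouring folder and keeps only those whose identical content appears in several folders. The function names and the min_folders threshold are assumptions of this example.

```python
import hashlib
import os
from collections import defaultdict
from pathlib import Path

# File names this page attributes to the Trojans (compared in lower case).
KNOWN_NAMES = {"gphone.exe", "khatra.exe", "ghost.exe", "xplorer.exe"}


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_replicated_lookalikes(root, min_folders=2):
    """Return {sha256: [paths]} of look-alike .exe files with identical content
    found in at least min_folders different folders under root."""
    by_hash = defaultdict(list)
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # An .exe counts as a look-alike when it is named after the folder it
        # sits in or after a folder on the same level.
        folder_names = {d.lower() for d in dirnames} | {here.name.lower()}
        for name in filenames:
            stem, ext = os.path.splitext(name.lower())
            if ext != ".exe":
                continue
            if stem in folder_names or name.lower() in KNOWN_NAMES:
                path = here / name
                try:
                    by_hash[sha256_of(path)].append(path)
                except OSError:
                    continue  # unreadable or locked file: skip, do not abort
    # "Program\Program.exe" is common in legitimate installs, so one match
    # proves nothing; the same bytes under many folder names is the pattern.
    return {h: sorted(paths) for h, paths in by_hash.items()
            if len({p.parent for p in paths}) >= min_folders}
```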
- 5. Max Nimnul Virus Cleaner
Tool to clean Virus Nimnul.A / Ramnit infection from memory and files
1) Download the MaxNimnulClnr.exe
2) Execute the file MaxNimnulClnr.exe
Features of Nimnul Cleaner:
• It closes the handles of all malicious files running in memory.
• It stops all unwanted processes and prevents the virus from spreading while cleaning.
• It cleans Nimnul-infected PE files and DLL files.
Nimnul Virus Summary:
• It infects PE, dll and .html files and spreads to removable drives.
• It drops two files, or possibly one:
C:\Program Files\Microsoft\WaterMark.exe
C:\Program Files\Microsoft\DesktopLayer.exe
• It also creates a randomly named folder in the Program Files folder and drops one file there. The name of this file is random.
• It infects html files. In this type of infection it drops Svchost.exe in the Windows directory.
• It opens a handle to one of the above-mentioned files in the Svchost.exe process.
• It adds these file names to the following key in the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Value Name: Userinit
Value Data: C:\WINDOWS\system32\userinit.exe,C:\Program Files\Microsoft\WaterMark.exe,C:\Program Files\Microsoft\DesktopLayer.exe,C:\Program Files\Random name\Random name.exe
Important Note: After completion of Nimnul Cleaner scanning, scan your PC with updated Max Spyware Detector with Rootkit and Deep scan option.
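A check of the Winlogon Userinit value described above, added here as an example and not taken from MaxNimnulClnr. It splits the value on commas and reports every entry other than the stock userinit.exe; the function names and the system_root default are assumptions of this example.

```python
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# File names the page lists for Nimnul/Ramnit (lower case for comparison).
NIMNUL_NAMES = {"watermark.exe", "desktoplayer.exe"}


def audit_userinit(value_data, system_root=r"C:\Windows"):
    """Return [(entry, reason)] for every Userinit entry that is not the stock
    userinit.exe in system32. An empty list means the value is clean."""
    stock = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    findings = []
    for raw in value_data.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a comma, leaving an empty item
        norm = ntpath.normcase(ntpath.normpath(entry))
        if norm == stock:
            continue
        if ntpath.basename(norm) in NIMNUL_NAMES:
            reason = "file name listed for Nimnul on this page"
        elif ntpath.basename(norm) == "userinit.exe":
            reason = "userinit.exe outside system32"
        else:
            reason = "extra program launched at logon"
        findings.append((entry, reason))
    return findings


def read_userinit():
    """Read the live value from the registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


# Value data as shown on the page; "Random name" is the page's own placeholder.
PAGE_SAMPLE = (r"C:\WINDOWS\system32\userinit.exe,"
               r"C:\Program Files\Microsoft\WaterMark.exe,"
               r"C:\Program Files\Microsoft\DesktopLayer.exe,"
               r"C:\Program Files\Random name\Random name.exe")

if __name__ == "__main__":
    for entry, reason in audit_userinit(PAGE_SAMPLE):
        print(f"{reason}: {entry}")
```

On a live Windows host, pass read_userinit() to audit_userinit instead of PAGE_SAMPLE.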
- 6. Net Icon Fix ... 28 July
We have noticed that some malware will remove your network icon and will not allow you to reinstate it. Download and run this file to fix the network icon in system tray issue.
- 7. Maxnetcfg (NDISV VAN Driver trojan)
Tool to uninstall the Virtual Network Adapter (added by the virus). If you lose internet connectivity after virus removal, try this tool:
1) Download the Maxnetcfg
2) Execute the file maxnetcfg.exe. It will create a MaxNetCfg.log file in the same folder from which maxnetcfg.exe is executed.
3) If you find any driver file (.sys) below the "Files not found" section (at the end of the log file), use the name after the .sys to uninstall the virtual adapter added by the virus.
Example:
Files not found:
------------------------------------------------------------
C:\WINDOWS\system32\drivers\ndisvvan.sys - ms_passthru
Uninstall command:
maxnetcfg.exe -u ms_passthru
Help command:
maxnetcfg.exe -h
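Step 3 can be scripted. The parser below is an added example, not part of maxnetcfg; it assumes every entry in the "Files not found" section has the shape shown in the excerpt above and turns each one into an argument list for the -u option. The function names are hypothetical, and the second log entry is made up.

```python
import re

# Shape taken from the page's log excerpt: "<path to .sys> - <component name>".
ENTRY = re.compile(r"^(?P<driver>.+\.sys)\s+-\s+(?P<component>\S+)\s*$", re.IGNORECASE)
# Only plain identifiers may reach a command line built from log contents.
SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9_]+$")


def missing_driver_components(log_text):
    """Return [(driver_path, component)] from the "Files not found" section."""
    results, in_section = [], False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("files not found"):
            in_section = True
            continue
        # Skip everything before the section, blank lines and the dashed rule.
        if not in_section or not stripped or set(stripped) == {"-"}:
            continue
        match = ENTRY.match(stripped)
        if match is None:
            break  # the first line that is not an entry ends the section
        results.append((match["driver"], match["component"]))
    return results


def uninstall_commands(log_text):
    """Build argv lists for 'maxnetcfg.exe -u <component>', rejecting odd names."""
    commands = []
    for _driver, component in missing_driver_components(log_text):
        if SAFE_COMPONENT.match(component):
            commands.append(["maxnetcfg.exe", "-u", component])
    return commands


# Constructed sample: the header, rule and first entry follow the page's
# excerpt; the second entry is made up to show a rejected component name.
SAMPLE_LOG = """\
Files not found:
------------------------------------------------------------
C:\\WINDOWS\\system32\\drivers\\ndisvvan.sys - ms_passthru
C:\\WINDOWS\\system32\\drivers\\example.sys - bad&name
"""

if __name__ == "__main__":
    for argv in uninstall_commands(SAMPLE_LOG):
        print(" ".join(argv))
```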
- 8. Max Sality cleaner
Tool to clean all infections of Sality and Virut
1) Download the Maxsalcln
2) Execute the file Maxsalcln.exe
- 9. DirMon32
Tool to block file creation, for cases where spyware creates lots of folders and files in every folder on your PC.
1) Download the DirMon32
2) Execute the file DirMon32.exe
3) See readme.txt for full instructions.
Please Note:
1) readme.txt is present in the install folder (C:\DirMon32).
2) Administrator rights are required to run this tool on Windows Vista and later versions; right-click and run as admin.
- 10. Max Boot Virus Scanner
Boot Virus Scanner tool, for use if the boot sector of your hard disk is infected
1) Download the MaxBootVirusScanner
2) Execute the file MaxBootVirusScanner.exe
3) Click on the Scan button to scan for boot viruses.
4) Follow the instructions to remove the virus if found.
5) Click on the Cancel button to exit the tool if no virus is found.
Please Note: Administrator rights are required to run this tool on Windows Vista and later versions.
- 11. Max Kido Virus Fix
Disinfection from the Kido virus (aka Conficker, Downadup)
1) Download the MaxKidoFix
2) Extract it into a folder on the infected (or potentially infected) PC.
3) Execute the file MaxKidoFix.exe
4) Wait for the scan and disinfection process to finish. Infections found will be shown on screen. You may have to reboot the PC to complete disinfection.
Please Note: Administrator rights are required to run this tool on Windows Vista and later versions.
This virus is able to spread copies of
itself over a network using three different
methods: file sharing, exploitation of a vulnerability
and exploitation of Windows Autorun. In addition
to attempting to connect to remote sites, it
uses stealth techniques to hide its actions,
and makes a number of changes to the Windows
Registry.
It creates files autorun.inf and RECYCLED\{SID<....>}\RANDOM_NAME.vmx
on removable drives (sometimes on public network
shares). It stores itself in the system as a
DLL file with a random name, for example, Upon
execution, Downadup creates copies of itself
in:
• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp
It registers itself in system services with a random name, for example, knqdgsm.
It tries to attack network computers via TCP port 445 or 139, using the MS Windows vulnerability MS08-067.
It tries to access the following websites in
order to learn the external IP address of the
infected computer (we recommend configuring
a network firewall rule to monitor connection
attempts to these websites):
http://www.getmyip.org
http://getmyip.co.uk
http://www.whatsmyipaddress.com
http://www.whatismyip.org
http://checkip.dyndns.org
The worm then attaches itself to the following processes:
• svchost.exe
• explorer.exe
• services.exe
The worm disables a number of system features,
in order to facilitate its activities. It disables
the following Windows services:
• Windows Automatic Update Service (wuauserv)
• Background Intelligent Transfer Service
(BITS)
• Windows Security Center Service (wscsvc)
• Windows Defender Service (WinDefend)
• Windows Error Reporting Service (ERSvc)
• Windows Error Reporting Service (WerSvc)
In addition to disabling these services, it
checks to see whether it is running on a Windows
Vista machine; if so, it also runs the following
command to disable Windows Vista TCP/IP auto-tuning:
• netsh interface tcp set global autotuning=disabled
The worm also hooks the following APIs in order to block access when the user attempts to access a long list of domains:
• DNS_Query_A
• DNS_Query_UTF8
• DNS_Query_W
• Query_Main
• sendto
It also blocks access to primarily security-related domains.
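A check of one drive for the removable-media files described above (autorun.inf plus a .vmx under RECYCLED\{SID...}), added here as an example and not part of MaxKidoFix. It assumes autorun.inf mentions the .vmx file by name; the function name, the verdict strings and the RECYCLER alternative are assumptions of this example.

```python
from pathlib import Path

# The page names RECYCLED; RECYCLER is the same folder's name on NTFS volumes
# (included here as an assumption about which drives get checked).
BIN_NAMES = {"recycled", "recycler"}


def kido_drive_artifacts(drive_root):
    """Look for autorun.inf and a .vmx file two levels below the recycle folder."""
    root = Path(drive_root)
    autorun, vmx_files = None, []
    for entry in root.iterdir():
        name = entry.name.lower()
        if name == "autorun.inf" and entry.is_file():
            autorun = entry
        elif name in BIN_NAMES and entry.is_dir():
            for sid_dir in (d for d in entry.iterdir() if d.is_dir()):
                vmx_files += [f for f in sid_dir.iterdir()
                              if f.is_file() and f.suffix.lower() == ".vmx"]
    # Strongest signal: autorun.inf names the .vmx file (assumed behaviour).
    # Read as bytes, since the file may not be clean text.
    referenced = []
    if autorun is not None:
        content = autorun.read_bytes().lower()
        referenced = [f for f in vmx_files
                      if f.name.lower().encode("utf-8") in content]
    if referenced:
        verdict = "autorun.inf references a .vmx in the recycle folder"
    elif vmx_files:
        verdict = ".vmx file in the recycle folder"
    elif autorun is not None:
        verdict = "autorun.inf only (common and often legitimate)"
    else:
        verdict = "nothing found"
    return {"verdict": verdict, "autorun": autorun,
            "vmx_files": sorted(vmx_files), "referenced": sorted(referenced)}


if __name__ == "__main__":
    import sys
    for drive in sys.argv[1:]:
        print(drive, "->", kido_drive_artifacts(drive)["verdict"])
```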
- 12. SDFujacksRemover
Disinfection of an infected system
1) Download the SDFujacksRemover
2) Extract it into a folder on the infected (or potentially infected) PC.
3) Execute the file SDFujacksRemover.exe.
4) Wait for the scan and disinfection process to finish. You do not have to reboot the PC after the disinfection is over. The scan window will show you any infections that are found.
5) A log with the utility's scan details is generated alongside the utility, named SDFujacks.Log
- 13. SDFraudToolFix
This tool is a fix for malware programs that do not allow security software like Spyware Detector to be installed on the compromised computer. The user may see the software installation window suddenly disappear. The malware blocks the sites of security software.
It also infects system files like beep.sys.
To fix the issue, do the following:
1) Download the SDFraudToolFix.
2) Execute the downloaded file.
3) Click on the Scan button. It will report any infection present on the computer.
4) Restart the computer and then execute Spyware Detector.
- 14. System Security Fix
The tool is a fix for the Fake Anti Spyware System Security. This Fake Anti Spyware does not allow any application to be executed and displays a message that the application is infected. It shows a balloon message in the right corner. The screenshot is as follows.
To fix the issue, do the following:
1) Download the System Security Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report any infection present on the computer.
4) Restart the computer and then execute Spyware Detector.
- 15. Windows Police Pro Fix
The tool is a fix for the Fake Anti Spyware Windows Police Pro. This Fake Anti Spyware executes the Spyware exe when any other application is launched. It displays a message that the application is corrupt. The screenshot is as follows.
To fix the issue, do the following:
1) Download the Windows Police Pro Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report any infection present on the computer.
4) Restart the computer and then execute Spyware Detector.
- 16. Total Security Fix
The tool is a fix for the Fake Anti Spyware Total Security. This Fake Anti Spyware does not allow any application to be executed and displays a message that the application is infected. The screenshot is as follows.
To fix the issue, do the following:
1) Download the Total Security Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report any infection present on the computer.
4) Restart the computer and then execute Spyware Detector.
- 17. WinAnti Virus Pro Fix
The tool is a fix for the Fake Anti Spyware WinAnti Virus Pro. This Fake Anti Spyware blocks applications from being executed. The screenshot is as follows.
To fix the issue, do the following:
1) Download the WinAnti Virus Pro Fix
2) Execute the downloaded file.
3) Click on the Scan button. It will report any infection present on the computer.
4) Restart the computer and then execute Spyware Detector.
- 18. Random and MANY Infections, Mother of all Tools... If nothing works, scan with this utility and reboot your PC... 29 July
The infection does not allow any file to be executed. The file gets deleted after execution.
To fix the issue, do the following:
1) Restart the computer in Safe Mode.
2) Install Spyware Detector. If Spyware Detector does not install, rename its setup file, i.e. spywaredetector.exe, to sd.exe and then install it.
3) Scan the computer with Spyware Detector.
4) Quarantine the threats and then restart the computer in Normal mode.
5) Scan the computer in Normal mode.
6) In case you still have any issues, download our scan utility, which will detect and repair any infected files, from here: Max Scan Utility. Download and extract the file into a folder and double-click (Run) MaxScnUtil.exe.
How to go into Safe Mode?
1) Restart your computer.
2) Press the F8 key while the computer is booting; the Advanced Options Menu appears.
3) Select the Safe Mode option.
- 19. XP Registry Fix
If you have the XP operating system and any of the following associations are not working properly, you can just download and double-click / Run this tool to restore them to their default settings:
BAT, CAB, CHM, COM, CPL, hard drives, Directory Extension Fix, Drive Association Fix, EML files, EXE files, Folder Association Fix, GIF files, HLP files, HTA files, htm/html files, ico files, INF files, Internet Explorer Desktop Icon Fix (restores the default behavior for the Desktop IE icon), JPE/JPG/JPEG Association Fix, LNK (Shortcut) File Association Fix, default associations for MPG/MPEG files, MSC files, MSI files, MSP files, REG files, SCF files, SCR files, TXT files, TIF/TIFF files, URL File Association Fix, default associations for URL - Internet shortcuts, VBS File Association Fix, ZIP Folder Association Fix, Run, Task Manager, Internet Explorer options and Folder Options Fix.
1) Download the XP Registry Fix
2) Run the file file_assoc_XP.reg.
3) In some cases, if you do not see any effect, you may have to reboot your PC.
- 20. Registry Fixes for Windows 7
If you have the Windows 7 operating system and any of the following associations are not working properly, or restrictions have been imposed by malware, you can just download and double-click / Run this tool to restore them to their default settings:
AVI, BAT, BMP, CHM, CMD, COM, hard drives Fix, Directory Extension Fix, Drive Association Fix, EXE files, File Association, Folder Association Fix, GIF files, htm/html files, ico files, Img files, INF association, JPE/JPG/JPEG Association Fix, JS File, LNK (Shortcut) File Association Fix, mp3 file association, default associations for MPG/MPEG files, MSC files, Regedit Fix, Scr Fix, TIF/TIFF files, TXT files, VBS File Association Fix, WMA association, WMV association, XML File, ZIP Folder Association Fix, Run, Task Manager, Internet Explorer options and Folder Options Fix.
1) Download the Win7 Registry Fix
2) Run the file file_assoc_win7.reg
3) In some cases, if you do not see any effect, you may have to reboot your PC.
- 21. Registry Fixes for Vista
If you have the Vista operating system and any of the following associations are not working properly, or restrictions have been imposed by malware, you can just download and double-click / Run this tool to restore them to their default settings:
Audio CD, AVI Fix, BAT, BMP, CHM, CMD, Directory Fix, Drive Fix, dvr_Ms Fix, Exe file execution Fix, COM, CPL, hard drives, Directory Extension Fix, Drive Association Fix, EML files, Folder Association Fix, GIF files, htm/html files, ico files, INF files, JPE/JPG/JPEG Association Fix, JS Fix, LNK (Shortcut) File Association, MPG/MPEG files, default associations for MSC/MP3 files, Registry Fix, SCR files, TXT files, TIF/TIFF files, VBS File Association Fix, WMA/WMV Fix, XML file association, ZIP Folder Association Fix, XPS files, Run, Task Manager, Internet Explorer options and Folder Options Fix.
1) Download the Vista Registry Fix
2) Run the file file_assoc_Vista.reg
3) In some cases, if you do not see any effect, you may have to reboot your PC.