7 Steps to Remove the "K0pL4xZ" Virus
The "K0pL4xZ" virus, detected as VBWorm.QTT, targets computer users, particularly those with many Office files, by changing the file-type icons of Microsoft Office documents.
The virus does not, however, destroy the Office files themselves. It is written in Visual Basic and disguises itself with the "Windows Media Player Classic" icon while its file type remains Application (.exe). To clean it up, follow these steps:
1. Disconnect the computer to be cleaned from the network (LAN).
2. Turn off "System Restore" for the duration of the cleaning process.
3. Kill the virus process that is active in memory. Use the KillVB tool to terminate the process. The tool can be downloaded from: http://www.compactbyte.com/brontok/killvb.zip
4. Repair the registry entries altered by the virus. To speed up the repair, copy the script below into Notepad and save it as "Repair.inf". Run the file by:
- Right-clicking repair.inf
- Clicking Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile,,,application
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, "@C:\Windows\system32\notepad.exe,-469"
HKLM, SOFTWARE\Classes\Word.Document.8,,,"Microsoft Word Document"
HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,"C:\Windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe,1"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,,"Microsoft PowerPoint Presentation"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,"C:\Windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe,1"
HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,"Microsoft Excel Worksheet"
HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,"C:\Windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe,1"
HKLM, SOFTWARE\Classes\Access.Application.11,,,"Microsoft Office Access Application"
HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,"C:\Windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe,1"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, WarningIfNotDefault,0, "@shell32.dll,-28964"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System, DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System, DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, Haha
HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName
5. Delete the file "C:\Windows\desktop.ini" (this file changes the icon of the Windows folder into the Control Panel icon). Use a DOS prompt to delete it.
6. Find and delete the virus's parent files on the hard disk and on any flash disks, after first enabling the display of hidden files. To speed up the search, use Windows Search.
Here are some of the master files created by Koplaxz:
* C:\Documents and Settings\%user%\Start Menu\Programs\Startup
  Winhelp.exe
* C:\Documents and Settings\%user%\Start Menu\Programs
  Hellloo_Gheea.exe
* C:\Documents and Settings\%user%\My Documents
  Jangan_Dihapus_Apalagi_Dibuka.exe
* C:\Documents and Settings\%user%\Start Menu
  Koplaxz Kudo Shop.exe
* C:\Documents and Settings\%user%\Start Menu\Programs
  Hellloo_Gheea..exe
* C:\Windows
  TourWindowsXP.exe
  svchost.exe
  Kudo.com
  command32.pif
  KopLaXz@KudoShop.exe
* C:\F4HM1_KudO_M4n4j3r.exe
* C:\G0d3G.exe
* C:\Ghe@_i_miss_u.3gp.exe (all drives)
* C:\K0pL4xZ.exe
* C:\K 0 P L 4 X Z.exe
* C:\KopLaXz@KudoShoP.exe (all drives)
* C:\R0n13G4N_G3Ndut_S3xY.exe
* C:\R3eve5.exe
* C:\K0pL4xZ@KudoShop (folder, all drives)
  folder.htt
  msvbvm60.dll
  K0pL4xZ.exe
* C:\K0pl4xZ@KudoShop\K0pL4xZ.exe
* C:\[space]Windows\System_FriendZ_KopLaXz32 (note the leading space in the folder name)
  F4HM1_KudO_M4n4j3r.exe
  G0d3G.exe
  K 0 P L 4 X Z.exe
  R0n13G4N_G3Ndut_S3xY
  R3eve5.exe
* C:\[space]Windows\Zx4Lp0K.html
* C:\Windows\system32\smkn2majalengka.scr
* C:\Windows\system32\PCMAV.exe
* C:\Windows\system32\Asholest.exe
* C:\Documents and Settings\%user%\SendTo\KoPLaXzKudo (e-mail).exe
* C:\Autorun.inf (all drives)
* C:\Desktop.ini (all drives)
* C:\A Letter Ghe@4.txt (all drives)
* C:\K0pL4xZ@kUdO_5h0P.txt
* C:\Documents and Settings\All Users\Desktop\A Letter Ghe@4.inf
* C:\Windows\desktop.ini
Then delete the parent virus files, which have the following characteristics:
* Icon: "Windows Media Player Classic" or 3GP video format
* Size: 31 KB
* Extension: EXE, PIF, COM or SCR
* File type: "Application"
Delete the following files as well:
* C:\Autorun.inf (in the root of each drive: C:\ or D:\)
* C:\Desktop.ini (in the root of each drive: C:\ or D:\)
* C:\A Letter Ghe@4.txt (in the root of each drive: C:\ or D:\)
* C:\K0pL4xZ@kUdO_5h0P.txt (in the root of each drive: C:\ or D:\)
* C:\K0pL4xZ@KudoShop (in the root of each drive and flash disk)
* C:\Documents and Settings\All Users\Desktop\A Letter Ghe@4.inf
* C:\[space]WINDOWS
* C:\[space]Windows\Zx4Lp0K.html
7. For a thorough cleanup and to prevent re-infection, scan the computer with an up-to-date anti-virus.
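The post gives the registry fixes (step 4) and the file traits (step 6) but no way to confirm afterwards that the cleanup actually took. The PowerShell script below is an added example, not code from the original post or from Vaksincom: it is read-only, and it checks a subset of the values Repair.inf restores or deletes, then searches every file-system drive for Application files of about 31 KB (the traits the post lists), grouping them by SHA256 so that copies of the same worm binary spread across many folders stand out, and finally checks each drive root for autorun.inf, desktop.ini and the " Windows" folder with a leading space. The expected registry values come from Repair.inf above and from the Windows defaults; the 30-32 KB tolerance around "31 KB" is an assumption. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): read-only post-cleanup check for K0pL4xZ / VBWorm.QTT.
# Nothing here modifies the registry or deletes files; it only reports.

# --- Part 1: registry values Repair.inf should have restored (subset of [UnhookRegKey]) ---
$mustEqual = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'Explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Value = 'cmd.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt'; Value = 0 }
)
# --- Values Repair.inf deletes ([del]); any of these still present means the repair did not apply ---
$mustBeAbsent = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';               Name = 'System' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run';            Name = 'Haha' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'shell' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist; '(default)' works as a property name.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

"=== Registry state ==="
foreach ($e in $mustEqual) {
    $actual = Get-RegValue $e.Path $e.Name
    $status = if ("$actual" -eq "$($e.Value)") { 'OK' } else { 'TAMPERED' }
    [pscustomobject]@{ Status = $status; Check = "$($e.Path)\$($e.Name)"; Expected = $e.Value; Actual = $actual }
}
foreach ($e in $mustBeAbsent) {
    $actual = Get-RegValue $e.Path $e.Name
    $status = if ($null -eq $actual) { 'OK' } else { 'STILL PRESENT' }
    [pscustomobject]@{ Status = $status; Check = "$($e.Path)\$($e.Name)"; Expected = '<absent>'; Actual = $actual }
}

# --- Part 2: residual files. Traits from the post: type Application (.exe/.pif/.com/.scr), about 31 KB. ---
$roots = (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 }).Root

$candidates = Get-ChildItem -Path $roots -Recurse -Force -File -Include *.exe, *.pif, *.com, *.scr -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -ge 30KB -and $_.Length -le 32KB }   # 30-32 KB window is an assumption around "31 KB"

"`n=== Identical ~31 KB executables found in more than one place (worm copies itself widely) ==="
$candidates |
    Group-Object -Property { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        "SHA256 $($_.Name) appears $($_.Count) times:"
        $_.Group | ForEach-Object { "  $($_.FullName)  ($($_.Length) bytes, modified $($_.LastWriteTime))" }
    }

"`n=== Drive-root artifacts named in the post ==="
foreach ($r in $roots) {
    # $r already ends in a backslash (e.g. 'C:\'); plain concatenation keeps the leading space of ' Windows'.
    foreach ($n in 'autorun.inf', 'desktop.ini', ' Windows') {
        $p = $r + $n
        if (Test-Path -LiteralPath $p) { "Found: $p" }
    }
}
```

Anything reported as TAMPERED or STILL PRESENT means Repair.inf was not applied (or the process was still running and re-wrote the values), so repeat steps 3 and 4 before continuing. A hash group with many members is worth inspecting before deletion, since legitimate programs can also ship 31 KB executables; the full path and timestamps are printed for that reason.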