Friday, 21 January 2011

GAYUS HALOMOAN TAMBUNAN.... FROM CORRUPTOR TO CELEBRITY


So phenomenal: the name Gayus Halomoan Tambunan seems to be on everyone's lips in every conversation, and when the topic is corruption that name is sure to be mentioned. I believe the larger percentage of people seem to want to be like him, although it is also possible that some do not.

Like an official, he holds a press conference after the hearing. Lined up behind him are senior legal practitioners who proudly stand ready to back up Gayus's wrongdoing with justifications that are tied closely to the law and seem irrefutable. Naturally, Gayus's statement set off a panic among the parties who were named in that press conference.

How sad this country is.
If I were Gayus Tambunan, I would never feel at home living here. Better to go to Guyana or Singapore. An occasional trip to watch tennis in Bali would be fine. It is truly infuriating to live in a land of corruptors and liars. Honestly, this heart weeps, and perhaps so do millions of people in this archipelago that was once glorious.

Monday, 17 January 2011

Easy steps for handling the SERVIKS virus

This is a new stupid virus/trojan that redirects all your traffic to google.com (209.85.225.99); it infected my client on 01-01-2010. The virus was written in Visual Basic and is around 212-233KB in size. When active, it also has other supporting files of random size.



How to know if you’re infected?

It's very easy: if your page is always redirected to the Google website when you browse the internet or open an antivirus website, you are infected by this virus.



Master Files

When this virus is active it creates some master files and downloads additional supporting files from the internet. It spreads its files across different locations to make them hard to clean up. The virus also hides as a Windows service and as Windows drivers.

This is a list of virus master files:

wmispqd.exe
Wmisrwt.exe
qxzv85.exe
qxzv47.exe
secupdat.dat
%systemroot%\Documents and Settings\%user%\%xx%.exe, Where xx is random character with size 6KB (example: rclxuio.exe).
%systemroot%\windows\system32\drivers:
    Kernelx86.sys
    %xx%.sys, where xx is random character with size 40KB (example: cvxqkopsd.sys)
    Ndisvvan.sys
    krndrv32.sys
%systemroot%\Documents and Settings\%user%\secupdat.dat
%systemroot%\Windows\inf:
    Netsf.inf
    Netsf_m.inf

Spreading Technique and Virus Effects

This virus spreads through your network or through removable disks using the autorun technique. Looking back, almost all viruses use this same technique to spread, so modifying Windows to disable autorun may be a good option.

The virus blocks some Windows functions such as System Restore, Windows Firewall, RPC DCOM, etc. It also redirects most antivirus and security websites to google.com using the hosts file.
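
The hosts-file redirection described above can be checked with a short script. This is an added example, not part of the original article: the vendor keyword list and the sample hosts file are constructed assumptions, and only the redirect IP comes from the article.

```python
import ipaddress

REDIRECT_IP = "209.85.225.99"  # redirect target named in the article
# Assumed vendor keywords standing in for "antivirus or security website".
SECURITY_KEYWORDS = ("avira", "norman", "avast", "kaspersky", "symantec", "mcafee")

# Constructed sample hosts file, not captured from an infected machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
209.85.225.99   www.avira.com avira.com   # two names on one line
209.85.225.99   www.example-shop.test
127.0.0.1       update.symantec.com
10.0.0.5        intranet.corp.test
not-an-ip       www.norman.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid address, so not a mapping
        for host in fields[1:]:
            yield line_no, ip, host.lower().rstrip(".")

def audit_hosts(text, redirect_ip=REDIRECT_IP):
    """Return (line_no, host, ip, reasons) for entries that point at the
    redirect IP or override a security vendor's hostname."""
    target = ipaddress.ip_address(redirect_ip)
    findings = []
    for line_no, ip, host in parse_hosts(text):
        reasons = []
        if ip == target:
            reasons.append("redirect-ip")
        if any(k in host for k in SECURITY_KEYWORDS):
            reasons.append("security-site-override")
        if reasons:
            findings.append((line_no, host, str(ip), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

The keyword match is a substring heuristic, so treat each finding as a line to review in the hosts file rather than as proof of infection.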



How to Remove W32/SmallTroj.VPCG

1. Deactivate “System Restore” while cleaning is in progress.

2. Disconnect your computer from the network/LAN.

3. Rename msvbvm60.dll (%systemroot%\Windows\system32\msvbvm60.dll) to backup.dll. This step prevents the virus from running: because it was written in Visual Basic it needs msvbvm60.dll to run, so once the file is renamed the virus cannot activate. After you have cleaned the virus, I recommend renaming backup.dll back to msvbvm60.dll.

4. Delete the virus master files using Mini PE2XT. Because some rootkit components are hidden as a Windows service and driver, you need to boot your computer with Mini PE2XT and then follow these steps:

Menu -> Programs -> File Management -> Windows Explorer

Then delete the “Virus Master Files” (see the list in this article).



5. Delete the registry entries created by the virus using Mini PE2XT:

Menu -> Programs -> Registry Tools -> Avast! Registry Tools

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\kernelx86
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\passthru
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
HKEY_LOCAL_MACHINE\system\ControlSet001\services\%xx%
HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\%xx%

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
* %windir%\system32\ wmispqd.exe = %system%\ wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
* %windir%\system32\ wmispqd.exe = %system%\ wmispqd.exe:*:enabled:UpnP Firewall

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
* Change the string value Userinit to userinit.exe

ATTENTION: %xx% is a random string; this key is created to run the .SYS file with size 40KB.



6. Restart your computer, then use this repair-inf (rename it to repair.inf): right-click it and choose Install.

[Version]
Signature="$Chicago$"
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Values written by AddReg: file-association open commands, Winlogon shell,
; DCOM, Security Center, LSA and Explorer settings.
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
; Embedded quotes are doubled inside an INF string, giving: regedit.exe "%1"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0

; Keys and values removed by DelReg.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe

7. Delete all temporary internet files using ATF Cleaner.

8. Restore your hosts file using HostsXpert.



9. To make sure your system is totally clean and to prevent the virus from coming back, run a full scan of your system with Norman Malware Cleaner. If you don't like Norman, I would recommend AVIRA.

Good luck!