Abs.Net web Page

Share Your Knowledge, Build your Network..

There's Weird title like "Hokage" in your title bar?. It's Ikarus

Posted by absnet on 23 February 2009


INDONESIAN VIRUS

So, something weird in your explorer bar?. There’s  a Title like “Hokage…”. 

I suddenly see my desktop is blank, My Wallpaper turn blue. At first I suspect it’s Hanjian, a virus that make our desktop black, but still, I can see the Task manager when I push CTRL + ALT + Delete.

First look on my Task manager, I found smss.exe process, but it’s icon is winamp. So, this is a virus, I think. Checking the internet, I found name Ninja Hokage virus, a virus from Sampit, Central Kalimantan. I don’t know if it’s true, but in my opininion, the virus maker is Banjar, because I found words like Ikam Bungul (You stupid) and Bungas Banar (Very Pretty). Whatever!. So, here’s my steps.

TOOL

  1. Total Commander
  2. Autoruns
  3. Free Extended Task Manager
  4. My Steps Picture (so you can see clear picture of my steps)
  5. AntiHokage4 (it’s inf file to repair your registry)

STEPS

  1. Run Extended Task Manager, go to process, and you can see smss.exe process with winamps icon. (Step1 in picture)
  2. Explore this virus to know it’s location, by right click and choose Open file location (see Step2 in picture). Memorize it’s place.
  3. Open Total Commander. Go to virus place you’ve memorize, and gather information about this file on it’s size. Well; 49,152 bytes. I try to search all file with the size 49,152 bytes and return many files in it. You can see my result in picture step3).  Wow, the virus is only winamps icon, so I’ll try to refine the result, because not all 49,152 bytes file is virus.
  4. In Step4, I see the virus program by pressing CTRL + Q in right panel, and, I found unique string : Richosi (Step4). You can specify another string, but make sure that you copy that string (don’t write it, because it’s character can’t be the same as you see) and you think that this is an unique string. So we order Total Commander to find files with 49,152 bytes length with Richosi String in it. Picture step5 and step6 showing you the find configuration. 
  5. And the result is Step7 picture. See, there’s only winamp icon in it. Most interesting is, There’s hidden file in C:/windows/system (instead of system32). This is virus process. Now Back to Free Task Manager and Kill the virus process like smss.exe; Gazerock, Gazette, Nugen, Virgen.exe (see hidden files).
  6. You can Mark all this virus found and then delete it with no mercy. Actually your virus is gone by applying this process. The rest is just registry repairing.
  7. Open your Autoruns, select Everything tab, and see picture 8. This is virus process. Just delete it but one in the bottom : Your Image file
  8. Slide your button  up, and see picture 9.  Delete safely the registry with File not found sign (hehe.. we just delete it). 
  9.  Unzip and right click your Antihokage4.inf to repair your registry. Choose Install.
  10. Restart or logoff and logon again to see your repair result

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: