Malu bertanya sesat dijalan, tersesat memalukan - gphone.exe a.k.a [W32.Imaut.E, Worm.Win32.AutoIt.ch]

Home
About
- Profile
- Blog
- Facebook
E-Campus
- Database
- Information Technology
Hacking
Networking
OS
- Linux
- Mikrotik
- Windows
Intermezzo
- Corner
- Gosip
- Kocak
- Qalbu
Security
Tips N Trick
- Web Tips
  - E-Commerce
Links
- Store
- Projects
- Download
- Gallery
- Webmail

gphone.exe a.k.a [W32.Imaut.E, Worm.Win32.AutoIt.ch]

Written by pnyet

Page 5 of 5

Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:

Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

4. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.

Click Start > Run.
Type regedit
Click OK.

Note: If the registry editor fails to open the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to and delete the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Yahoo Messengger" = "%System%\gphone.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe gphone.exe"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\"AtTaskMaxHours" = "0"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule\"NextAtJobId" = "2"
Restore the following registry entries to their previous values, if required:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\"shared" = "[ROOT FOLDER]\New Folder.exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NofolderOptions" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Page_URL" = "http://rnd009.googlepages.com/google.html"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Default_Search_URL" = "http://rnd009.googlepages.com/google.html"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Search Page" = "http://rnd009.googlepages.com/google.html"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\"Start Page" = "http://rnd009.googlepages.com/google.html"
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page" = "http://rnd009.googlepages.com/google.html"
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\"HomePage" = "1"
Restore the following registry subkeys, if required:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IEProtection
Exit the Registry Editor.

Note: If the risk creates or modifies registry subkeys or entries under HKEY_CURRENT_USER, it is possible that it created them for every user on the compromised computer. To ensure that all registry subkeys or entries are removed or restored, log on using each user account and check for any HKEY_CURRENT_USER items listed above.

Writeup By: Sean Kiernan

Source From: www.symantec.com

Comments

Add New

RSS

Anonymous

|118.112.220.xxx |09-08-2010 13:19:35

link:http://www.comeonb2b.com/
link:http://2010louboutin.org/
link:http://www.bestghdstraighteners.com/
link:http://www.bestmbtshoes.us/
link:http://www.buychihairstraightener.com/
link:http://www.buyghdstraightener.com/
link:http://www.cheap-ed-hardy.com/
wansantg1zp link:http://www.chiflatironhair.us/
link:http://www.discountu99boots.com/
link:http://www.edhardyshirtsclub.com/
link:http://www.hijordan.us/
link:http://louis-vuitton-replica-handbags.com/
link:http://www.mydiscountjordanshoes.com/
link:http://www.nfljerseysshopping.com/
link:http://www.p90xworkoutscheduledvd.com
link:http://www.u99snowboots.com/

link:http://louis-vuitton-replica-handbags.com/
link:http://louis-vuitton-replica-handbags.c...

xcvcxv

|118.112.220.xxx |09-08-2010 13:22:04

Lineage2 adena - Lineage2 adena

|221.6.130.xxx |11-08-2010 08:19:45

L2 is very popular. Recently my friend and I always play it. And it is my
favorite game link:http://www.cheapl2adena.com is very useful. As soon as you play this
game, L2 adena is necessary. I often use link:http://www.cheapl2adena.com to get the link:http://www.cheapl2adena.com. My friends make money just through link:http://www.cheapl2adena.com, when they find someone want to sell
their L2 adena as link:http://www.cheapl2adena.com,they will buy it.

ZJJCY

|222.209.88.xxx |19-08-2010 14:55:08

meeting link:http://www.fashionoakleysunglasses.comtomorr ow link:http://www.fashionoakleysunglasses.comon link:http://www.fashionoakleysunglasses.compfreng m link:http://www.fashionoakleysunglasses.compolicy link:http://www.fashionoakleysunglasses.commakers link:http://www.fashionoakleysunglasses.commay link:http://www.fashionoakleysunglasses.comdisapp oint link:http://www.fashionoakleysunglasses.commarket link:http://www.ed-hardy-sale.comexpectations link:http://www.ed-hardy-sale.comfor link:http://www.ed-hardy-sale.coma link:http://www.ed-hardy-sale.comsecond link:http://www.ed-hardy-sale.com/caps-c-12_50.ht mlround link:http://www.ed-hardy-sale.com/shoes-c-12_45.h tmlof link:http://www.ed-hardy-sale.com/tshir...

ZJJCY

|222.209.88.xxx |19-08-2010 14:58:41

climbed link:http://www.tiffanyhotsale.comin link:http://www.tiffanyhotsale.comJuly link:http://www.tiffanyhotsale.comfor link:http://www.tiffanyhotsale.comthe link:http://www.tiffanyhotsale.comfirst link:http://www.tiffanyhotsale.com time link:http://www.tiffanyhotsale.com/necklaces-c-12 .htmlin link:http://www.tiffanyhotsale.com/bracelets-c-9. htmlthree link:http://www.tiffanyhotsale.com/earrings-c-11. htmlmonths link:http://www.tiffanyhotsale.com/rings-c-13.htm las link:http://www.tiffanyhotsale.com/bracelets-c-9. htmlincentives link:http://www.raybansunglasseshotsale.com spurred link:http://www.raybansunglasseshotsale.com auto link:http://www.raybansunglasseshotsale.com purchases, link:http://www.ra...

ZJJCY

|222.209.88.xxx |19-08-2010 14:59:25

question link:http://www.raybansunglassesonsale.comis link:http://www.raybansunglassesonsale.com whether link:http://www.raybansunglassesonsale.com/ray-ba n-3025-sunglasses-45.htm
l they link:http://www.raybansunglassesonsale.commove link:http://www.raybansunglassesonsale.com toward link:http://www.raybansunglassesonsale.com the link:http://www.raybansunglassesonsale.com path link:http://www.edhardysale.netof link:http://www.edhardysale.netquantitative link:http://www.edhardysale.net/caps-c-11_51.html easing link:http://www.edhardysale.net/accessories-c-11_ 14.htmlor link:http://www.edhardysale.net/swimwear-c-11_48. htmlnot,

ZJJCY

|222.209.88.xxx |19-08-2010 15:01:19

required link:http://www.buyraybansunglass.com for link:http://www.buyraybansunglass.com them link:http://www.buyraybansunglass.com to link:http://www.buyraybansunglass.comgo link:http://www.buyraybansunglass.com to link:http://www.buyraybansunglass.com that link:http://www.buyraybansunglass.com stage.

ZJJCY

|222.209.88.xxx |19-08-2010 15:02:43

The link:http://www.ghdsale.com/ghd-purple-p-184.html two-year link:http://www.ghdsale.com/ghd-purple-p-184.html note link:http://www.ghdsale.com/ghd-purple-p-184.html yielded link:http://www.ghdsale.com/ghd-purple-p-184.html 0.52 link:http://www.ghdsale.com/limited-edition-ghd-i v-pure-styler-p-182.html
percent link:http://www.ghdsale.com/ghd-09-new-style-pink -hair-straightener-p-192
.htmlafter link:http://www.ghdsale.com/ghd-purple-p-184.html falling link:http://www.guccibagsales.comto link:http://www.guccibagsales.coma link:http://www.guccibagsales.comrecord link:http://www.guccibagsales.comlow link:http://www.guccibagsales.com/handbags-g-1.ht mlof link:http://www.guccibagsales.com/ho...

ZJJCY

|222.209.88.xxx |19-08-2010 15:03:36

South link:http://www.guccisunglassessale.comCarolina link:http://www.guccisunglassessale.comlast link:http://www.guccisunglassessale.comweek link:http://www.guccisunglassessale.comthat link:http://www.guccisunglassessale.comconsumer link:http://www.guccisunglassessale.comspending link:http://www.guccisunglassessale.comis link:http://www.guccisunglassessale.com

Audemars Piguet Watches 14908O - Audemars Piguet Watches 14908OR.OO.D067CR.01

|59.61.138.xxx |13-11-2010 10:51:13

link:http://www.replica-watches-all.com specializes during export you the
critical link:http://www.replica-watches-all.com/Replica-h ampton_c2133 little both
retailer in the midst of broker. both brittle watches we has wellle
are imitated restack beginning the ingenious ones. killing our link:http://www.replica-watches-all.com, you awith regard tomizer silent
gawk fashionable. during through advantageously
informal manufacturers, our link:http://www.replica-watches-all.com/replica-a rmani-ceramica-watch-ar1
408_p7114.html are clearly praised earlier patron's. every utter of
built-up is under precise authority and through elevation order.

Montblanc Sport Watches - Blancpain Collection Léman watches

|59.61.148.xxx |29-01-2011 15:59:29

our shop gives you a hefty chance of restriction throughg a drunk
appearance link:http://www.replica-watches-fan.com, link:http://www.replica-watches-fan.com/replica-b rm-gp44-gp44111-watch-p-
1030.html, link:http://www.replica-watches-fan.com/dior-watc hes-dior-dior-christal-c
ollection-watches-c-182_26 8.html on-lpreferrede in the absence of
discarding your inhabitant. we surrender you the men's in the midst of
ladies' link:http://www.replica-watches-fan.com/replica-b reitling-windrider-colle
ction-cockpit-488-watch-p- 895.html, link:http://www.replica-watches-fan.com/iwc-watch es-iwc-portugaise-watche
s-c-224_227.html, link:http://www.replica-watches-f...

nick - prince watches

|123.153.66.xxx |24-08-2011 13:01:40

golf watch watches watches replica buy their accessories with money link:http://www.watchesun.net/ It s so time-consuming for you to make
replica watches designer bags Keep an eye on the.

debbie - fake hublot watches

|123.153.66.xxx |24-08-2011 15:15:15

replica bvlgari watches link:http://www.watchesairs.com/cartier-watches.h tml watches cartier link:http://www.appwatches.org/omega-watches.html replica omega
yachtmaster watches link:http://www.watchesdoc.org/rolex-watches.html fake rolex watches for
sale omega speedmaster watches issuing link:http://www.watchesfaner.org/tag_heuer-watche s.html tag heuer watches
submariner watches link:http://www.keepwatches.org/ breitling super avenger watches esther link:http://www.maticwatches.com/breitling-watche s.html replica breitling
watches for sale.

chris - omega museum watches

|123.153.66.xxx |25-08-2011 07:06:33

link watches link:http://www.stilwatches.com/tag_heuer-watches .html fake tag heuer
watches items fake iwc watches link:http://www.keepwatches.org/ replica tissot watches link:http://www.stilwatches.com/breitling-watches .html fake breitling
watches lation link:http://www.stilwatches.com/cartier-watches.h tml replica cartier
vacheron constantin link:http://www.keepwatches.org/omega-watches.htm l fake omega watches link:http://www.sanwatches.org/rolex-watches.html oclock replica rolex
breitling superocean heritage.

Coach Outlet Online - Coach Outlet Online

|121.158.55.xxx |16-11-2011 13:32:20

One link:http://www.coachsfactoryoutlet.org/ of clothing

link:http://www.coachfactorysoutletstoreonline.ne t/ be loose

link:http://www.coachfactorystore-online.com/ compliment the

link:http://www.coachoutletstoreonline.ca/ of
the [url=http://www.coachsfactory-

online.net/]Coach Factory[/url]. A
loose link:http://www.coachfactorysoutletstoreonline.ne t/ or a skirt link:http://www.coachsfactoryoutlet-online.net/ help the

link:http://www.coachfactoryoutletonlineh.com/ Bags flow

link:http://www.mycoachfactorystoreonline.org/ what you

link:http://www.coachoutletstoreonlineh.com/ wearing. Small

link:http://www.coachfactorystore-online.com/ with a

link:...