Read1st! Classified.exe... Virus!

[nikkipotz]

lol., n_n

[nikkipotz]

nga pala.,

"The term "computer virus" is SOMETIMES used as a catch-all phrase to include all types of malware, including true viruses"

hehehe., n_n quote ko lang.,

[Karl80]

Yup tama ka jan. Kapag cnabi mo na virus, included na ang worm. Pero meron debate sa exact meaning ng virus eh. Kahit mga experts nagde-debate...

What is love nga!? Hehehe

[skye]

I'm having the same virus sa external hdd ng brother ko. Hopefully ma-solve ng solution na andito yung problem. I will try it later and will update if naging okay na siya

[theeye23]

Manual removal of CLASSIFIED:

1. Click START + RUN.

2. Type CMD /D and click OK

3. Sa Command Prompt, type taskkill /im services.exe /im system.exe /im lsass.exe /im nthlpsvc1.exe /im nthlpsvc2.exe /im dirlock.exe /t press ENTER

4. Repeat step 3 as many times and as fast as you can (press nyo lang po ang UP ARROW para automatic na maulit ang command line), hanggang sa ganito na ang lumalabas:

ERROR: The process with PID 3892 child of PID 732 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 732 child of PID 560 could not be terminated.
Reason: One or more child processes of this process were still running.
ERROR: The process with PID 792 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 860 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 944 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 1096 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 1244 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 1280 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 1300 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
SUCCESS: The process with PID 1988 child of PID 560 has been terminated.
ERROR: The process with PID 2024 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 2240 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 3848 child of PID 560 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process with PID 560 child of PID 516 could not be terminated.
Reason: One or more child processes of this process were still running.
ERROR: The process with PID 572 child of PID 516 could not be terminated.
Reason: This process can only be terminated forcefully ( with /F option ).
ERROR: The process "system.exe" not found.
ERROR: The process "nthlpsvc1.exe" not found.
ERROR: The process "nthlpsvc2.exe" not found.
ERROR: The process "dirlock.exe" not found.

5. Type the following commands or just put it on a BATCH PROGRAM and run it:

for %%i in (C D E F G H I J) do del /f /a %%i:\autorun.inf
DEL /F /A %systemdrive%\Classified.exe
RD /S /Q "%AllUserprofile%\Application Data\Microsoft\Keyboard"
RD /S /Q "%AllUserprofile%\Application Data\PolariSys"
RD /S /Q %Windir%\classified
DEL /F /A "%AllUserprofile%\Desktop\Classified.exe"
DEL /F /A "%AllUserprofile%\Documents\Classified.exe"
DEL /F /A "%AllUserprofile%\Documents\My Music.exe"
DEL /F /A "%AllUserprofile%\Documents\My Pictures.exe"
DEL /F /A "%AllUserprofile%\Documents\My Videos.exe"
DEL /F /A "%AllUserprofile%\Start Menu\Programs\Startup\Classified.exe"
DEL /F /A "%Userprofile%\My Documents\Classified.exe"
DEL /F /A "%Userprofile%\My Documents\My Music.exe"
DEL /F /A "%Userprofile%\My Documents\My Pictures.exe"
DEL /F /A "%systemdrive%Documents and Settings.exe"
DEL /F /A %systemdrive%\Inetpub.exe
DEL /F /A %systemdrive%\goats.exe
DEL /F /A "%ProgramFiles%\Classified.exe"
DEL /F /A "%systemdrive%\Program Files.exe"
DEL /F /A %systemdrive%\Read1st!.exe
DEL /F /A %Windir%\addins\Classified.exe
DEL /F /A %Windir%\addins.exe
DEL /F /A %Windir%\AppPatch\Classified.exe
DEL /F /A %Windir%\AppPatch.exe
DEL /F /A %Windir%\classified\Classified.exe
DEL /F /A %Windir%\Classified.exe
DEL /F /A %Windir%\Config\Classified.exe
DEL /F /A %Windir%\Config.exe

reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v Sessionmngr /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v LSAShell /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v WinSys /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d Explorer.exe /f
reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v AppData /t REG_SZ /d "%WinDir%\system32\config\systemprofile\Application Data" /f
reg add "HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v Cache /t REG_SZ /d "%SystemDrive%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files" /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f

6. Click START + SEARCH

7. Click All files and folders

8. At the filename box type *.EXE

9. Click More Advance Options.

10. Put a check on the first 3 items and click SEARCH.

11. Kung makakakita po kayo ng mga EXE (Application) na mukang folder, i-delete nyo po.

12. Install an ANTI-VIRUS and UPDATE it then full SCAN your PC then use CCLEANER.


WARNINGS:
- Wag po kay maglalagay ng /F sa taskkill command (step 3).

- Step 12 is optional but very very very important and useful.

- Please don't launch the Task Manager or Registry Editor until you full scan the PC w/ AV.

- Please don't reboot the PC until you full scan the PC w/ AV.


Hope this helps you because this helps me a lot and this is the method i am always using for this trojan/worm.

[Karl80]

hmmm... not effective para sa worm_autorun.fly 'yong classified.exe + sality!
kahit na class-x.bat wala magawa sa worm_autorun.fly!

kelangan talaga boot sa live cd na may updated avira at ito lng ang pinaka the best
na paraan matanggal ang worm_autorun.fly.

Refs.:

http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.FLY&VSect=T
http://en.wikipedia.org/wiki/Daprosy_Worm

[theeye23]

hmmm... not effective para sa worm_autorun.fly 'yong classified.exe + sality!
kahit na class-x.bat wala magawa sa worm_autorun.fly!

kelangan talaga boot sa live cd na may updated avira at ito lng ang pinaka the best
na paraan matanggal ang worm_autorun.fly.

Refs.:

http://www.trendmicro.co.jp/vinfo/virusencyclo/default5.asp?VName=WORM_AUTORUN.FLY&VSect=T
http://en.wikipedia.org/wiki/Daprosy_Worm

It's because of the SALITY.

[/]

Uu nga, dito naman sa office namin karamihan ng spywares galing china.

[Karl80]

tama ka theyeye23 dahil sa sality nagmukhang malakas classified.exe. salot talaga 'yang sality na yan.

[Karl80]

@theeye23

thanks sa info at nalaman ko na cossta family of worms pala ang kbdrv16.com dati kc tinatawag lang namin 'yang scrap worm! hehe.

[theeye23]

tama ka theyeye23 dahil sa sality nagmukhang malakas classified.exe. salot talaga 'yang sality na yan.

Actually, every Trojan's main programs can be infected with Sality, like for example the Borontok's Sempalong.com file can be infected by Sality.

For me the most powerful and annoying trojan/worm+virus is the combination of Borontok WORM and SALITY virus.

[theeye23]

@theeye23

thanks sa info at nalaman ko na cossta family of worms pala ang kbdrv16.com dati kc tinatawag lang namin 'yang scrap worm! hehe.

Your welcome po

[Karl80]

@theeye23

yup, dalawang beses na ko nag-format ng computer dahil sa sality. dati kc sobrang inosente ako at kaka-format lng ng computer sinalpakan ko kaagad ng usb kc nagbase lng ko sa autorun.inf at laman nito. d ko alam ang mga files pala mga virus na! ngaun gumagamit ako ng mga updated na on-demand scanner tulad ng norman malware cleaner. ganda kc hindi na kelangan install.

sa palagay ko lang, ang classified.exe na worm ay tanga yan eh tapos na-infect ng sality kaya hirap na tanggalin! clone lang siya ng brontok kaya brontok mas mahirap tanggalin.

[theeye23]

sa palagay ko lang, ang classified.exe na worm ay tanga yan eh tapos na-infect ng sality kaya hirap na tanggalin! clone lang siya ng brontok kaya brontok mas mahirap tanggalin.

Hindi sa pangmamaliit, but that Trojan is kinda weak for me. I can remove that 100% completely wipe-out using only the Command Prompt.

The other thing about that, it is created using Visual Basic 6 with Vb-scripting function to search folders and copy itself to the folders, process enumerate function to close programs that is not part of Windows core system so only Windows critical system files will be left, and execute its own copy with a different name so you can't terminate its programs one at a time, it should be at the same time (look at the step 3 above on my manual removal of Classified to see what I mean), lastly, some registry control functions.

[Karl80]

yup, agree ako jan. applicable 'yang sinasabi mo sa lahat ng trojan worms. para sa akin, maraming mga trojan worms gawa ng mga estudyante na nagpapayabang. nakapag-aral lng ng kaunting VB6 eh gusto na gumawa ng worm para sikat.

tingnan mo mga conversation ng mga IT students makakarinig ka talaga na sila daw gawa ng "ganitong" trojan at "ganyang" trojan.
ang yayabang!!! kala nila wala penalty sa mahuling gumagawa ng mga trojan at worms!

[theeye23]

yup, agree ako jan. applicable 'yang sinasabi mo sa lahat ng trojan worms. para sa akin, maraming mga trojan worms gawa ng mga estudyante na nagpapayabang. nakapag-aral lng ng kaunting VB6 eh gusto na gumawa ng worm para sikat.

tingnan mo mga conversation ng mga IT students makakarinig ka talaga na sila daw gawa ng "ganitong" trojan at "ganyang" trojan.
ang yayabang!!! kala nila wala penalty sa mahuling gumagawa ng mga trojan at worms!

Hayaan na lang natin sila, may mga ganyang tao talaga. Murahin man natin yan ng murahin, di rin hihinto yan Nandito naman tayong mga taga-tanggal ng mga kalokohan nila, eh! Whehehe!

[Karl80]

hmmm... after ma-analyze namin ang ginagawa ng classified.exe sa operating system ng windows, ang conclusion namin ay "hindi" amateur VB programmers gumawa ng worm na ito. try nyo delete ang shutdown.dll sa root ng drive c: at mag-restart ang computer. posible team ng mga hackers ang gumawa ng classified.exe --- gusto nila magnakaw ng mga password!!!!

kelangan pa natin makahanap pa ng magaling na pantanggal sa trojan worm na ito! ang lufet!

[Karl80]

uy!

para sa mga nangangailangan "step by step" guide sa pagtanggal ng classified.exe worm visit kayo YouTube
Classified.exe (Daprosy) Remover 2

follow lng video (pause kung kelangan) para tanggal trojan worm!

yu!

[vbignacio]

pag updated ba anti-virus, di ma-affect nyang daprosy na yan?

[bebeth]

Good news po!

Meron na ko link para matanngal classified.exe sa inyong computer!
Follow nyo lng po ito:

http://digg.com/security/Classified_exe_Remover

Good luck!

ano po password? asking for password kasi when i tried it