Dec 6, 2008

Maxtrox Virus (updated)

Have you seen this wallpaper on your PC without knowing how it got there? Then you are a victim of the MAXTROX virus. MAXTROX stands for Maximum Troxer. It changes the desktop wallpaper of the computer to the Maxtrox picture. This wallpaper is active on the 1st through the 6th of April, August and December. Our library is a victim of this virus, which is alleged to originate in Indonesia. Notice that in the picture the date is December 6, 2008.

Another picture is used as a wallpaper.

MAXTROX kills the processes of every antivirus product it knows about. It also kills the Windows Task Manager. Maxtrox additionally tries to evade heuristic antivirus detection.

How to kill it:

1.) Start -> type "cmd" (without the quotes) -> Enter

2.) type cd\ and press Enter, then cls and press Enter, then tasklist and press Enter

3.) in the tasklist output, look for the process named wvcp.exe and note its PID

4.) type taskkill /f /pid <PID> (the number noted in step 3) and press Enter; taskkill /f /im wvcp.exe does the same by image name instead of PID

note: doing this from a command prompt sidesteps Task Manager, which the virus kills.
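The same kill step done from PowerShell, as an added example that is not part of the original post: it repeats the check a few times, because a dropper that keeps a second copy alive would otherwise respawn the process straight after taskkill. wvcp.exe is the name the post gives; the other names in the list are the random names the post mentions later and are assumptions here, so adjust the list to whatever tasklist actually shows on the infected machine.

```powershell
# Added example, not from the original post. Kills the Maxtrox process from
# PowerShell and re-checks a few times in case a second copy restarts it.
# wvcp.exe is the name the post gives; aizw and scnp are the random names it
# mentions elsewhere and are assumptions here. Adjust to what tasklist shows.
$suspects = @('wvcp', 'aizw', 'scnp')   # process names, without .exe

for ($attempt = 1; $attempt -le 5; $attempt++) {
    $running = Get-Process -Name $suspects -ErrorAction SilentlyContinue
    if (-not $running) {
        Write-Host "Attempt ${attempt}: no suspect process running"
        break
    }
    foreach ($p in $running) {
        # Record the image path before killing: it tells you which file to
        # delete in the cleanup steps that follow.
        $path = '<path not readable>'
        try { $path = $p.MainModule.FileName } catch { }
        Write-Host ("Killing PID {0} {1} ({2})" -f $p.Id, $p.ProcessName, $path)
        # Same effect as: taskkill /f /pid <PID>
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
    }
    Start-Sleep -Seconds 2   # give a watchdog copy time to respawn before re-checking
}
```

Run it from an elevated PowerShell prompt; it stops at the first pass that finds none of the listed processes, and the printed image path is the file to remove afterwards.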

The process for removing this virus, according to some websites I visited:

1. Best do the cleaning in safe mode.
2. Stop the virus process in memory. Use a Task Manager replacement such as Itty Bitty Process Manager.
Kill the active virus process, whose file is:
C:\Documents and Settings\%user%\Application Data\Microsoft\%dsh%.exe (%dsh% is a random name, such as aizw.exe, scnp.exe, etc.).
3. Delete the registry entries made by the virus. To make this easy, use the registry script below:
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ShowFullPath, DefaultValue, 0x00010001,0

[del]
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Classes\exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, VisualStyle
HKCU, Control Panel\Desktop, SCRNSAVE.EXE
· Paste it into Notepad and save it as "repair.inf" (set "Save as type" to All Files, otherwise Notepad appends .txt and the install fails).
· Right-click repair.inf and choose Install.
· Ideally create repair.inf on a clean computer, so the virus does not become active again.
4. Delete the virus's main file, which has these characteristics:
· "WinRAR" icon
· extension .exe, .scr, .msd or .sysm
· size 77 KB
· Show hidden files first; it makes finding the virus files much easier.
· To simplify the search, use Windows Search with a filter for *.exe, *.scr, *.msd and *.sysm files of size 77 KB.
· The virus files usually share the same modified date, which helps to spot them.
5. Delete the virus's copies in the folder C:\Program Files (the virus usually puts its copy next to the original executable, whose extension it renames).
6. Restore the extensions of the executables in C:\Program Files that the virus renamed. A bulk-renaming tool such as Extension Renamer makes this quick.
7. For thorough cleaning and to prevent reinfection, use an antivirus with up-to-date signatures that detects this virus.
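Before and after running repair.inf and the file cleanup above, it helps to check the machine rather than trust that the steps worked. The script below is an added example, not code from the original post or from Vaksincom: it reads back every registry value repair.inf writes or deletes and reports any that differ, then hunts for files matching the post's description of the virus (77 KB; .exe, .scr, .msd or .sysm), grouped by modified time because the post says the copies share one date, and lists same-name siblings for steps 5 and 6. The +/-1 KB size tolerance and the two search roots (Application Data\Microsoft and Program Files, the locations the post names) are my assumptions. It only reports; nothing is deleted.

```powershell
# Added example, not from the original post. Audits the registry values that
# repair.inf restores and hunts for files matching the post's description of
# the virus. Run from an elevated PowerShell. Assumptions (mine, not the
# post's): the +/-1 KB size tolerance and the two search roots.

# Values repair.inf writes back, so anything else here is a hijack.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Value = 'regedit.exe "%1"' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Value = 'Explorer.exe' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Value = 'cmd.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden'; Value = 1 }
)
# Values repair.inf deletes, so they should not exist at all.
$forbidden = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'VisualStyle' },
    @{ Path = 'HKCU:\Control Panel\Desktop';                         Name = 'SCRNSAVE.EXE' },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile';                      Name = 'NeverShowExt' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is missing instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

Write-Host '== Registry hijack check =='
foreach ($e in $expected) {
    $actual = Get-RegValue $e.Path $e.Name
    if ($actual -ne $e.Value) {
        Write-Host ("CHANGED  {0} [{1}] = '{2}'  (expected '{3}')" -f $e.Path, $e.Name, $actual, $e.Value)
    }
}
foreach ($e in $forbidden) {
    $actual = Get-RegValue $e.Path $e.Name
    if ($null -ne $actual) {
        Write-Host ("PRESENT  {0} [{1}] = '{2}'  (should be deleted)" -f $e.Path, $e.Name, $actual)
    }
}

Write-Host '== Suspect files =='
$exts  = '.exe', '.scr', '.msd', '.sysm'
$roots = "$env:APPDATA\Microsoft", $env:ProgramFiles
$suspects = Get-ChildItem -Path $roots -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $exts -contains $_.Extension.ToLower() -and [math]::Abs($_.Length - 77KB) -le 1KB }

# The post says the dropped copies share one modified date, so group by
# timestamp: a large cluster with the same minute is the strongest signal.
$suspects | Group-Object { $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending | ForEach-Object {
        Write-Host ("{0} file(s) modified {1}" -f $_.Count, $_.Name)
        foreach ($f in $_.Group) {
            Write-Host ("    {0}" -f $f.FullName)
            # Steps 5-6: a suspect sitting next to a file with the same base name
            # but a different extension is probably the copy beside the renamed original.
            Get-ChildItem -Path $f.DirectoryName -Filter "$($f.BaseName).*" -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.FullName -ne $f.FullName } |
                ForEach-Object { Write-Host ("        sibling: {0}" -f $_.Name) }
        }
    }
```

An empty report after cleanup is the result you want; a CHANGED line for exefile\shell\open\command after repair.inf has supposedly run means the virus is still active and rewrote the value, so go back to the kill step before deleting files.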

Some tools that can remove the registry values set by MAXTROX:

HijackThis: [link]
Viral Massacre: [link]
Noob Killer: [link]
TuneUp Utilities: [link]

Clean the registry using these tools, then restore your wallpaper.