Tuesday, May 19, 2009

Worm.Win32.Kido @ Conficker Worm

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. The worm uses a combination of advanced malware techniques which have made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.

Check whether your computers are infected with the Conficker worm.


Sunday, April 26, 2009

Sality Virus Removal

Sality is a family of file-infecting viruses that spread by infecting .exe and .scr files. The virus also includes an autorun worm component that allows it to spread to any removable or discoverable drive. In addition, Sality includes a downloader trojan component that installs additional malware via the Web.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.


- I managed to remove this virus using Kaspersky Virus Removal Tool with the latest virus definitions.
- You can easily download this tool from the Kaspersky Lab website or from Softpedia.com. It's free.
- Just install the tool and run it.
- When it detects the Sality virus, please CHOOSE disinfect.
Never CHOOSE Delete, or else all the programs on your PC will disappear, because Sality infects all your .EXE program files and system files.
If you choose to delete, nothing will work on your PC after that.

Friday, April 24, 2009

Restore printer Spool service after Bulubebek Infection

First of all you need to remove the Bulubebek infection.

After that,

*let's assume that the Bulubebek infection has been cleaned and your PC is not infected with another virus*

to restore your Print spool Service :-

1. Click Start > Run.
2. Type services.msc and press Enter.
3. In the right panel of Services, find the Print Spooler service and make sure it is Started.
4. If the Print Spooler service is not listed:
5. Click Start > Run.
6. Type regedit and press Enter.
7. In the left panel of Registry Editor, expand
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Spooler

8. In the right panel you should see Start and Type. Delete both of these values.
9. Create a new value by right-clicking in the right panel and selecting New.
10. Select DWORD Value and rename it Start.
11. Double-click it, enter the value 2 and select the Hexadecimal base.
12. Create another new value by right-clicking in the right panel and selecting New.
13. Select DWORD Value and rename it Type.
14. Double-click it, enter the value 110 and select the Hexadecimal base.
15. You should now see both values (Start and Type) in the right panel.

16. Reboot your PC.

Restore Audio after Bulubebek Infection

First of all you need to remove the Bulubebek infection.

After that,

*let's assume that the Bulubebek infection has been cleaned and your PC is not infected with another virus*

to restore your PC's audio :-

1. Click Start > Run.
2. Type services.msc and press Enter.
3. In the right panel of Services, find the Windows Audio service and make sure it is Started.
4. If the Windows Audio service is not listed:
5. Click Start > Run.
6. Type notepad and press Enter.
7. Copy the script below and save it as audio.reg (save it on c:\):

Windows Registry Editor Version 5.00

; Key path, Start and Type added here so the file imports as a complete AudioSrv service entry (0x20 = shared-process service)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv]
"Description"="Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."
"DisplayName"="Windows Audio"
"Start"=dword:00000002
"Type"=dword:00000020

8. Run the file by double-clicking it.
9. Click Yes.
10. Reboot your PC.
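The two procedures above (Print Spooler and Windows Audio) both come down to "is the service registered, and are its Start and Type values right?". Here is an added PowerShell script, not part of the original post, that performs that check for both services and, with -Repair, writes the values back. The Spooler values (Start=2, Type=0x110) are the ones given in the post; the AudioSrv values (Start=2, Type=0x20) are the Windows XP defaults for a shared svchost-hosted service and are an assumption of this example.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Expected values: Spooler Start=2, Type=0x110 (from the post); AudioSrv Start=2, Type=0x20
# (Windows XP default for a shared svchost-hosted service; assumed here).
$ExpectedServices = @(
    @{ Name = 'Spooler';  Start = 2; Type = 0x110 },
    @{ Name = 'AudioSrv'; Start = 2; Type = 0x20  }
)

function Test-ServiceRegistration {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Start,
        [Parameter(Mandatory)][int]$Type,
        [switch]$Repair
    )

    $key    = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $report = [ordered]@{ Service = $Name; Status = 'not registered'; Problems = @() }

    # What steps 3 and 4 of the procedures look at in services.msc
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if ($svc) { $report.Status = [string]$svc.Status }

    if (-not (Test-Path -Path $key)) {
        # Nothing to repair value by value: the whole service key has to be recreated
        $report.Problems += "registry key $key does not exist"
        return [pscustomobject]$report
    }

    $values = Get-ItemProperty -Path $key
    foreach ($pair in @(@('Start', $Start), @('Type', $Type))) {
        $valueName, $want = $pair
        $have = $values.$valueName
        if (($null -eq $have) -or ($have -ne $want)) {
            if ($null -eq $have) {
                $report.Problems += "$valueName is missing"
            } else {
                $report.Problems += ('{0} is 0x{1:X} but should be 0x{2:X}' -f $valueName, $have, $want)
            }
            if ($Repair) {
                # Same effect as deleting and recreating the DWORD in regedit
                Set-ItemProperty -Path $key -Name $valueName -Value $want -Type DWord
                $report.Problems += ('{0} reset to 0x{1:X}; reboot to apply' -f $valueName, $want)
            }
        }
    }
    return [pscustomobject]$report
}

foreach ($svc in $ExpectedServices) {
    # Add -Repair to write the expected values back
    Test-ServiceRegistration -Name $svc.Name -Start $svc.Start -Type $svc.Type | Format-List
}
```

A service whose key is missing altogether is reported but not rebuilt, since Start and Type alone are not enough to register it.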


Saturday, April 11, 2009

2.BAT Cloaked Malware

File Behavior

• The Process is packed and/or encrypted using a software packing process
• Executes a Process
• Writes to another Process's Virtual Memory (Process Hijacking)
• This process creates other processes on disk
• This Process Deletes Other Processes From Disk
• Creates a new Background Service on the machine
• Injects code into other processes
• Copies files
• Registers a Dynamic Link Library File

2.BAT also:

• Created as a process on disk
• Deleted as a process from disk
• Executed as a Process
• Has code inserted into its Virtual Memory space by other programs
• Added as a Registry auto start to load Program on Boot up

The same malware has also been seen using the following file names:

• 1.BAT
• 44546234.SVD
• 3.BAT
• 52632502.SVD
• 32616742.SVD

File Activity

One or more files with the name 2.BAT creates, deletes, copies or moves the following files and folders:

• Creates c:\windows\system32\drivers\klif.sys
• Deletes c:\windows\system32\drivers\klif.sys
• Deletes c:\windows\system32\olhrwef.exe
• Deletes c:\windows\system32\nmdfgds0.dll
• Creates c:\windows\system32\nmdfgds0.dll
• Deletes c:\2.ba
• Copies file c:\windows\system32\olhrwef.exe to c:\2.ba
• Deletes c:\autorun.in
• Creates c:\autorun.in
• Deletes d:\2.ba
• Copies file c:\windows\system32\olhrwef.exe to d:\2.ba
• Deletes d:\autorun.in
• Creates d:\autorun.in
• Deletes c:\docume~1\user\locals~1\temp\help1.rar
• Creates c:\docume~1\user\locals~1\temp\help1.rar
• Creates c:\docume~1\user\locals~1\temp\help.exe
• Deletes c:\docume~1\user\locals~1\temp\help.exe
• Copies file c:\docume~1\user\locals~1\temp\help.exe to c:\windows\system32\olhrwef.exe
• Deletes c:\windows\system32\nmdfgds1.dll
• Creates c:\windows\system32\nmdfgds1.dll

Registry Activity

One or more files with the name 2.BAT creates or modifies the following registry keys and values:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value cdoosoft = C:\WINDOWS\system32\olhrwef.exe

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden value:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden value:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NoDriveTypeAutoRun [REG_DWORD, value: 00000091]

Website Activity

One or more files with the name 2.BAT interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

• TCP: Port:17
• Port 80 IP:
• TCP: Port:17
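The file and registry activity above reads directly as a host check. Here is an added PowerShell script, not part of the original post, that looks for those traces read-only: the cdoosoft Run value, the dropped olhrwef.exe and nmdfgds*.dll files in system32, an autorun.inf plus 2.bat pair at the root of each drive, and a NoDriveTypeAutoRun policy below 0xFF (the report shows 0x91). The full names autorun.inf and 2.bat are assumed from the report's truncated autorun.in / 2.ba entries and the post's title.

```powershell
# Added example, not from the original post: read-only check for the traces in the report above.
$RunKey        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$PolicyKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$DroppedFiles  = @('olhrwef.exe', 'nmdfgds0.dll', 'nmdfgds1.dll') |
    ForEach-Object { Join-Path (Join-Path $env:SystemRoot 'system32') $_ }
$RootDropNames = @('autorun.inf', '2.bat')   # assumed full names of the report's autorun.in / 2.ba

function Find-CloakedBatTraces {
    $findings = New-Object System.Collections.Generic.List[object]

    # Persistence: the Run value named cdoosoft that launches olhrwef.exe at logon
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['cdoosoft']) {
        $findings.Add([pscustomobject]@{ Kind = 'RunKey'; Detail = "cdoosoft = $($run.cdoosoft)" })
    }

    # Dropped components in system32 ([IO.File]::Exists sees hidden files too)
    foreach ($path in $DroppedFiles) {
        if ([System.IO.File]::Exists($path)) {
            $findings.Add([pscustomobject]@{ Kind = 'DroppedFile'; Detail = $path })
        }
    }

    # Autorun spreading: the copied executable next to an autorun.inf at a drive root
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $present = $RootDropNames | ForEach-Object { Join-Path $drive.Root $_ } |
            Where-Object { [System.IO.File]::Exists($_) }
        if (@($present).Count -eq $RootDropNames.Count) {
            $findings.Add([pscustomobject]@{ Kind = 'AutorunPair'; Detail = ($present -join ', ') })
        }
    }

    # The report shows NoDriveTypeAutoRun = 0x91, which leaves AutoRun enabled for removable
    # and fixed drives; 0xFF disables AutoRun for every drive type
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($pol -and $null -ne $pol.NoDriveTypeAutoRun -and $pol.NoDriveTypeAutoRun -ne 0xFF) {
        $findings.Add([pscustomobject]@{
            Kind   = 'AutoRunPolicy'
            Detail = ('NoDriveTypeAutoRun = 0x{0:X2}; 0xFF disables AutoRun on all drive types' -f $pol.NoDriveTypeAutoRun)
        })
    }
    return $findings
}

$found = Find-CloakedBatTraces
if ($found) { $found | Format-Table -AutoSize } else { 'No traces of the 2.BAT sample found.' }
```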

Friday, April 3, 2009


TCP/IP, also known as the Internet Protocol suite or the networking model, is a set of communications protocols used for the Internet and other similar networks. It is divided into four protocol layers.

Application Layer Protocol

* Computer programs talk to the Application layer. Each kind of program talks to a different Application protocol, depending on the program's purpose, such as SMTP or FTP.

* After processing the program's request, the protocol on the Application layer talks to a protocol from the Transport layer, usually TCP.

Transport Layer

* The Transport layer is in charge of getting the data sent by the upper layer, dividing it into packets and sending them to the layer below.

* Also, during data reception, this layer is in charge of putting the packets received from the network in order and also checking if the contents of the packets are intact.

Internet Layer

* IP (Internet Protocol) gets the packets received from the Transport layer and adds virtual address information:
- the address of the computer that is sending the data.
- the address of the computer that will receive the data.

* Then the packet is sent to the lower layer.

Network Access

* The Network Access layer takes the packets sent to it and sends them over the network.

* It receives packets from the network and passes them up to the Internet layer.

Computer Operating System


A collection of computer programs that brings together the computer's hardware resources (mouse, printer, storage devices and memory) and keeps those hardware resources ready for use by the user.

Lets the user access the computer productively, on time and efficiently.

In other words, it acts as an intermediary between the user and the computer system.


Works as the system manager, controlling every piece of hardware and software and acting as the interface between the user and the system.

The OS contains collections of programs that work together as a group to carry out many kinds of tasks.

Functions of the OS

Provides an interface for the user to use the computer.

There are two kinds of interface: the command-line interface and the graphical interface.

a) Command-line interface: the user has to type commands. MS-DOS is a command-line based OS.

 Example: C:\> copy c:\myfile a:\yourfile

 This command line tells the computer to copy a file from hard disk C to floppy disk A.
 The command-line interface suits experienced users better.
 Operating systems such as Unix and Linux also use a command line.
 The command-line interface is used less and less, but is still used in mainframe systems and server systems on the Unix platform.

b) Graphical interface: relies on graphics-based software that lets text be integrated with graphical images.

 Components of a graphical interface include icons, dialog boxes and menus.
 Examples of software that uses a graphical interface are BeOS, Macintosh and Windows.
 GUI users interact with the OS and other software packages using pointing devices such as the mouse, and the keyboard, to enter commands.
 A GUI makes things much easier for the user, who no longer has to memorise and enter all the complex commands a command-line interface requires.

Managing hardware:

Hardware includes input devices (mouse, keyboard, scanner), output devices (printer, screen, audio, video), secondary storage (hard disk) and main memory (RAM).

The OS coordinates and keeps track of which program needs which piece of hardware.

Managing the hard disk file system

The OS manages the flow of data from input components (keyboard) to output (monitor).

The OS manages the flow of data from secondary storage to main memory and from main memory back to secondary storage.

Managing processes, i.e. the running of other software:

Think of one running program as one process. If the user runs three programs at once (for example creating graphics in Adobe Photoshop, browsing the Internet with IE and listening to music in Windows Media Player), three different processes are executing on the computer.

The OS is responsible for keeping all three processes running smoothly and preventing anything that could cause the computer to hang.

 Other functions of the OS:

1. To support interaction between the computer and the user.
2. To support communication between the computer's components.
3. To reduce the time taken to carry out the user's commands.
4. To optimise the use of the computer system's resources.
5. To keep track of every file in disk storage.
6. To ensure the security of the computer system.
7. To monitor all system activity and warn the user about any problem with the system.

Features of an OS

1. Multitasking
2. Multi-user
3. Multiprocessing
4. Batch
5. Virtual memory


 The ability of a computer system to handle more than one task at the same time.
 Lets a user start a new task without leaving the task currently in progress, and use the result of the second task in the first.
 Example: a user can create a chart in MS Excel while using MS Word and insert that chart into the document being written in MS Word.

Computer External Storage


• Optical Drive
• Hard Drive
• Floppy Drive
• Network Attachment Storage (NAS)


• CD-R

Both technologies (CD-R and CD-RW) use a small laser in the drive to record.

New on the market are CD-Rs that burn reliably at up to 16X speed and discs that can hold up to 700MB of data, rather than the more common 650MB.

When buying media, make sure that you match the media speed to that of your drive. Trying to burn an 8X CD-R at 12X is a sure way to ruin a disc.

Most CD-RW drives come with both software to burn a CD-R and packet-writing software, which lets you use a CD-RW just the same way that you use a hard or floppy disk, dragging and dropping files to the disc.


• Uses laser technology.
• Can contain text, graphics, video and sound.
• Read Only means that the data cannot be erased or modified.
• For a computer to read the items on a CD-ROM, you must place it in a CD-ROM drive.
• A CD-ROM can hold up to 700 MB of data.
• CD-ROM drive speed affects the quality of playback; it is measured by the data transfer rate, that is, how quickly the drive transmits data from the CD-ROM.


• Allows the user to read data on all CD formats.
• Allows the user to write to a compact disc using their own computer.
• Data can be written to the disc in stages.
• Stored data cannot be deleted. The user must have CD-R software and a CD-R drive to use it.


• Allows the user to read data on all CD formats.
• Allows the user to write to the disc multiple times.
• To use it the user must have CD-RW software and a CD-RW drive.


• A high-capacity compact disc holding from 4.7 GB to 17 GB of data, suitable for storing large items such as video.
• To read a DVD-ROM the user must have a DVD-ROM drive or a DVD player.

• Finally, some DVD-ROMs are double-sided: the user must remove the DVD-ROM and turn it over to read the other side.
• Available in a variety of formats, one of which stores digital or audio data.


• Allows the user to write once and read many times.
• Specifications (example):
• Capacity - 4.7GB
• Speeds (DVD) - 2x write/ 1x rewrite/ 6x read
• Speeds (CD) - 8x write/ 8x rewrite/ 24x read
• Interface - IEEE 1394
• Buffer Size - 2 MB
• Access Time - 180-200 ms
• Warranty - 1 Year

System Requirements:
For Windows Users
• 800 MHz processor or greater
• 128MB of RAM
• Built-in FireWire port

For Macintosh Users
• G4
• 128MB of RAM
• Built-in FireWire port


• Hard disks store the majority of information on today's modern computer.
• Data can be stored and deleted.
• The hard disk retains information stored on it, with or without power.
• Hard Drive capacity is measured in GigaBytes, or 1 million megabytes (MB).
• Hard Drives connect to the motherboard (or sometimes an expansion card) through one of two special interfaces:
1. Integrated Drive Electronics (IDE)
2. Small Computer Systems Interface (SCSI, pronounced "scuzzy").

How a hard disk works

• Most hard disks have multiple platters stacked on top of one another, and each platter has two read/write heads, one for each side.
• The hard disk has arms that move the read/write heads to the proper location on the platter.
• The location of the read/write heads is often referred to by its cylinder: the location of a single track through all the platters.
• While the computer is running, the platters in the hard disk rotate at high speed, usually 5,400 to 7,200 revolutions per minute.
• Access time is from 5 to 7 milliseconds and can be improved with disk caching. A disk cache is a portion of memory that the CPU uses to store frequently accessed items.


• Can be inserted into and removed from a hard disk drive.
• Advantages:
– Used to store larger files
– For backups
– For data security: the user can remove the hard disk, leaving no secret data on the computer.
• Networks, minicomputers and mainframe computers often use disk packs.
• A disk pack is a collection of removable hard disks mounted in the same cabinet.

Maintaining data stored on a hard disk

• A hard disk typically lasts somewhere between three and five years, although many last much longer with proper care.
• To prevent the loss of items stored on a hard disk, you should perform preventive maintenance such as defragmenting or scanning the disk for errors.
• Operating systems such as Windows XP provide many maintenance utilities.


• A floppy disk or diskette is a portable, inexpensive storage medium that consists of a thin, circular, flexible plastic disk enclosed in a square plastic shell.
• The term portable means the storage medium can be moved from one computer to another.
• A floppy disk drive is a device that can read from and write to a floppy disk.


• Can store large files containing graphics, audio or video.
• To make a backup. Backup is a duplicate of an original file and can be used if the original is lost or damaged.
• SuperDisk™ drive with capacity 120MB is developed by Imation.
• Sony Electronics Inc. has developed HiFD™ (High Capacity FD) with capacity 200 MB.
• Zip® drive developed by Iomega Corporation, with capacity 250 MB.

Network Attachment Storage (NAS)

• Traditional methods of solving a shortage of disk space: extending the capacity of a server's disk subsystem, or buying a new server.
• The NAS technology was developed as an alternative to universal servers carrying many functions (printing, applications, fax server, e-mail etc.).

• NAS servers implement only one function, the file server function, and so fulfil it better, more simply and faster.
• Advantages of NAS:
1. Easy installation and administration
2. Lower cost
3. Support for access restriction standards
4. Universality for clients (one server can service MS, Novell, Mac and Unix clients)
5. Support for most backup programs
6. Access to data even when a master server is out of order
7. Transmission of huge amounts of information (multimedia, presentations etc.)

• Data Replication & Mirroring
• Email Archiving
• Hot Failover
• IP Based Storage


• An e-mail archive is a repository kept in a non-production environment to provide secure retention of messages for compliance and operational purposes.
• It is not good policy to treat backups made for disaster recovery as archives.
• It makes sense to establish the difference between archives and backups in everyone's mind and in day-to-day practice.
• Use backups to restore e-mails at users' request
• Keep backups for long periods of time
• To search tapes in response to an opponent's discovery request.
• On the other hand, backups used solely for business continuity and routinely overwritten at short intervals — say, 90 days or less — have a fighting chance to be excluded from legal discovery.


• Failover is a backup operational mode in which the functions of a system component (such as a processor, server, network, or database, for example) are assumed by secondary system components when the primary component becomes unavailable through either failure or scheduled down time.

• Used to make systems more fault-tolerant, failover is typically an integral part of mission-critical systems that must be constantly available.

• The procedure involves automatically offloading tasks to a standby system component.

• Failover can apply to any aspect of a system:

1. Personal computer: for example, failover might be a mechanism to protect against a failed processor.

2. Network: failover can apply to any network component or system component, such as a connection path, storage device, or Web server.

Computer Server

A computer software application that carries out certain tasks (i.e. provides services).

Specialised for data storage.

Provides expensive facilities, e.g. fast printers, e-mail, remote login.

Designed to provide information processing to multiple users and to run multiple application programs at the same time.
Allows more than 100 users to interact with the computer system at once.

Advantages:
1. Reduces the computer centre's overall cost of buying computer devices and peripherals.
2. A server computer needs no I/O devices of its own as long as it is connected to the network.

Client Server

 Client and server computers are needed in a client/server network.

 One or more computers act as servers; the rest act as clients.

 The server controls access to hardware and software, including shared storage space for storing data and information.

 Every computer needs a NIC (Network Interface Card) so that the computers can be connected to one another.

 The server must run a network operating system, e.g. Windows Server 2003, Windows NT.

Local Area Network

Server Type

 Types of server:
1. Application server
2. Entry-level server
3. Web server
4. E-mail server
5. Mainframe server
6. Mid-range server

Application Server

 A server on a computer network that runs certain software applications.

 Acts as middleware for other programs.

 Communicates with the web in the form of HTML and XML, connects several databases, and links the system to legacy equipment the application server cannot otherwise take over.

 Example: a portal is the most common application-server mechanism, where the organisation manages the information.

E-mail Server

 Sets up a messaging system that lets users use e-mail applications over a LAN or the Internet.

 Examples: Yahoo Mail, Hotmail

Web Server

 Acts as the host when running one of the multiplatform server programs.

 Example: Apache HTTP Server

 Example clients: IE, Netscape, Mozilla Firefox

Mainframe Server

 A very large, very powerful server computer.

 Used to run large business operations.

 Also called "Enterprise Servers" or "Super Computers".

 Contains several CPUs, memory modules and disk drives.

 Hot-swappable power supplies and uninterruptible power supplies, all fitted directly to the machine.

 Companies that produce this kind of server include IBM, Sun Microsystems, HP and SGI.

Mid-range Server

 VAX (Virtual Address eXtension) is a server launched by Digital Equipment Corporation (DEC).
 The VAX has a 32-bit processor and virtual memory.
 It competed with Hewlett-Packard and IBM computers in the small-enterprise and university/scientific markets.
 Today this class of server is better known as the minicomputer.
 VAX and its competitors now sell "servers" for business networks that use the client/server computing model.

Entry-level Server

 Example: Server Matrix
 More capable of handling high-traffic websites and processor-intensive applications.
 Able to address data-centre facility and tier-one network problems.

Computer RAID


 RAID is an acronym for "Redundant Array of Inexpensive Disks".

 A configuration of multiple hard drives that provides fault tolerance and improved data access times.

 RAID was traditionally only found in the domain of servers

 But inexpensive IDE RAID solutions now mean many desktop computers can benefit from the same data redundancy, and performance increases for applications like video editing.

Implement RAID

 RAID is a technology that uses multiple hard drives to increase the speed of data transfer to and from hard disk storage.

 It also provides instant data backup and fault tolerance for any information you store on a hard drive.

 The hard drives are joined in an array (a single logical drive, as far as the operating system is concerned) and all disks share the data written to them in some form.

 There are several different implementations, or 'levels' of RAID, ranging from RAID 0 to RAID 53.

RAID array:

 A group of hard drives linked together as a single logical drive.

 Must be connected to one or more hardware RAID controllers

 or be attached normally to a computer using a RAID capable operating system, such as Windows XP Professional.

 A procedure in which data sent to a RAID array is broken down and portions of it written to each drive in the array.

 This can dramatically speed up hard drive access when the data is read back, since each drive can transfer part of the data simultaneously.

 Striping data on two or more drives actually reduces reliability

 If a single drive in the array fails, all data is lost as each physical hard disk only contains a fragment of the data which is useless without the rest.

 A procedure in which data sent to a RAID array is duplicated and written onto two or more drives at once.

Parity & Common Types of RAID

 In the majority of RAID implementations, a whole drive, or an area of one or more of the drives in the array is dedicated to storing parity information.

 Each time a bit of information (a digital 1 or 0) is written to every drive in a striped RAID array, an additional parity bit is generated and stored.

 If one of the data drives fails, a new drive can be added and, by comparing the information present on the surviving data drive with the corresponding parity information from the parity drive, the missing information can be written onto the replacement drive a bit at a time.
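The parity mechanism described above, as an added PowerShell example that is not part of the original post: a constructed three-drive stripe, its XOR parity block, the rebuild of one lost block from the survivors plus parity, and the all-zero consistency check a scrub performs. The block contents are made-up sample data.

```powershell
# Added example, not from the original post. Parity in a striped array is the XOR of the
# data blocks in each stripe, so any single missing block is the XOR of the other blocks
# and the parity block. Two missing blocks in one stripe cannot be rebuilt this way.
function Get-XorBlock {
    param([Parameter(Mandatory)][object[]]$Blocks)
    $length = ([byte[]]$Blocks[0]).Length
    $result = New-Object byte[] $length
    foreach ($block in $Blocks) {
        $bytes = [byte[]]$block
        if ($bytes.Length -ne $length) { throw 'All blocks in a stripe must be the same size.' }
        for ($i = 0; $i -lt $length; $i++) {
            $result[$i] = $result[$i] -bxor $bytes[$i]
        }
    }
    return ,$result    # leading comma keeps the byte[] from being unrolled
}

# Constructed sample stripe: three data drives, each holding one 16-byte block
$drives = @(
    [System.Text.Encoding]::ASCII.GetBytes('DRIVE-0 BLOCK  1'),
    [System.Text.Encoding]::ASCII.GetBytes('DRIVE-1 BLOCK  1'),
    [System.Text.Encoding]::ASCII.GetBytes('DRIVE-2 BLOCK  1')
)
$parity = Get-XorBlock -Blocks $drives   # what the parity drive stores for this stripe

# Drive 1 fails: rebuild its block from the surviving data drives plus the parity block
$failed    = 1
$survivors = New-Object System.Collections.ArrayList
for ($d = 0; $d -lt $drives.Count; $d++) {
    if ($d -ne $failed) { [void]$survivors.Add($drives[$d]) }
}
[void]$survivors.Add($parity)
$rebuilt = Get-XorBlock -Blocks $survivors.ToArray()

$original = [System.Text.Encoding]::ASCII.GetString($drives[$failed])
$restored = [System.Text.Encoding]::ASCII.GetString($rebuilt)
"Rebuilt drive $failed as '$restored' (matches original: $($restored -eq $original))"

# Consistency check (what a RAID scrub does): all data blocks XOR the parity block is all zeros
$zeros      = Get-XorBlock -Blocks ($drives + (,$parity))
$consistent = -not ($zeros | Where-Object { $_ -ne 0 })
"Stripe parity consistent: $consistent"
```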

 RAID technology began as a method to provide additional data security to business servers

 Many of the RAID levels are still almost exclusively used in the business domain, due to the cost of the required hardware.

 Since the lower levels of RAID are easily implemented on modern computers and need only a pair of drives and a RAID-capable drive controller (hardware) or operating system (software), RAID 0 and RAID 1 implementations have become common in high-end desktop PCs.

 RAID 0 is used to gain additional performance from conventional drives by pairing them up, while RAID 1 provides a very simple and effective form of backup by duplicating or 'mirroring' all data on a second drive.

Types of RAID

 Most Hardware RAID controllers intended for the enthusiast or small business markets support only three levels of RAID; RAID 0, 1 and 0+1.

 These are the only levels of RAID that do not require the use of parity, as this feature adds greatly to the complexity and expense of the controller.


• RAID 0 uses multiple hard drives to stripe data over one large logical drive.

• While there are physically two drives, the computer logically sees just one.

• The RAID 0 configuration is typically used when there are data-intensive applications because it offers the fastest data access, though no redundancy

 RAID 0 can essentially combine two hard drives into one using striping, and greatly increase the speed that the drives transfer data.

 This has one obvious disadvantage. There is no fault tolerance.

 If any drive fails, all the data is lost.


• Fault tolerance is the cornerstone of RAID 1.

• In this configuration, two identical physical drives are used, with one drive mirroring the information on the other.

• A RAID 1 configuration is ideal for data redundancy, though storage is more costly as only 1/2 the total drive space of both hard drives is available.

 A mirrored disk array is composed of a set of two physical hard drives, each of which contains a full copy of all data sent to the logical drive that represents the array.

 This has a couple of advantages :

1. Any data stored on a RAID 1 array is completely and automatically backed up, and in the event of the failure of one drive, the other can be substituted without a hitch.

2. Secondly, data can be read from both drives simultaneously, increasing the speed of data retrieval.

 In the event one of the drives in the array fails, a new drive can be added, the array rebuilt, and the RAID controller will duplicate the information onto the new blank drive.

 The disadvantage of RAID 1 is that unlike striping, a mirrored array can use only half of its total free space for storage, since one disk is an exact duplicate of the other.

RAID 1+0

 This RAID level combines the best features of RAID 0 and 1. (Striped array with mirroring)

 It requires a minimum of four physical drives to implement, so it is not cheap.

 Essentially, two pairs of striped drives are mirrored together to provide fault tolerance.

 The mirroring provides the fault tolerance, though if any drive is lost, it must be immediately replaced and the array rebuilt, since it cannot handle the loss of more than one drive.

 Intended for business use, these levels of RAID use the parity system as explained above to provide varying levels of fault tolerance.

 RAID solutions at this level generally come as an add-in controller card or a dedicated storage rack and are intended to work hand-in-hand with hot-swappable hard drive mountings.

 With this setup, any failed drives can be swapped out for new ones on the fly, and the missing data quickly restored by using the parity data.

Hardware & Software RAID

 Depends on your means and expectations.

 Software RAID, in Windows XP Pro at least, is much easier to set up and much more flexible in terms of disk use than a hardware-based system.

 A second factor to consider is whether you want your operating system disk to be part of the RAID array you create.

 The software solution provided by Windows 2000 or XP is easier and cheaper.

Using RAID:

 To store a high capacity of data

 Suitable for servers

 As a system backup

 Many levels of RAID, from RAID 0 to RAID 53

Computer Sound & Graphic Card

What is sound card

• Sound cards are special expansion cards that enable computers to play audio.

• They consist of one or more chips that convert digital sound data to analog sound played through the speakers.

• 2 types of sound card :

a. built-in sound card

b. sound card in the motherboard.

Built-in sound card

• Built into the computer system.

• External speakers are not required.

Sound card on the motherboard

• External speakers are required.

• A sound jack (PS/2 for the speaker) is needed to connect the external speakers to the motherboard.

• All PCs use these sound cards.

• Used for laptops/notebooks.

Graphic Card

• Enables the use of graphics standards.

• Puts the video graphics on the screen.

What is a Bus?

• Signal Pathways

• A way of passing information between components inside and outside the computer.

• A modular way of expanding the functions or capabilities of the computer.

PC Bus Architectures

• VL-Bus
• PC Card

Peripheral Component Interconnect (PCI)

• Developed for Pentium-class processors
• 32-bit and 64-bit data path versions
• 33-MHz Clock
• Processor Independent
• Plug and Play with Bus Mastering

Accelerated Graphics Port (AGP)

• Developed for high speed graphics cards
• Frees the PCI bus from making video transfers
• Used only for video cards
• Considered a port rather than a bus
• 66 MHz, 32-Bit

Computer Cooling

• Cooling vents are usually in the front and rear of the case, but in some newer cases can be elsewhere as well.

• These allow air to be circulated by the power supply fan and any auxiliary fans used by the case.

• The most common location of additional cooling fans is the front of the case, opposite the main power supply fan, but some larger cases have cooling fan mounting locations in many places.

• These cases use plastic ducts or tubes to concentrate air flow in a specific direction, which may help the fans do a better job than would be accomplished through standard case air convection.

• The devices that require cooling:

1. Processor
2. Computer case

Your PC

Windows vs. Mac vs. Linux - Windows vs. Mac has long been a perennial debate, and it's still a personal decision as to whether that OS is right for you. But now desktop Linux is on the rise, complicating things even further. It's all very confusing, but here's some advice: Don't jump from Windows to a Mac or Linux without spending a little hands-on time with the OS, either at a physical store or a friend's house. Both are very similar to Windows in many ways, but some substantial differences remain. I regularly recommend both alternatives for readers, but not unless they've experienced Mac OS or Linux in the flesh first.

Desktop vs. Laptop - Most people know this answer coming in, but many are still confused about whether they should go portable. A key issue is price: Expect to pay an extra $500 for a comparably equipped laptop vs. a similar desktop (sans monitor). Is that premium worth it to you for the extra mobility? If so, make the jump to laptop. Don't forget, though: Your laptop will be dead after anywhere from one to three years of use, depending on how rough you are with it. A good desktop PC will last you five years or more, and even longer with appropriate upgrades.

CPU - I'm assuming we're talking a Windows Vista or XP PC from here on out, as that represents the vast majority of computer buyers. (Linux and Mac PCs have far fewer choices when it comes to specs, so just roll with what's available.) As for CPU, right now Intel Core 2 Duo is the way to go, especially on laptops. The AMD Athlon 64 or Phenom are still solid choices for desktops, especially if you're on a budget. Don't get Celeron- or Sempron-based systems if you can help it. Also, it's not worth buying the very fastest CPU on the market. A good rule of thumb is to get a CPU that is two rungs down from the top, speedwise. You'll be getting great performance at a very good price.

RAM - This one's easy. In the Vista world, you need 2GB of RAM. Less will slow down your computer. More will do you no additional good. Don't worry about the speed of the RAM, cache, front side bus, or any of that stuff.
Hard Drive - Even an entry-level drive is more than enough for most people, unless you do loads of video editing on your computer. Even starter computers usually come with 250GB of hard drive space or more now. Upgrade as you need it.

Optical Drive - Unless you are set on high-definition DVD, a dual-layer DVD writer (standard on most machines now) is all you need.

Graphics - Unless you're spending under about $1,000 (laptops) or $600 (desktops), avoid integrated or "shared" graphics. They will noticeably slow your system under Vista and any gaming will be impossible. You don't need to break the bank to get a good graphics card; an Nvidia GeForce 8500GT supports DirectX 10 and can be found for a mere $70, for example. PC makers tend to offer only a couple of video card options with new computers, so get what you can afford, Nvidia or ATI, as long as it's DirectX compatible.

Laptop Screen Size - 15.4-inch laptops are the mainstream now. You'll find the best deals on machines at this size. However, plenty of smaller options abound, at 14 inches, 13.3 inches, and even smaller, but I personally find the lack of screen real estate makes me less productive below 15.4 inches. Again, it's up to you... and remember that those sexy ultraportables have stripped-down components (to keep them light) and can cost much more than larger laptops. 17-inch laptops (aka "desktop replacements") are another option, but they are not terribly feasible if you travel with them.

Choosing Your Computer

How to Choose a PC
In today's market, there are almost infinite variables when choosing a PC. How can you choose a PC when you walk into any computer store and there are 5-10 major brands that all seem similar other than slight differences in appearance and incentives? As I stated in the processors article, most of the big guys use proprietary equipment that is slow, detrimental to your computer's longevity and does not leave cost-effective options for upgrading. I will be ignoring any and all computers with proprietary equipment. I feel they are an insult to consumers and take advantage of an overcrowded market with underhanded marketing tricks. Most do not even offer support anymore; they outsource it to the lowest bidder, usually overseas. Choosing a PC can be tricky because of all the confusing information made available. I know most of you are not going to read all my articles on components, but I suggest reading Buss Speed and Motherboards, as they are very relevant and informative to choosing a new PC. Your goal is a well-balanced PC. By balance I mean that the transfers inside the computer are all the correct speeds to make sure the information from component to component can flow smoothly and not get stuck, causing bottlenecks, backups and lag. Picture your PC as a network of pipes. What will happen if you have a big 4" pipe flowing at full capacity into a small 2" pipe? It will not slow down for the 2" pipe; it will back up and flood. Same with PCs: the data will flood the components and finally cause them to freeze, cause blue screens and other critical errors. I'm going to teach you two things. One of them is that ANY PC can do the basic features: trading pictures, photo editing, music etc. I will show you the statistics that determine how well they do these functions and what software and operating systems control the features.
Also a PC, even one that is purpose built, can and will do other things; it just may perform better at its purpose. The other is how to identify and buy a well-balanced PC that will lower the total cost of ownership. What this means is that I will show you how to build a PC that will last upwards of five to seven years (over the two-year average of most proprietary builders) before it becomes "too slow". We will start with a question.

What do you use your PC for?

Gaming Computers:
This is the majority of our customers. You want fast, high resolution gaming for cheap. But you also seem to want bragging rights. We see the component lists and wish lists on the forums from retailers showing your builds, and the choices are made almost strictly on model numbers and marketing instead of performance. This is bad. We also see you make huge cuts in components to make room for a video card that is way too large for the PC. This will not get you more performance. It will actually overwork the rest of your choking components and lag you more. We constantly see computers with some fast components built at home that score lower than our Gamer LvL 1 in Future Mark tests. This is because of the dangers of a build-at-home environment versus a clean room, and the fact that you are not choosing balanced components.

Business Computers:
This is where we see a lot of people get victimized. Business PCs do not have to be that powerful in most cases, but they need to be reliable and able to stand up to constant data changing, long hours and multiple users with little or no updates. You want a tank, not a Ferrari. Keep in mind tanks can cruise at 40-60 miles per hour on any terrain, so they are not slow. You also want to lower your total cost of ownership with low electric usage from computers that will last for years and offer low cost upgrading options.

Home Computers:
Home users actually have it easy. Most component makers are so caught up in the war to be the fastest that you can use almost anything and be very happy with the performance. The problem lies when companies sell low priced stuff targeted to your market. These are usually "too good to be true" items. There is a minimum cost for building a PC; anything less is a lot less than you want. Component prices usually only change three times. They come out priced high, then settle when their competitor releases a competing product, then finally go to their final pricing when newer technology replaces them. That's where they sit for about a year or two until they become obsolete. When this happens any leftover components are sold at an extremely reduced cost to free up space. This is not a bargain sale! This is outdated stuff that cannot survive in today's environment; if it could, it would still be on the shelf! I know it sounds like I contradicted myself because L2 claims our computers last 5-7 years, but our component choices usually stay on the shelf for 3-5 years. See the problem here? You are buying an almost decade-old component!

Now You are ready to choose your PC
The basis for any good PC is a solid motherboard and PSU (power supply unit). You should demand a specification sheet on the motherboard to see if it supports the processor that is included with the PC. Motherboards will run faster processors than they can support, but only at the maximum supported speed. So if you buy a computer with a 3.2MHz processor and a 1333FSB (Front Side Bus) and the motherboard only supports 2.8 with a 1066FSB, it will run the 3.2, but at 2.8/1066. Is the PSU that important if I don't plan to upgrade? Yes! This is a common belief that is very wrong. While it is true you should plan ahead if you ever want to upgrade, making sure the PSU has enough power and the proper connections, it is also true you should check it out even if you don't plan to upgrade. A lot of companies just assume you will never push your PC hard enough to make the PSU work. But over time, as the PC gets bogged down and/or the internet updates the latest Java or Flash programs you use every day while browsing, the PSU is now stressed all the time. As the PSU becomes stressed it will cause locking, freezing, lagging etc., and it is extremely hard to trace these symptoms back to the PSU. This will seriously decrease the time you own the PC. Look for a PSU that is 80+ certified, or use the Thermaltake power supply calculator HERE and add about 40% if it's not 80+ certified (80+ means that it is 80% efficient or better). So if it says 500 watts you get 400, unlike some lesser quality PSUs that will give much less. Other notable statistics: processing power, measured in MHz. For example: 3.2MHz. How important is processing power? The sad answer is not very, for most users. While it is the heart of the computer because everything does need to be processed at some point, it is not what I call a "choke point". A choke point is my name for the weakest part of the component or PC, the part that is most likely to cause lag and delays. Processing speed has not changed for some time.
What has changed is how many cores (or mini processors) are inside one physical chip. We see dual and quad core a lot now. So that same 3.2 MHz processor is essentially two 3.2 MHz processors, or a 6.4 in the case of dual core. This is still not the most important statistic. The FSB (Front Side Bus) is by far the most important and most crucial decision. Also the cache (pronounced cash) will speed up processes, but only if your RAM can support it (I will explain later). The FSB is how much information your processor can accept at one time. The more information that comes in, the more information that is processed and sent out, and the faster the rest of your components can do their job. The processor can be as fast as it wants, but if you can't get the information into the processor then you are wasting your money.

RAM
Measured in MB or GB (GB = 1000MB)

This is the director of traffic for your PC. It has to be fast enough to transfer all the internal information to where it needs to go, while having enough power to make sure it reads the data and sends it to the right place. This is where a lot of people get cheap, especially gamers. People want the highest quad core processor, with a massive FSB and cache, but no RAM to get the data to it. The most notable statistics of RAM are the MHz, CL and DDR rating (example: 2 GB of 800 MHz CL3 DDR2). RAM is extremely technical, so I will oversimplify this. The DDR can be thought of as a bandwidth benchmark. DDR stands for double data rate, so it is essentially double the bandwidth, or transfer rate, of the previous model that was SDR (Single Data Rate). DDR2 is another improvement to bandwidth, as is DDR3. There are changes to voltage and architecture, but for the sake of just choosing a PC, I will stick to the easy meat and potatoes of the deal. So the higher the DDR number and the MHz the better, right? No, sorry, not that easy. There is the CL to consider also. The CL is the amount of time it takes to get information into the chip, process it and get it back out. So we need to factor four variables: cost, bandwidth, processing power and CL. The best general advice is to have enough of it. This would be a budget minded decision. Gamers need to pay closer attention to CL, although it still should be a factor for everyone else. I usually recommend half of the motherboard's maximum RAM. So if your motherboard can handle 8GB, I would recommend 4GB. This is very general, but a good guideline.

Video Card
Is a video card necessary? The answer is no. If your processor and RAM are strong enough and your onboard video chip has the proper drivers, shaders, DX level etc., you can replicate the results of a video card. Gamers and home users are the ones that get victimized by this the most. Yes, home users. Just because you don't play games doesn't mean you don't want to pay attention to graphics, and gamers put all their emphasis on the video card, which is also wrong. A video card is a small computer that is dedicated to rendering video and video effects. The problem is that this information must still be processed by the rest of the computer. If you were to take the fastest video card out and put it in a mid level computer, your PC would choke and be very slow. The key to choosing the proper video is balance. For a home user, you want to make sure you have good drivers, features and capable resolution. Think about how many monitors you will be running also; make sure your video can handle it and can handle the resolution. For gamers: pay attention to the specs, not the model number. Stop buying a video card that is more than the PC can handle. Pick a budget and pay attention to RAM and the FSB of the processor, not the processing power itself, as this means very little to a gamer. Then fit a video card with good transfers into the budget last to assist those components. A video card is made to assist, not dominate.

Hard Drive
The hard drive usually gets some attention because most people want to be able to store all their information. However, even the most famous online builders ignore speed. The thing we pay attention to is the RPM of the drive (7200RPM for example), but we ignore the transfer rate and cache of the drive. Everything you load comes from the HDD and goes into the RAM, no exceptions. Look for a fast transfer rate and a nice buffer on the HDD; this, in some cases, will matter more than platter speed.

We hope this has been informative. The market is dominated by lies, deception and marketing to the point where even benchmark software can be a lie. A computer can be programmed to do anything, even appear more than it is. Your only defense is education. I know, who wants to learn everything?!

But look at it this way: you do own and will buy another computer. Compare our computer to a proprietary build of the same price. Not only will our computer run circles around it in performance, you will (on average) keep our computer 150% longer than the proprietary one. We look at that as 150% cheaper.

There are very few of us left that haven't been run out, bought up or simply bullied off the net by the powers that be. If you don't like us, please contact us so that we may refer you to another boutique company and help keep freedom of industry truly free.

How To Choose Your Computer

First, you should decide what you are going to use the computer for. Then, you need to consider the configuration and your budget.

Computers are getting really inexpensive these days. Buying the most powerful computer your budget allows is always a good idea.

Computer prices do go down with time. However, that doesn't mean that you should wait forever to use it, to learn from it, and, most of all, enjoy it. A computer is the best investment money can buy now! Why do I say that, knowing that the value of a computer goes down significantly with time? What a computer can help you do is limitless.

The most powerful computers these days are for gamers, servers, and rocket scientists. The priority is probably true in that order.

Do not buy a so-called "name-brand" or "major-brand" if upgrading may be on your mind a couple of years down the road. These brands are specifically designed to hook you on buying only their highly priced components to maximize their 40-60% profit margin. Most "clone" makers are operating only with a 5-25% margin. Go figure where you could save money. Besides, most major PC makers are not really "manufacturers." They are just "box-makers", putting components together like everybody else.

Clone or house-brands are often based on open structures, which means easier and cheaper upgrading, using "universal" components. You pretty much can go anywhere to have the computer serviced, upgraded, or repaired.

You should consider putting a computer together yourself only if you have some computer knowledge and some spare time. It is not that easy the first time. However, it does get easier once you have started. The satisfaction you get from putting a computer together is difficult to describe with words. Besides, you could sell a few of them and try to become the next Michael Dell. Who knows…

Rule of thumb: It is a better deal to buy a new one instead of upgrading an old one if the old one is more than three years old.

If all you need to do is word processing, spreadsheet, home finance, some basic windows games, e-mails, and browsing the Internet, you are an average user. Nothing really "high end" is needed. Consider a mid-grade computer that includes 350-500MHz microprocessor, 32 or 64 MB of memory, 8MB video, 4-8GB hard drive, 56K Modem, and any sound card. A 15” or larger monitor is recommended.

Servers are a lot more complex than any other computer systems. Normally servers should have as high a CPU speed as possible, preferably a Pentium III microprocessor with 512K cache, a minimum of 128MB memory and 9.1GB or higher hard disk drives, often SCSI, along with a network adapter. SCSI hard drives are better designed for simultaneous data access and are not limited to just four hard drives like their IDE counterparts. Since servers rarely deal with complex graphics, a 4 or 8MB video card would do the job, unless it is a Terminal Server. Use a large case with tons of cooling. Don't forget an uninterruptible power supply (UPS) and a tape backup drive to protect your data and investment. Well, the price tag could go up quickly.

Designing a gaming computer is more fun than anything. Currently high-end and hardware-demanding games include QuakeII, QuakeIII, Hexen, StarCraft and Half-Life. These games run well only on intense gaming engines. Go with a top of the line processor, such as a 500-600MHz Pentium III or AMD K6-3. Take a minimum of 128MB memory and at least an 8.4GB hard drive. IDE with ultra DMA/ATA66 is OK. The deciding factor is the video card for all the 3D action. You need the best video card your budget allows! Examples are STB Voodoo3 3500, ATI-128, and Matrox G400 with 16-32MB video memory. A DVD drive is a must these days. Depending on how the end-user plans to game you might need a network adapter or a modem. PC gaming is a lot of fun, so be sure to design a computer that you can enjoy for a long time. Do get a nice sound card. For game machines, do not even think about systems with integrated components such as video and audio. You will hate it when the next version of your favorite game is released.

If you are choosing a computer for normal office work, only a mid-range computer is necessary. I actually recommend Intel Celeron for workstations. Celeron is considerably less expensive, with less cache than its Pentium cousins, but is almost equally powerful. You really do not need that much cache for word processing, spreadsheet, and e-mail. Consider 350-500MHz, 64MB, a 4-8GB hard disk drive and a 4-8GB video card.

Tuesday, March 31, 2009

1 April Worm Attack (this is not an April Fool)

Threat Name and Type
Worm W32.downadup.KK [Trend Micro]
W32.Downadup.C [Symantec]
Worm:W32/Downadup.DY [F-Secure]
Win32/Conficker.C [Computer Associates]
Mal/Conficker-B [Sophos]

Date Detected
18 March 2009

Number of Agencies Affected

All agencies using the Microsoft Windows operating system

Operating Systems/Applications at Risk

* Ms Windows 95
* Ms Windows 98
* Ms Windows NT
* Ms Windows Me
* Ms Windows XP
* Ms Windows 2000
* Ms Windows Vista
* Ms Windows Server 2003

Attack Method

i. Worm W32.downadup.KK spreads by exploiting a vulnerability in Microsoft Windows operating systems that do not have the MS08-067 security patch installed.
ii. This worm is believed to become active on 1 April 2009. It will attack computers by:
a. Connects to various time servers to determine the current date and
b. Register itself as a system service to ensure auto execution every
c. Deletes a registry key to prevent system startup in safe mode.
d. Terminates security-related processes (i.e. procexp, regmon,
autoruns, gmer etc.)
e. Blocks access to security and antivirus websites.
f. Generates 50,000 malicious URLs and attempts to connect to
around 500 random generated URLs at a time.

Impact of Attack

i. This worm can lead to more severe attacks/intrusions on the computer/server, since it is able to disable the security features on the computer/server.

Recommended Hardening Actions

i. Install the MS08-067 patch from Microsoft
ii. Ensure the antivirus software has the latest virus signatures and run a full system scan.
iii. Ensure all removable storage is scanned before use; e.g. USB drives, mobile hard disks, etc.
iv. Ensure HIPS and buffer overflow protection are enabled.
v. Ensure real-time scanning and 'on write' scanning are enabled

Further Information


Monday, March 23, 2009

Virus Bulu Bebek Removal

Bulubebek Virus
Main File :


Virus Running Process


Virus Symptoms

Duplicates every folder on the drive as an .EXE file with a 'folder' icon.
Hides the original folder on the drive.
Hides Task Manager and Folder Options on your PC.

Remove Bulubebek Virus.
* This assumes that your PC is infected by the Bulubebek virus only (these steps will not be enough if your PC has a multiple virus infection)

1. Disconnect from the Internet (LAN or wireless)
2. Turn off System Restore
3. Use third party software such as Process Explorer or Security Task Manager to view and kill the process tree for LSASS.exe and Script.exe:
- c:\windows\LSASS.exe
- c:\windows\LSASS.ini
- c:\windows\system32\SCRIPT.exe
- c:\windows\system32\SCRIPT.ini

4. Repair the Windows registry using this script (the bracketed INF section headers that Windows needs in order to install the script were lost when it was pasted and are restored below; the two section names referenced from [DefaultInstall] are arbitrary):

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=RestoreValues
DelReg=DeletePolicies

; Restore the shell\open\command handlers, the Winlogon shell, the Safe Mode
; shell, the command processor AutoRun and the Folder Options "hidden files" settings.
[RestoreValues]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
HKCU, Software\Microsoft\Command Processor, AutoRun,0,

; Delete the policy values that hide the registry tools, Task Manager, Folder
; Options, Find and Run, plus the per-user Winlogon Shell and the other keys
; the virus set.
[DeletePolicies]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PAYXX.exe
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\HideFileExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPath
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowFullPathAddress
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SuperHidden

5. Copy and paste this script into Notepad and save it as Removebulubebek.inf.
6. Right click Removebulubebek.inf and click Install.
7. Log off and log on to the computer.
8. Enable 'Show hidden files and folders' in Folder Options.
9. Delete autorun.inf and bulubebek.ini from the root of every drive (Drive C, Drive D, removable drives).
10. Search for and remove the virus's duplicate files using Windows Search.
Duplicate files always:
• use the 'folder' icon,
• are 53Kb in size,
• are .EXE files,
• have file type 'Application'

11. To unhide the original folders on your drives (Drive C, Drive D, removable drives):

• Run ATTRIB -s -h -r /s /d from the root of each drive at the Command Prompt:

C:\>attrib -s -h -r /s /d
D:\>attrib -s -h -r /s /d
<removable drive letter>:\>attrib -s -h -r /s /d
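As an added example (not part of the original post), the scanner below looks for the Bulubebek symptoms the steps above describe: an .EXE that carries the name of a sibling folder, is about 53 KB, and shadows the now-hidden real folder, plus the autorun.inf and bulubebek.ini dropper files from step 9. The size tolerance around "53Kb" and the sample directory tree are assumptions made for the example.

```python
"""Scan a folder or drive root for Bulubebek-style folder impostors.

Added example, not from the original post. Heuristics come from the
removal steps above: a <name>.exe beside a folder <name>, roughly 53 KB,
with the real folder hidden; autorun.inf / bulubebek.ini in the drive root.
"""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from typing import List

# Assumed tolerance around the 53 KB duplicate size reported on the page.
MIN_SIZE = 50 * 1024
MAX_SIZE = 56 * 1024

# Files that step 9 says to delete from the root of every drive.
DROPPER_NAMES = ("autorun.inf", "bulubebek.ini")


@dataclass
class Suspect:
    exe_path: str      # the .EXE posing as a folder
    folder_path: str   # the real folder it shadows
    size: int
    folder_hidden: bool


def is_hidden(path: str) -> bool:
    """True if the Windows 'hidden' attribute is set; always False elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows-only field
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_folder_impostors(root: str) -> List[Suspect]:
    """Walk `root` and report every <name>.exe that sits beside a folder <name>
    and falls inside the Bulubebek size band."""
    suspects: List[Suspect] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_lower = {d.lower(): d for d in dirnames}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".exe" or stem.lower() not in dirs_by_lower:
                continue
            exe_path = os.path.join(dirpath, fname)
            size = os.path.getsize(exe_path)
            if not MIN_SIZE <= size <= MAX_SIZE:
                continue
            folder_path = os.path.join(dirpath, dirs_by_lower[stem.lower()])
            suspects.append(Suspect(exe_path, folder_path, size, is_hidden(folder_path)))
    return suspects


def find_dropper_files(drive_root: str) -> List[str]:
    """Return which of the step-9 dropper files exist in the drive root."""
    present = {name.lower() for name in os.listdir(drive_root)}
    return [name for name in DROPPER_NAMES if name in present]


def build_sample_tree(base: str) -> None:
    """Constructed sample (harmless zero-filled files, not real malware): one
    impostor pair, one oversized pair, one plain .exe and a dropper file."""
    os.makedirs(os.path.join(base, "Photos"))
    os.makedirs(os.path.join(base, "Docs"))
    for name, size in (("Photos.exe", 53 * 1024),   # matches the symptom
                       ("Docs.exe", 200 * 1024),    # too large for the band
                       ("setup.exe", 53 * 1024)):   # no sibling folder
        with open(os.path.join(base, name), "wb") as f:
            f.write(b"\0" * size)
    with open(os.path.join(base, "autorun.inf"), "w") as f:
        f.write("[autorun]\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = tempfile.mkdtemp()
        build_sample_tree(target)
    for s in find_folder_impostors(target):
        flag = "hidden" if s.folder_hidden else "visible"
        print(f"suspect: {s.exe_path} ({s.size} bytes) shadows {s.folder_path} [{flag}]")
    for name in find_dropper_files(target):
        print(f"dropper file present: {os.path.join(target, name)}")
```

Run it with a drive root as the argument to scan a real disk; with no argument it scans the constructed sample tree.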

It's done ... as simple as that .. unless you're facing a multiple virus infection

There are a few times I'm facing a multiple virus infection (bulubebek, sality & 2.bat) .. it's a bit of a disaster but I managed to remove it by using safe mode or the administrator account.

For Vista users,
if bulubebek infected your PC, you will not enter your desktop (you will only see a dark screen), because your system cannot run 'explorer.exe' after the virus added the value 'SCRIPT.exe' at the back of it in the Winlogon Shell. So what I always do is:

1. Press CTRL-ALT-DEL and run Task Manager,
2. On the menu bar, click FILE -> NEW TASK (RUN)
3. Type explorer.exe to enter your desktop
4. After entering your desktop, follow the steps I showed you earlier ...

Download RemoveBulubebek.inf

Download process explorer.exe

Wednesday, February 25, 2009

This malicious program exploits the MS08-067 vulnerability to spread via network resources and removable storage media.

This modification of the worm is a Windows PE DLL file. The file is 158110 bytes in size. It is packed using UPX.


The worm copies its executable file with random names to the following directories:

%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll

is a random string of symbols.

In order to ensure that the worm is launched next time the system is started, it creates a system service which launches the worm’s executable file each time Windows is booted. The following registry key will be created:


The name of the service will be created from combining words from the list below:


The worm also modifies the following system registry key value:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost] "netsvcs" = " %System%\.dll"

The worm hides its files in Explorer by modifying the registry key value shown below:

[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"
"SuperHidden" = "dword: 0x00000000"

"CheckedValue" = "dword: 0x00000000"

The worm flags its presence in the system by creating the unique identifier shown below:



In order to spread quickly via networks, the worm uses tcpip.sys functions to increase the number of potential network connections.

The worm connects to the servers shown below in order to determine the external IP address of the victim machine:


The worm then launches an HTTP server on a random TCP port; this is then used to download the worm's executable file to other computers.

Copies of the worm have the extensions listed below:

The worm gets the IP addresses of computers in the same network as the victim machine and attacks them via a buffer overrun vulnerability (MS08-067) in the Server service. The worm sends a specially crafted RPC request to TCP ports 139 (NetBIOS) and 445 (Direct hosted SMB) on remote machines. This causes a buffer overrun when the wcscpy_s function is called in netapi32.dll, which launches code that downloads the worm's executable file to the victim machine and launches it. The worm is then installed on the new victim machine.

The worm then hooks the NetpwPathCanonicalize API call (netapi.dll) to prevent buffer overruns caused by the absence of a check on the size of outgoing strings. By doing this, the worm makes repeat exploitation of the vulnerability impossible.

In order to speed up propagation, the worm modifies the following registry value:

[HKLM\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections" = "dword:0x00FFFFFE"

In order to exploit the vulnerability described above, the worm attempts to connect to the Administrator account on the remote machine. It searches the network for an appropriate machine and gets a list of users.

In order to gain administrator access, the worm copies itself to the following shared folders:


The worm can then be launched remotely or scheduled for remote launch using the following commands:

rundll32.exe ,

Spreading via removable storage media

The worm copies its executable file to all removable media under the following name:
%d%>-%d%>\.vmx (rnd is a string of random lower case letters; d is a random number; X is the disk)

In addition to its executable file, the worm also places the file shown below in the root of every disk:

This file will launch the worm's executable file each time Explorer is used to open the infected disk.

When launching, the worm injects its code into the address space of one of the “svchost.exe” system processes. (The worm may also write its code to the “explorer.exe” and “services.exe” processes.) This code delivers the worm's main malicious payload and:

1. disables the following services:
   Windows Automatic Update Service (wuauserv)
   Background Intelligent Transfer Service (BITS)
   Windows Security Center Service (wscsvc)
   Windows Defender Service (WinDefend, WinDefender)
   Windows Error Reporting Service (ERSvc)
   Windows Error Reporting Service (WerSvc)
2. blocks access to addresses which contain any of the strings listed below:
   nai, ca, avp, avg, vet, bit9, sans, cert, windowsupdate, wilderssecurity, threatexpert, castlecops, spamhaus, cpsecure, arcabit, emsisoft, sunbelt, securecomputing, rising, prevx, pctools, norman, k7computing, ikarus, hauri, hacksoft, gdata, fortinet, ewido, clamav, comodo, quickheal, avira, avast, esafe, ahnlab, centralcommand, drweb, grisoft, eset, nod32, f-prot, jotti, kaspersky, f-secure, computerassociates, networkassociates, etrust, panda, sophos, trendmicro, mcafee, norton, symantec, microsoft, defender, rootkit, malware, spyware

In Windows Vista, the worm will disable autoconfiguration of the TCP/IP stack in order to speed up propagation via network channels by using a fixed window size for TCP packets:

netsh interface tcp set global autotuning=disabled

The worm also hooks the following API calls (dnsrslvr.dll) in order to block access to the list of user domains:
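The blocked-string rule above (any address containing one of the listed strings is refused by the worm's DNS hook) is the basis of the "can the machine still reach vendor sites?" check defenders used against this worm. The example below is added here and is not Kaspersky's code: it copies the string list from the description, reproduces the matching rule, and triages a set of resolution results; the verdict names and the constructed sample results are this example's own.

```python
"""Reproduce Kido's address-blocking rule and triage DNS test results.

Added example, not from the original description. KIDO_BLOCKED_STRINGS is
the list given on the page; the worm blocks any address that contains one
of them (plain substring match, so short tokens such as "ca" or "vet" also
catch unrelated names; that is the worm's rule, not a bug here).
"""
import socket
from typing import Dict, Iterable, List, Tuple

KIDO_BLOCKED_STRINGS = (
    "nai", "ca", "avp", "avg", "vet", "bit9", "sans", "cert", "windowsupdate",
    "wilderssecurity", "threatexpert", "castlecops", "spamhaus", "cpsecure",
    "arcabit", "emsisoft", "sunbelt", "securecomputing", "rising", "prevx",
    "pctools", "norman", "k7computing", "ikarus", "hauri", "hacksoft", "gdata",
    "fortinet", "ewido", "clamav", "comodo", "quickheal", "avira", "avast",
    "esafe", "ahnlab", "centralcommand", "drweb", "grisoft", "eset", "nod32",
    "f-prot", "jotti", "kaspersky", "f-secure", "computerassociates",
    "networkassociates", "etrust", "panda", "sophos", "trendmicro", "mcafee",
    "norton", "symantec", "microsoft", "defender", "rootkit", "malware", "spyware",
)


def kido_would_block(address: str) -> bool:
    """True when the worm's dnsrslvr.dll hook would refuse this address."""
    lowered = address.lower()
    return any(token in lowered for token in KIDO_BLOCKED_STRINGS)


def split_by_rule(hosts: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Partition hostnames into (would be blocked, would be allowed)."""
    blocked = [h for h in hosts if kido_would_block(h)]
    allowed = [h for h in hosts if not kido_would_block(h)]
    return blocked, allowed


def triage(resolutions: Dict[str, bool]) -> str:
    """Classify a host from its DNS results (hostname -> resolved?).

    'no-block'     : everything resolved.
    'kido-pattern' : exactly the names the worm blocks failed, all others worked,
                     and the probe contained at least one of each kind.
    'inconclusive' : any other mix (general DNS outage, partial data, ...).
    """
    if resolutions and all(resolutions.values()):
        return "no-block"
    blocked, allowed = split_by_rule(resolutions)
    if (blocked and allowed
            and not any(resolutions[h] for h in blocked)
            and all(resolutions[h] for h in allowed)):
        return "kido-pattern"
    return "inconclusive"


def collect_resolutions(hosts: Iterable[str]) -> Dict[str, bool]:
    """Probe the resolver on this machine (needs network; not used by the test)."""
    results: Dict[str, bool] = {}
    for host in hosts:
        try:
            socket.gethostbyname(host)
            results[host] = True
        except OSError:
            results[host] = False
    return results


# Constructed sample results, as they would look on an infected host.
SAMPLE_RESOLUTIONS = {
    "www.kaspersky.com": False,   # contains "kaspersky"
    "update.microsoft.com": False,  # contains "microsoft"
    "www.sophos.com": False,      # contains "sophos"
    "example.org": True,          # matches no token
    "wikipedia.org": True,        # matches no token
}

if __name__ == "__main__":
    for host, ok in SAMPLE_RESOLUTIONS.items():
        rule = "blocked by rule" if kido_would_block(host) else "not matched"
        print(f"{host:24} resolved={ok!s:5} {rule}")
    print("verdict:", triage(SAMPLE_RESOLUTIONS))
```

On a live machine, pass a mix of vendor hostnames and neutral hostnames to collect_resolutions() and feed the result to triage(); a "kido-pattern" verdict means only the names the worm's hook matches are failing.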


The worm may also download files from links of the type shown below:

rnd2 is a random number; URL is a link generated by a special algorithm which uses the current date. The worm gets the current date from one of the sites shown below:


Downloaded files are saved to the Windows system directory under their original names.

Removal Guide

If your computer does not have an up-to-date antivirus solution, or has no antivirus solution at all, you can either use a special removal tool or follow the instructions below. More details about the vulnerability can be found in Microsoft's security bulletin MS08-067.

1. Delete the following system registry key:

2. Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]

3. Revert the following registry key values (the value set by the worm is shown first, the value to restore second):
[HKCR\ Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "dword: 0x00000002"  ->  "Hidden" = "dword: 0x00000001"
"SuperHidden" = "dword: 0x00000000"  ->  "SuperHidden" = "dword: 0x00000001"
"CheckedValue" = "dword: 0x00000000"  ->  "CheckedValue" = "dword: 0x00000001"

4. Reboot the computer.

5. Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).

6. Delete copies of the worm:
%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
is a random string of symbols.

7. Delete the files shown below from all removable storage media: