|
cradle of filth remover. Patch for the virus cradle_of_filth.vbe
|
|
Written by Administrator |
Friday, 18 September 2009 04:13
|
|
A rather awkward virus, prohibits certain programs, prohibits the access to certain menus and functionalities of Windows such as the stop button, the access to the registry, thes task manager, the desktop, the files’ options etc…
Open also notepad with each starting of Windows and registered there a parody of "notre Père qui est aux cieux". Notre Gates qui est à Seattle...
The virus cradle of filth is propagated through removable drive, the virus copies periodically there two files autorun.inf and cradle_of_filth.vbe, if you remove them, these two files will go back to their places few seconds after their suppression.
The virus puts two files in all removable drive
- autorun.inf
- cradle_of_filth.vbe
The virus puts also a file in the System repertory:
- <system>\cradle_of_filth.vbe
Creates the registry entry
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoChangeStartMenu
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoComputersNearMe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrive
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveAutoRun
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoHardwareTab
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoResolveSearch
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoShellSearchButton
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\UncheckedValue
Creates the registry entry
- HKLM\Software\Microsoft\Command Processor\AutoRun
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR
Replaces the userinit's value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Userinit C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe cradle_of_filth.vbe Must be C:\Windows\userinit.exe,
This virus launches out automatically each time you open a removable disk, it is thus preferable to download this patch and to decompress it on the desktop and to launch it.

|
Comments
To run it in Safe Mode, as soon as your computer turns on hit the F8 key (repeatedly) until a screen comes up
Choose Start computer in SAFE MODE.
Now, run the patch!!
Good luck
bst rgds
jm
RSS feed for comments to this post.