ninja hokage virusSomeone, who is a fan of the Japanese manga Naruto, and has the ability to make viruses, has made the Ninja Hokage computer virus. Yes, Ninja Hokage is taken from Naruto, which is very popular these days in Indonesia.

You can see if your computer is infected by this virus when your flash disk’s icon has changed to winamp icon. This virus is easy to remove. Here are how to remove the virus, which is also known as VBWorm.Gen16:

  1. Shut Windows XP’s System Restore down on the process of removing the virus (if you’re using Windows XP).
  2. Shut the virus’ process down by using Currprocess. Run Currprocess, then select all files that has winamp’s icon (Rin.exe, Obito.exe, KakashiHatake.exe dan Hokage4.exe).
  3. Delete registry entries made by the virus. To make it easier for you, copy the script below into Notepad, and save it as repair.inf, then run repair.inf by right clicking on the file, then click install. Here’s the script:


    [Version]
    Signature=”$Chicago$”
    Provider=Vaksincom Naruto
    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del
    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”
    HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”
    HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”
    HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”
    HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
    [del]
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NOFind
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NORun
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Hokage 4
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Kakashi Hatake
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Obito Uchiha
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Rin
  4. Search and delete the files made by the virus. Just use Windows’ search feature. Before you do the search, you should show all the hidden files. Here’s how to do it:
    • Open Windows Explorer.
    • Click the menu “Tools”, and then click “Folders Options”.
    • On the “Folders Options” window, click the “View” tab.
    • On the “Hidden files and folders” folder, uncheck “Hide extensions for known file types” and “Hide protected operating system files (recomended)”.
    • Click OK

    To search and delete the virus files:

    • Click “Start” -> “Search” -> “For Files or Folders”.
    • At the “Search Result” window, click the “All files and folders” menu.
    • At the “All or part of the file name” textbox, fill in with *.exe.
    • At the “Look in” combo box, make sure you have selected the drive to be searched, including the flash disk.
    • Click “What size is it”, then select “Specify size (in KB)”. Select “at most”, fill in with “42″.
    • Click “More Advanced option”, then select “Searh system folders”, “Search hidden files and folders”, and “Search subfolders”.
    • Click the “Search” button to begin searching.
    • Delete all the files in all drives including your flash disk (in the search result ) which has the winamp icon, with size of 42 KB, file type of “Application” and the extension of .EXE
  5. Delete desktop.ini, folder.htt, Autorun.inf dan anbu.txt on your flash disk.
  6. Scan your computer with your updated anti virus software. Make sure your anti virus software can recognize this virus.
  7. It’s better to turn off the autoplay function so that the virus won’t be activated automatically.
  8. To avoid re-infection by the virus, although you already have the updated anti virus software, you can use the script below to shut down the virus’ process when it tries to be active in your computer’s memory. Copy the script below, and save it as RemoveHokage.reg. Then run the file by double clicking it, click “Yes” for confirmation to add it to the registry.


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe]
    “Debugger”=”cmd.exe /c del”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe]
    “Debugger”=”cmd.exe /c del”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe]
    “Debugger”=”cmd.exe /c del”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe]
    “Debugger”=”cmd.exe /c del”

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe]
    “Debugger”=”cmd.exe /c del”

Related Posts
Your Ad Here