Probably you will be wondering what is the meaning of the title above. K4l0n6 is local virus developed by an Indonesian (in his blog he also put the antivirus) which will disabled:
1. Task Manager - you won't be able to invoke the task manager using Ctrl-Alt-Del. It will say that the task manager has been disabled by your administrator. Although you've logged in as a user who has the administrator rights it will also display that message.
2. Regedit - if you run regedit.exe/regedit32.exe, it will be debugged with notepad.
3. It will disabled the cmd.exe, msconfig.exe, folder options and many more.
Symptoms:
1. If you do a double click on C drive or any drive, it won't show the contains of the folder (unfortunately you have just activated the virus).
2. You can't run regedit, cmd, msconfig, instead it will show notepad.
3. You can't see the folder options.
How to remove:
1. Kill the process of WScript.exe (you won't be able to use the task manager, so you need another program to do it. ProcessXP is one of the softwares you can use. Download it here.)
2. Run Autoruns (if you don't have it already, download it here). Go to Image Hijacks sections. Delete all entries there except the last (it is related to file ntsd.exe, don't delete it as it is needed by windows).
3. Copy this code below and save it as "antivirus.vbs":
[Version]
Signature=”$Chicago$”
Provider=Fariskhi
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCU,Software\Microsoft\Internet Explorer\Main, Window Title,0, “INTERNET EXPLORER”
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKLM, Software\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistryEditor.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe, Debugger
4. Search and delete these two files: autorun.inf and k4l0n6-x.dll.vbs.
After you have done all the steps above, you should be able to see the folder options again and run cmd or msconfig. Note: if you have opened an explorer before doing the cleanup just close and reopen. All options are now back where it belongs.
For the full information about this virus please refer to the author's blog. It is really amazing what he can do, but although he has put a disclaimer to his post, I am still convince that this is wrong. Sharing knowledge is one thing but if the use of knowledge for wrong purposes that is really destructive. My advise to the author is please be careful with what you are posting because your blog can be read by many people of which we can't control all of them.