Bl4ck P3g4SuS Removal Instructions

February 23rd, 2008 by p3g4sus

Black Pegasus Removal Instructions:
(Tools needed: HijackThis and RRT, the Remove Restrictions Tool)

  1. First of all, terminate the virus process using HijackThis' Process View; if you don't, the virus backup files you delete will just keep coming back. The process to terminate is c:\Windows\Systen32\SVCHOST.EXE. Note the folder name: it is Systen32, exactly as listed here, not the real System32. The svchost.exe in c:\Windows\System32 is a legitimate Windows process and must be left running.
  2. Use RRT to remove the restrictions the virus put on your PC: tick every checkbox, then press the Remove button.
  3. Once you have ended the virus process, start deleting the virus backup files. PLEASE TAKE NOTE OF THE FILE PATH: several of these names are also the names of legitimate Windows files in other folders, and deleting the wrong one will cause you trouble. If a file listed below isn't there, just skip it.
  • Delete WINLOGON.EXE found in "c:\Program Files\System\" folder.
  • Delete SVCHOST.EXE found in "c:\Windows\Systen32\" folder.
  • Delete SVHOST.EXE found in "c:\Windows\System32\" folder.
  • Delete LSASS.EXE found in "c:\Windows\" folder.
  • Delete DRACU.EXE found in "c:\Windows\" folder.
  • Delete PROGGY.EXE found in "c:\Program Files\" folder.
  • Delete ISETUP.EXE found in "c:\Windows\System32\" folder.
  • Delete TRANSMIT.EXE found in "c:\Windows\System32\" folder.
  • Delete P364SUS.DAT found in "c:\Windows\System32\" folder.
  • Delete DIFFUSE.DAT found in "c:\Windows\System32\" folder.
  • Delete ISETUP.EXE, TRANSMIT.EXE and AUTORUN.INF found in the root directory of each local drive (e.g. C:\, D:\, E:\, etc.)
  • And you’re done…
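The three steps above as a script. This is an added example, not the post's tool or anything by its author: it takes the process list as (pid, path) pairs (obtained from HijackThis' Process View or from `wmic process get ProcessId,ExecutablePath`, both assumed here), clears the Read-only/System/Hidden attributes before deleting, and refuses outright to touch the real svchost.exe, lsass.exe and winlogon.exe in System32 even if someone "corrects" the look-alike paths in the list. The tree that demo() cleans is constructed in a scratch directory; on a real machine you would call remove_indicators(r'C:\', [r'D:\', r'E:\']) after killing the process.

```python
"""Cleanup helper for the file and process indicators listed above.
Added example; it is not the post's tool and assumes only Python 3."""
import os
import stat
import sys
import tempfile

# Indicators copied from the removal list. "Systen32" is spelled exactly as the
# list gives it: it is a look-alike folder, not the real System32.
FILE_INDICATORS = [
    r"c:\Program Files\System\WINLOGON.EXE",
    r"c:\Windows\Systen32\SVCHOST.EXE",
    r"c:\Windows\System32\SVHOST.EXE",
    r"c:\Windows\LSASS.EXE",
    r"c:\Windows\DRACU.EXE",
    r"c:\Program Files\PROGGY.EXE",
    r"c:\Windows\System32\ISETUP.EXE",
    r"c:\Windows\System32\TRANSMIT.EXE",
    r"c:\Windows\System32\P364SUS.DAT",
    r"c:\Windows\System32\DIFFUSE.DAT",
]
DRIVE_ROOT_INDICATORS = ["ISETUP.EXE", "TRANSMIT.EXE", "AUTORUN.INF"]

# Real Windows binaries one typo away from the indicators. The cleaner refuses
# these unconditionally, so "fixing" Systen32 to System32 in the list above
# cannot turn it into a tool that deletes the real svchost.exe.
PROTECTED = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\winlogon.exe",
}


def canon(path):
    """Lower-case, backslash-only form used for every path comparison."""
    return path.replace("/", "\\").rstrip("\\").lower()


def is_protected(path):
    return canon(path) in PROTECTED


def is_malware_process(exe_path):
    """Exact match on an .EXE indicator path. Matching on the bare file name
    would also select the legitimate svchost.exe, which lives in System32."""
    targets = {canon(p) for p in FILE_INDICATORS if p.lower().endswith(".exe")}
    return canon(exe_path) in targets and not is_protected(exe_path)


def select_pids_to_kill(process_list):
    """process_list: iterable of (pid, full executable path), e.g. read off
    HijackThis' Process View or `wmic process get ProcessId,ExecutablePath`."""
    return [pid for pid, exe in process_list if is_malware_process(exe)]


def rebase(indicator, root):
    """Map r'c:\\Windows\\X.EXE' onto `root`: 'C:\\' on the real machine,
    a scratch directory in demo()."""
    parts = indicator[len("c:\\"):].split("\\")
    return os.path.join(root, *parts)


def clear_attributes(path):
    """The virus sets Read-only/System/Hidden; strip them before unlinking."""
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(path, 0x80)  # FILE_ATTRIBUTE_NORMAL
    else:  # POSIX stand-in so the demo runs anywhere
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


def remove_indicators(root, drive_roots=(), dry_run=False):
    """Delete every indicator present under `root` and in each drive root.
    Returns (removed, refused). Missing files are skipped, as step 3 advises."""
    pairs = [(ind, rebase(ind, root)) for ind in FILE_INDICATORS]
    pairs += [(os.path.join(d, n), os.path.join(d, n))
              for d in drive_roots for n in DRIVE_ROOT_INDICATORS]
    removed, refused = [], []
    for label, path in pairs:
        if is_protected(label) or is_protected(path):
            refused.append(path)
        elif os.path.isfile(path):
            if not dry_run:
                clear_attributes(path)
                os.remove(path)
            removed.append(path)
    return removed, refused


def demo():
    """Stage three of the indicators in a scratch tree (constructed, not taken
    from an infected host), clean it, and report what happened."""
    root, drive = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows", "Systen32"))
    for rel in (("Windows", "Systen32", "SVCHOST.EXE"), ("Windows", "LSASS.EXE")):
        open(os.path.join(root, *rel), "w").close()
    inf = os.path.join(drive, "AUTORUN.INF")
    open(inf, "w").close()
    os.chmod(inf, stat.S_IRUSR)  # stand-in for the virus's Read-only bit
    removed, refused = remove_indicators(root, [drive])
    return {"removed": len(removed), "refused": len(refused),
            "left_behind": [p for p in removed if os.path.exists(p)]}


if __name__ == "__main__":
    print(demo())
```

Kill first, delete second: step 1 exists because the running process recreates the files, and remove_indicators does nothing to stop that. Step 2, the restrictions, is a registry matter and is not covered by this script.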

Just a tip: most viruses these days spread through USB flash disks, so be careful when opening files from a USB stick. When you plug a USB stick into your PC, DON'T double-click it from the My Computer shortcut on your Desktop. Instead, right-click it, like this:


Then click the Removable Drive….


IMPORTANT: AVOID DOUBLE-CLICKING REMOVABLE DRIVES, AND BE CAREFUL WITH THE RIGHT-CLICK MENU TOO! (An autorun.inf on the drive can change what the double-click does and add its own entries to that menu, so neither can be trusted on an unknown stick.)

Bl4ck P3g4sUs Code Routine

November 7th, 2007 by p3g4sus

This is the process of the Bl4ck P3g4sUs virus!

VERSION UPDATE 11-07-07

————————————-


FIRST RUN OF THE VIRUS:

  • Disable Windows Safe Mode (so the user can't boot into Safe Mode; p3g4sus can't start in Safe Mode)
  • Hide Virus From Task List (so p3g4sus doesn't show up in Task Manager)

REGISTRY MANIPULATION:

  • Disable FIND feature in Microsoft Windows (so p3g4sus can't be searched for)
  • Disable RUN feature in Microsoft Windows (so the user can't get to a DOS command prompt; someone who knows the DOS environment could kill p3g4sus from there)
  • Hide File Extension Of Known Windows Files (I use an EXE-replicating method: an EXE file with a folder icon, so it isn't obvious that its extension is .EXE)
  • Hide Hidden Files (the p3g4sus root file is hidden; I did this so the root file can't be seen when browsing normally in Windows Explorer)
  • Disable Removable Autorun (so no autorun window appears)
  • Replace Registered Owner (when you view My Computer Properties, the Registered User reads Bl4ck P3g4sUs)
  • Replace Registered Organization (when you view My Computer Properties, the Registered Organization reads S0ci3ty 0f H4ck3rs Unlimit3d)
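The same list expressed as the registry values behind it, as an added audit script (not the author's code). The value names under Policies\Explorer, Explorer\Advanced and Windows NT\CurrentVersion are the standard Windows ones; how this virus disables Safe Mode is not stated above, so that check assumes the common technique of deleting the HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot subkeys. infected_snapshot() is constructed to mirror the list, not captured from a host; read_snapshot() performs the live read on Windows.

```python
"""Audit of the registry values behind the REGISTRY MANIPULATION list above.
Added example, not the author's code. The SafeBoot check is an assumption
about how Safe Mode is disabled; the post does not say."""

HKCU, HKLM = "HKCU", "HKLM"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
WINNT = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SAFEBOOT = r"SYSTEM\CurrentControlSet\Control\SafeBoot"

# (hive, key, value name, is_bad(data), finding, undo command, evidence)
# value name None means "does the key exist"; data is then True/False.
# evidence=False marks view settings that also match XP's own defaults
# (extensions and hidden files are hidden out of the box), so they are worth
# resetting but do not by themselves prove infection.
CHECKS = [
    (HKCU, POLICIES, "NoFind", lambda d: d == 1, "Find/Search removed",
     f'reg delete "HKCU\\{POLICIES}" /v NoFind /f', True),
    (HKCU, POLICIES, "NoRun", lambda d: d == 1, "Run removed from Start menu",
     f'reg delete "HKCU\\{POLICIES}" /v NoRun /f', True),
    (HKCU, ADVANCED, "HideFileExt", lambda d: d == 1,
     "extensions of known file types hidden (the folder-icon EXE trick needs this)",
     f'reg add "HKCU\\{ADVANCED}" /v HideFileExt /t REG_DWORD /d 0 /f', False),
    (HKCU, ADVANCED, "Hidden", lambda d: d == 2, "hidden files not shown",
     f'reg add "HKCU\\{ADVANCED}" /v Hidden /t REG_DWORD /d 1 /f', False),
    (HKCU, ADVANCED, "ShowSuperHidden", lambda d: d == 0,
     "System+Hidden files not shown (the dropped files carry both attributes)",
     f'reg add "HKCU\\{ADVANCED}" /v ShowSuperHidden /t REG_DWORD /d 1 /f', False),
    (HKCU, POLICIES, "NoDriveTypeAutoRun", lambda d: d is not None and bool(d & 0x04),
     "AutoRun suppressed for removable drives (keep it that way)", None, False),
    (HKLM, WINNT, "RegisteredOwner", lambda d: "p3g4sus" in str(d).lower(),
     "RegisteredOwner overwritten",
     f'reg add "HKLM\\{WINNT}" /v RegisteredOwner /t REG_SZ /d "<your name>" /f', True),
    (HKLM, WINNT, "RegisteredOrganization", lambda d: "h4ck3rs" in str(d).lower(),
     "RegisteredOrganization overwritten",
     f'reg add "HKLM\\{WINNT}" /v RegisteredOrganization /t REG_SZ /d "<your org>" /f', True),
    (HKLM, SAFEBOOT + r"\Minimal", None, lambda present: present is False,
     "SafeBoot\\Minimal key missing: Safe Mode cannot boot",
     "reg import safeboot.reg   (export of HKLM\\" + SAFEBOOT +
     " from a clean machine of the same Windows version)", True),
    (HKLM, SAFEBOOT + r"\Network", None, lambda present: present is False,
     "SafeBoot\\Network key missing: Safe Mode with Networking cannot boot",
     "reg import safeboot.reg", True),
]


def audit(snapshot):
    """snapshot: {(hive, key, value_name): data}; data None = value missing."""
    findings = []
    for hive, key, value, is_bad, what, fix, evidence in CHECKS:
        if is_bad(snapshot.get((hive, key, value))):
            findings.append({"where": f"{hive}\\{key}\\{value or ''}",
                             "what": what, "fix": fix, "evidence": evidence})
    return findings


def undo_commands(findings):
    return [f["fix"] for f in findings if f["fix"]]


def read_snapshot():
    """Live read of the same values. Windows only (winreg)."""
    import winreg
    hives = {HKCU: winreg.HKEY_CURRENT_USER, HKLM: winreg.HKEY_LOCAL_MACHINE}
    snap = {}
    for hive, key, value, *_ in CHECKS:
        try:
            with winreg.OpenKey(hives[hive], key) as h:
                snap[(hive, key, value)] = (True if value is None
                                            else winreg.QueryValueEx(h, value)[0])
        except OSError:
            snap[(hive, key, value)] = False if value is None else None
    return snap


def infected_snapshot():
    """Constructed to mirror the post's list; not captured from a real host."""
    return {
        (HKCU, POLICIES, "NoFind"): 1,
        (HKCU, POLICIES, "NoRun"): 1,
        (HKCU, POLICIES, "NoDriveTypeAutoRun"): 0xFF,
        (HKCU, ADVANCED, "HideFileExt"): 1,
        (HKCU, ADVANCED, "Hidden"): 2,
        (HKCU, ADVANCED, "ShowSuperHidden"): 0,
        (HKLM, WINNT, "RegisteredOwner"): "Bl4ck P3g4sUs",
        (HKLM, WINNT, "RegisteredOrganization"): "S0ci3ty 0f H4ck3rs Unlimit3d",
        (HKLM, SAFEBOOT + r"\Minimal", None): False,
        (HKLM, SAFEBOOT + r"\Network", None): False,
    }


if __name__ == "__main__":
    for f in audit(infected_snapshot()):
        print(("INFECTION " if f["evidence"] else "hardening ") + f["what"])
        if f["fix"]:
            print("    " + f["fix"])
```

The evidence flag separates values Windows never sets on its own (NoFind, NoRun, the overwritten owner and organization, the missing SafeBoot keys) from view settings that happen to match XP's defaults; the latter still deserve resetting, because the folder-icon EXE and the +Hidden +System files depend on them. NoDriveTypeAutoRun gets no undo command on purpose: suppressing AutoRun on removable drives is the safer state whoever set it.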

WINDOW NAME MONITORING (Minimize):

p3g4sus now monitors every open window; when it sees text in a window's name that matches an entry in its minimize list, it automatically minimizes that window. The entries in its minimize list are:

  • antivirus
  • anti-virus
  • anti
  • virus
  • anti-malware
  • protect
  • malware
  • antispyware
  • spyware
  • process
  • notepad
  • winpatrol
  • spy
  • adware
  • anvir
  • heal
  • policy
  • detector
  • remover
  • removal
  • lavasoft
  • pestpatrol
  • eliminator
  • eliminate
  • spycop
  • doctor
  • spysweeper
  • cleaner
  • ad-ware
  • autorun
  • viewer
  • blocker
  • ahnlab
  • sysinternal
  • Authentium
  • Avast
  • AVG
  • BitDefender
  • CAT-QuickHeal
  • ClamAV
  • DrWeb
  • eSafe
  • eTrust-Vet
  • Ewido
  • FileAdvisor
  • Fortinet
  • F-Prot
  • F-Secure
  • Ikarus
  • Kaspersky
  • washer
  • McAfee
  • NOD32
  • Norman
  • Panda
  • Sophos
  • Sunbelt
  • Symantec
  • norton
  • TheHacker
  • VBA32
  • VirusBuster
  • Webwasher-Gateway
  • ATF-Cleaner
  • destroy
  • scan
  • terminat
  • task manager
  • task
  • share
  • watch
  • alert
  • attention
  • registry
  • wordpad
  • folder options
  • pegasus
  • hex
  • wscript
  • V3
  • Alladin
  • alwil
  • avira
  • Bit9
  • fileadvisor
  • clam
  • dr.web
  • doctor web
  • grisoft
  • nvc
  • platinum
  • prevx
  • firewall
  • sunbelt
  • system restore

WINDOW NAME MONITORING (Close Window):

p3g4sus now monitors every open window; when it sees text in a window's name that matches an entry in its close list, it automatically closes that window. The entries in its close list are:

  • antivirus
  • anti-virus
  • anti
  • virus
  • anti-malware
  • protect
  • malware
  • antispyware
  • spyware
  • process
  • notepad
  • winpatrol
  • spy
  • adware
  • anvir
  • heal
  • policy
  • detector
  • remover
  • removal
  • lavasoft
  • pestpatrol
  • eliminator
  • eliminate
  • spycop
  • doctor
  • spysweeper
  • cleaner
  • ad-ware
  • autorun
  • viewer
  • blocker
  • ahnlab
  • sysinternal
  • Authentium
  • Avast
  • AVG
  • BitDefender
  • CAT-QuickHeal
  • ClamAV
  • DrWeb
  • eSafe
  • eTrust-Vet
  • Ewido
  • FileAdvisor
  • Fortinet
  • F-Prot
  • F-Secure
  • Ikarus
  • Kaspersky
  • washer
  • McAfee
  • NOD32
  • Norman
  • Panda
  • Sophos
  • Sunbelt
  • Symantec
  • norton
  • TheHacker
  • VBA32
  • VirusBuster
  • Webwasher-Gateway
  • ATF-Cleaner
  • destroy
  • scan
  • terminat
  • task manager
  • task
  • share
  • watch
  • alert
  • attention
  • registry
  • wordpad
  • folder options
  • pegasus
  • hex
  • wscript
  • V3
  • Alladin
  • alwil
  • avira
  • Bit9
  • fileadvisor
  • clam
  • dr.web
  • doctor web
  • grisoft
  • nvc
  • platinum
  • prevx
  • firewall
  • sunbelt
  • system restore
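Which tools the monitor would actually catch, as an added example (not the virus's code). It assumes the comparison is a case-insensitive substring test: the list holds stems such as "terminat" and mixes "Avast" with "avira", which only make sense that way. The window titles are constructed (the one for RRT in particular is assumed), and one list serves both the minimize and the close behaviour above, since the two lists are identical.

```python
"""Window-title check against the author's minimize/close keyword list.
Added example; the substring/case-insensitive matching is an assumption and
the sample titles are constructed."""

# The author's list, verbatim (minimize and close lists are identical).
KEYWORD_TEXT = """
antivirus, anti-virus, anti, virus, anti-malware, protect, malware, antispyware,
spyware, process, notepad, winpatrol, spy, adware, anvir, heal, policy, detector,
remover, removal, lavasoft, pestpatrol, eliminator, eliminate, spycop, doctor,
spysweeper, cleaner, ad-ware, autorun, viewer, blocker, ahnlab, sysinternal,
Authentium, Avast, AVG, BitDefender, CAT-QuickHeal, ClamAV, DrWeb, eSafe,
eTrust-Vet, Ewido, FileAdvisor, Fortinet, F-Prot, F-Secure, Ikarus, Kaspersky,
washer, McAfee, NOD32, Norman, Panda, Sophos, Sunbelt, Symantec, norton,
TheHacker, VBA32, VirusBuster, Webwasher-Gateway, ATF-Cleaner, destroy, scan,
terminat, task manager, task, share, watch, alert, attention, registry, wordpad,
folder options, pegasus, hex, wscript, V3, Alladin, alwil, avira, Bit9,
fileadvisor, clam, dr.web, doctor web, grisoft, nvc, platinum, prevx, firewall,
sunbelt, system restore
"""
KEYWORDS = sorted({k.strip().lower() for k in KEYWORD_TEXT.split(",") if k.strip()})

SAMPLE_TITLES = [  # constructed; typical XP-era title bars
    "Windows Task Manager",
    "Process Explorer - Sysinternals: www.sysinternals.com",
    "Registry Editor",
    "Untitled - Notepad",
    "Folder Options",
    "AVG Free Edition",
    "Shared Documents",
    "My Pictures - Windows Picture and Fax Viewer",
    "HijackThis",
    "RRT - Remove Restrictions Tool",   # assumed title for RRT
]


def hits(title):
    """Keywords found in `title` (sorted); an empty list means it survives."""
    low = title.lower()
    return [k for k in KEYWORDS if k in low]


def triage(titles):
    """{title: [keywords]} for every title the monitor would act on."""
    return {t: hits(t) for t in titles if hits(t)}


def survivors(titles):
    """Titles the monitor leaves alone, i.e. the tools that stay usable."""
    return [t for t in titles if not hits(t)]


if __name__ == "__main__":
    for title, words in triage(SAMPLE_TITLES).items():
        print(f"{title!r:55} minimized/closed on {words}")
    print("untouched:", survivors(SAMPLE_TITLES))
```

Two things fall out. Broad entries ("task", "share", "viewer", "anti") also hit harmless windows such as Shared Documents or the picture viewer, so the monitor is noisy as well as hostile; and with the titles assumed here, HijackThis and RRT are the only two whose names contain none of the keywords, which is consistent with the removal post relying on exactly those two.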

LOCAL/REMOVABLE DRIVE INFECTION:

  • Write TRANSMIT.exe
  • Write ISETUP.exe
  • Write autorun.inf
  • P3g4sus sets the +Read-only, +System and +Hidden attributes on all three
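A scanner for a drive root, added here as an example (not the author's code): it lists which of the three dropped files are present, reads the Read-only/System/Hidden flags on Windows, and parses autorun.inf for the directives that make Explorer run something. The autorun.inf body in demo() is constructed, because the post does not show the real one; it uses the directives an autorun worm typically sets (open=, shellexecute=, shell\<verb>\command= and shell=), which is also why the removal post warns against double-clicking the drive and trusting its right-click menu.

```python
"""Drive-root scanner for the infection described above. Added example, not
the virus or the author's code; SAMPLE_AUTORUN is constructed."""
import configparser
import os
import stat
import tempfile

DROPPED_NAMES = {"isetup.exe", "transmit.exe", "autorun.inf"}
ATTR_FLAGS = (("readonly", stat.FILE_ATTRIBUTE_READONLY),
              ("hidden", stat.FILE_ATTRIBUTE_HIDDEN),
              ("system", stat.FILE_ATTRIBUTE_SYSTEM))
# Directives that make Explorer run something: open= and shellexecute= on
# AutoPlay, shell\<verb>\command= for the drive's default (double-click) and
# context-menu actions, and shell= naming which verb is the default.
LAUNCH_KEYS = ("open", "shellexecute", "shell")


def parse_autorun(text):
    """{directive: target} for the launch directives in an autorun.inf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    found = {}
    for key, value in cp.items(section):  # configparser lower-cases keys
        verb_cmd = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or verb_cmd:
            found[key] = (value or "").strip()
    return found


def file_attrs(path):
    """Read-only/Hidden/System flag names set on `path`; None off Windows,
    where os.stat() has no st_file_attributes."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    if attrs is None:
        return None
    return [name for name, flag in ATTR_FLAGS if attrs & flag]


def scan_drive_root(root):
    """Report dropped files present in `root` and what autorun.inf would launch."""
    present = {}
    for name in os.listdir(root):
        if name.lower() in DROPPED_NAMES:
            path = os.path.join(root, name)
            present[name.lower()] = {"path": path, "attrs": file_attrs(path)}
    report = {"present": present, "launches": {}, "target_exists": {}}
    if "autorun.inf" in present:
        with open(present["autorun.inf"]["path"], errors="replace") as fh:
            report["launches"] = parse_autorun(fh.read())
        for directive, target in report["launches"].items():
            if directive == "shell":  # names a verb, not a file
                continue
            exe = target.split()[0].strip('"') if target else ""
            report["target_exists"][directive] = os.path.isfile(os.path.join(root, exe))
    return report


SAMPLE_AUTORUN = r"""[AutoRun]
open=ISETUP.exe
shellexecute=ISETUP.exe
shell\open\command=ISETUP.exe
shell\explore\command=ISETUP.exe
shell=open
icon=%SystemRoot%\system32\SHELL32.dll,4
"""


def demo():
    """Stage a fake drive root (constructed) and scan it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    for name in ("ISETUP.exe", "TRANSMIT.exe"):
        open(os.path.join(root, name), "w").close()
    return scan_drive_root(root)


if __name__ == "__main__":
    r = demo()
    print("dropped files:", sorted(r["present"]))
    for directive, target in r["launches"].items():
        print(f"{directive:25} -> {target}  exists={r['target_exists'].get(directive)}")
```

On a live stick run scan_drive_root(r"E:\") from a machine that has AutoRun disabled; the attrs field will show the readonly/hidden/system triple on each dropped file, and any shell\...\command entry pointing at a file in the root is the double-click or context-menu hijack the post warns about.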

WRITE TEXT FILE:

  • Dump a text file named PEGASUS.DOC (contains information about me)

P3G4SUS FINALE:

  • Load p3g4sus at startup (hooking the registry)
  • Load the startup anti-deletion key (it monitors whether anyone deletes the p3g4sus auto-start key in the registry; if it is deleted, it puts it back)
  • Do mimic (it imitates legitimate Microsoft Windows programs)

LOOP LOOP LOOP LOOP LOOP LOOP LOOP LOOP
END END END END END END END END END END END