Tuesday, October 28, 2008

Remove BRONTOK Virus

Start your computer in Safe Mode with Command Prompt and type the following commands to re-enable the Registry Editor:

reg delete HKCU\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"
reg delete HKLM\software\microsoft\windows\currentversion\policies\system /v "DisableRegistryTools"

After this, your Registry Editor is enabled again.
Type explorer to start the shell.
Go to Start -> Run and type regedit.
Then navigate to the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete every entry whose name or data contains the words 'Brontok' or 'Tok-'.

After that, restart your system.
Open the Registry Editor again and follow this path to re-enable Folder Options in the Tools menu:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ 'NoFolderOptions'
Delete this value and restart your computer.

Then search all drives for *.exe files (include hidden files and folders in the search)
and delete every executable that is displayed with a folder icon (the virus disguises its copies as folders).

Your computer is now completely free of the Brontok virus. Enjoy!
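As an added example that is not part of the original post, the following Python script automates the registry checks from the steps above. It parses the output of reg query (save it with, for example, reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run > run.txt), flags Run entries whose name or data contains 'Brontok' or 'Tok-', reports the policy values that lock out regedit, Folder Options and Task Manager, and prints the matching reg delete commands for review before you run them. The sample output embedded in it is constructed, not captured from a real machine, and the value names and paths are illustrative.

```python
import re

# Constructed sample of `reg query <key>` output (one indented line per value:
# name, type, data). Value names and paths are illustrative, not real captures.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Tok-Cirrhatus    REG_SZ    C:\Documents and Settings\user\Local Settings\Application Data\smss.exe
    BrontokLoader    REG_SZ    C:\WINDOWS\ShellNew\sempalong.exe
    ctfmon.exe       REG_SZ    C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions    REG_DWORD    0x1
"""

# A value line: leading whitespace, name, REG_* type, data (data may contain spaces).
VALUE_RE = re.compile(r"^\s+(\S.*?)\s+(REG_[A-Z_]+)\s+(.*)$")

# Substrings the post tells you to look for in the Run key.
INDICATORS = ("brontok", "tok-")

# Policy values that lock the user out of regedit, Folder Options and Task Manager.
LOCKDOWN_POLICIES = {"DisableRegistryTools", "NoFolderOptions", "DisableTaskMgr"}


def parse_reg_query(text):
    """Return a list of (key, name, type, data) tuples from reg query output."""
    entries, current_key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, vtype, data = m.groups()
            entries.append((current_key, name, vtype, data.strip()))
    return entries


def find_brontok_run_entries(entries):
    """Run/RunOnce values whose name or data carries a Brontok indicator."""
    hits = []
    for key, name, _vtype, data in entries:
        if not key.lower().endswith(("\\run", "\\runonce")):
            continue
        haystack = (name + " " + data).lower()
        if any(ind in haystack for ind in INDICATORS):
            hits.append((key, name, data))
    return hits


def find_lockdown_policies(entries):
    """Non-zero policy DWORDs that disable regedit, Folder Options or Task Manager."""
    return [(key, name, data) for key, name, vtype, data in entries
            if name in LOCKDOWN_POLICIES and vtype == "REG_DWORD" and int(data, 16) != 0]


def cleanup_commands(run_hits, policy_hits):
    """Build the reg.exe commands an admin would review, then run, to undo the changes."""
    cmds = []
    for key, name, _data in policy_hits:
        cmds.append(f'reg delete "{key}" /v "{name}" /f')
    for key, name, _data in run_hits:
        cmds.append(f'reg delete "{key}" /v "{name}" /f')
    return cmds


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_QUERY)
    runs = find_brontok_run_entries(parsed)
    policies = find_lockdown_policies(parsed)
    for key, name, data in runs:
        print(f"suspicious Run entry: {name} -> {data}")
    for key, name, data in policies:
        print(f"lockdown policy set: {name} = {data}")
    print("\n".join(cleanup_commands(runs, policies)))
```

To use it on a real machine, replace SAMPLE_REG_QUERY with the text of a saved reg query listing of the Run, RunOnce and Policies keys; the script only reads and prints, so the delete commands are applied only if you paste them into the Safe Mode command prompt yourself.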

Monday, October 27, 2008

Disable and Remove Windows Genuine Advantage Notifications Nag Screen part 3

The “Windows Genuine Advantage Notifications” update (KB905474) cannot be uninstalled from Add/Remove Programs in Control Panel by default, contrary to the claim in the knowledge base article. To make the KB905474 WGA Notifications tool removable, follow the steps below:
Note: It seems that it is not possible to uninstall WGA Notifications from Add/Remove Programs. Cobolhacker has details on why KB905474 cannot be uninstalled. The suggested steps to “uninstall” it are: search for and delete all WgaTray.exe and WgaLogon.dll files on your boot drive (if you use Search, tick the “Search system folders”, “Search hidden files and folders” and “Search subfolders” checkboxes); delete all the registry keys under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon; and, to remove the entry from the Add/Remove Programs list, delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify. After uninstallation, WGA Notifications will try to install itself again the next time updates are offered.

1. Click on Start.
2. Click on Run.
3. Type regedit in the Run text box.
4. Click OK or press Enter.
5. In Registry Editor, browse to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify

6. In the right pane, right-click the NoRemove value, choose Modify, and set it to 0.
7. Exit the Registry Editor.
8. Re-launch Add/Remove Programs; Windows Genuine Advantage Notifications (KB905474) is now removable.
Prevention is always better than cure. So the best way to avoid having the KB905474 Windows Genuine Advantage Notification application automatically downloaded and applied by Automatic Updates is to disable Automatic Updates. Go to Automatic Updates in Control Panel and disable it by selecting Turn off Automatic Updates, or, if you still want to receive the critical patches from Microsoft, select Download updates for me, but let me choose when to install them, or Notify me but don’t automatically download or install them. Remember to uncheck (deselect) Windows Genuine Advantage Notification (KB905474) when prompted to install any updates.
If you have already installed the WGA update, you can use the hacked/cracked version of LegitCheckControl.dll (the newer version suggested by tyler) to remove the annoying nagging message. (For the old version:) Windows Update will still ask you to install it, since the newer version is 1.5.526, unless a newer version of the cracked LegitCheckControl.dll is available. You may, however, try to “up” the version of the hacked LegitCheckControl.dll yourself using the following method:
1. Get the patched/hacked “LegitCheckControl.dll” from the internet (e.g. from the link above or any file-sharing service).
2. Install Resource Hacker if you haven’t already.
3. Open both “LegitCheckControl.dll” files (the original in Windows\System32 and the hacked version) with Resource Hacker. Go to “Version Info” and replace the version info of the patched file with the version information from the new original LegitCheckControl.dll:

1 VERSIONINFO
FILEVERSION 1,5,526,0
PRODUCTVERSION 1,5,526,0
FILEOS 0x4
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "040904B0"
{
VALUE "CompanyName", "Microsoft Corp."
VALUE "FileDescription", "Windows Genuine Advantage Validation"
VALUE "InternalName", "LegitCheckControl"
VALUE "LegalCopyright", "Copyright © 1995-2004 Microsoft Corp."
VALUE "LegalTrademarks", "Microsoft® is a registered trademark of Microsoft Corporation."
VALUE "OriginalFilename", "LegitCheckControl.dll"
VALUE "ProductName", "Microsoft® CoReXT"
VALUE "FileVersion", "1.5.0526.0"
VALUE "ProductVersion", "1.5.0526.0"
VALUE "PrivateBuild", "Built by gacald on WGA-FILE-SVR."
}
}

BLOCK "VarFileInfo"
{
VALUE "Translation", 0x0409 0x04B0
}
}

4. Save the file.
5. Put the modified version of the hacked LegitCheckControl.dll in the Windows\System32 folder, replacing the original from Microsoft.
Besides, the WGA Notifications tool is also reported to be bypassable by emptying (deleting the contents of) data.dat in C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data, as detailed here.
If you disable Automatic Updates, you can always download updates from Windows Update or Microsoft Update using the hacks and tips from here and here. If you are told that you must install KB905474, the above tricks should disable the check for the presence of the KB905474 notification application. Again, remember to deselect Windows Genuine Advantage Notification (KB905474), which will be listed in the High Priority section and selected for you by default.
Note: See the tidier article on how to bypass and disable WGA with various tricks and hacks, or a host redirect method to make Windows genuine permanently.

part 1 2 3

Disable and Remove Windows Genuine Advantage Notifications Nag Screen part 2

Seventh Method

This method doesn’t remove the WGA Notifications tool; it just disables the annoying pop-ups and nag screens. Currently, you can opt out of receiving all the pop-ups on start-up and be left with just the star.

Right-click the WGA star in the system tray and choose ‘Change notification settings’. When the web page has loaded, click the + next to “Windows Genuine Advantage Notifications Options”. Then untick (unselect) the “Display Windows Genuine Advantage Notifications messages” box and click “Save Settings”.

The page will now refresh with a new option, “I understand that I am disabling the display of messages in this version of Windows Genuine Advantage Notifications”. Tick the box and click “Yes, I’m Sure”. After that, reboot the PC and all the nags will be gone; the blue star WGA icon stays in the taskbar, but it no longer pops up any warning messages.

Best of all, this is the legal way of getting rid of the annoying warning messages, although Microsoft has said this option will only be around temporarily.

Eighth Method

Install the ZoneAlarm firewall and configure it to kill or disallow “WGA” in the allowed-programs section.

Ninth Method

Download and install Autoruns from www.sysinternals.com. Run the program, go to the WinLogon tab and uncheck (disable) the WgaLogon, as suggested by PSnet.

Tenth Method

Steve suggested the following:

1. Go to \windows\system32 in Explorer
2. Rename WgaLogon.dll to WgaLogon.dll.bak
3. Create a new empty WgaLogon.dll in Notepad and save it to the same location
4. Right-click on the task bar, and open Task Manager at the Processes tab
5. (Quickly) delete WgaTray.exe; it will then give you approx. 5 seconds to click on WgaTray.exe in Task Manager, click End Task, and confirm
6. Restart your computer and the login and nag messages should be gone

Again, this method will help to disable the WGA warning notifications only.

Eleventh Method

Dhillip wrote a utility, Windows Genuine Advantage Notifications Remover, which can help remove the warning messages.

Melhacker also wrote the WGARemover tool to remove WGA.

Note: The file WGANotify Remover has been deleted, and all of these are assumed to no longer work with the new version of WGA.

Twelfth Method

WGA Notifications Patch is a series of steps to disable the notification messages, suggested by Tekken.

Thirteenth Method

Download WGAFixer (WGAFixer1.5.530.0.exe), which replaces LegitCheckControl.dll version 1.5.530.0 and modifies the WGA-related registry entries.

Fourteenth Method

If you have installed KB905474 (Windows Genuine Advantage Notifications), which is currently an optional component although it’s grouped as a High Priority Update, there is no official and proper way of uninstalling KB905474 (according to the EULA, you can’t uninstall it). However, there seems to be a way to uninstall, or at least partly remove, KB905474 WGA Notifications, suggested by TechTics:

1. Click on Start -> Run.
2. In the Open text box, key in %windir%\system32\wgatray.exe /u
3. Press OK or Enter to execute it.
4. Click on Start -> Run again.
5. Launch Registry Editor by keying in regedit in the Open text box.
6. Navigate to the following key and delete the key and its whole branch:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon

7. Reboot the PC and WGA Notifications should be removed.
8. Optionally, you may delete the WgaTray.exe and WgaLogon.dll installed by KB905474, and its software distribution folder, using the following commands in the Run box:

cmd /c "del %windir%\system32\wgatray.exe"
cmd /c "del %windir%\system32\WGAlogon.dll"
cmd /c "rmdir /s /q %windir%\SoftwareDistribution\Download\6c4788c9549d437e76e1773a7639582a"

However, this method only removes the WGA warning notifications about pirated Windows, and you will almost immediately be asked to install KB905474 again. So be sure to unselect KB905474 when asked to install updates by Automatic Updates or Microsoft/Windows Update.

Fifteenth Method

A registry hack for WGA suggested by PBLee. Copy the text below into Notepad (including the ‘Windows Registry Editor Version 5.00’ heading), then save the file as a .reg file. Alternatively, download the wga.reg fix here or here. Double-click the file to apply the registry patch.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,6c,00,6c,00,00,00
"Event"=dword:00000001
"InstallNotifyShown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,69,56,c4,80,41,b9,4a,43,bf,97,3b,98,06,7e,34,57,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,14,d8,49,b1,9b,43,d1,7b,\
b9,7c,85,a2,9c,f6,c8,b7,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,e4,\
59,49,a2,0f,ee,a6,23,78,e5,c8,91,3e,f7,40,64,70,06,00,00,1a,2b,76,12,0e,6c,\
b9,0e,f2,68,c3,ba,11,32,b8,e4,1c,4d,63,45,b4,42,e6,b8,95,49,31,9c,45,ab,21,\
39,25,c2,a5,6d,36,3d,63,a4,75,e7,97,05,c7,62,52,76,9b,71,26,06,ae,28,08,77,\
22,d0,21,9d,1b,f9,ea,7a,b3,b1,07,2c,6b,17,48,06,10,1e,10,48,06,32,a6,fb,16,\
cf,b7,2e,d6,00,42,d8,2e,47,ad,87,45,2a,7e,c8,5a,1c,e3,99,dc,3c,8c,a7,29,a4,\
cd,ad,c8,d9,52,64,d9,16,00,81,ff,66,fd,f2,d2,17,ee,92,8d,a4,38,06,70,63,f9,\
0b,55,be,b5,c0,5a,8a,3e,b9,fb,13,8c,c1,df,50,61,d5,60,89,9a,0d,36,0d,3f,2e,\
77,7c,04,ef,8d,76,41,07,75,27,d2,ac,11,62,1a,7f,91,35,22,4f,0e,92,6d,2d,45,\
e9,e3,ad,0e,33,46,b4,03,b5,94,2d,9b,d7,f1,62,f9,0e,b1,9f,56,bd,80,7a,44,06,\
9f,80,19,45,bd,04,56,9c,5d,eb,fb,10,59,cd,5e,02,66,b6,af,de,d0,4e,08,ca,ff,\
44,d6,e6,a6,b1,50,cd,e9,de,f6,b9,06,90,45,f8,c7,ec,44,73,b8,8f,0f,3d,27,a7,\
32,42,2d,04,c1,a2,e2,c2,23,70,97,10,09,a2,05,00,58,95,00,94,7f,74,4e,18,e0,\
0d,e7,be,3e,2c,3e,7c,5d,c4,26,fd,bb,08,e0,c8,01,2e,db,5a,51,80,8f,f4,3e,6e,\
53,52,3d,a7,52,aa,c6,8e,fd,33,26,03,e8,3d,81,d8,c5,82,0a,ce,14,ae,29,d4,16,\
0f,7d,83,30,d1,4d,13,d9,72,52,8f,db,4c,43,63,cb,dc,97,a8,86,83,85,e6,ad,00,\
a2,13,23,c8,3a,f0,50,a7,58,ae,eb,b3,e6,1f,a4,5f,6f,5d,a1,1b,c8,1f,9e,c4,ed,\
48,53,1d,82,0d,1c,a2,6f,b6,8a,67,1a,bc,c8,de,2a,56,d9,7a,b6,e9,83,28,ab,44,\
fb,06,0b,3b,0d,9f,3e,e5,3e,5f,ff,97,eb,0c,9f,b8,4a,8b,6a,fc,91,34,64,ac,7e,\
e8,41,5d,ae,3c,59,71,2f,67,08,9c,a2,d6,88,8f,3c,e9,a9,eb,fc,b9,77,c6,ff,b6,\
66,24,b7,65,31,0e,95,64,5f,5e,af,f1,a3,f1,f2,16,f9,53,52,f1,46,77,31,4b,ad,\
62,ed,38,93,d4,c0,e9,50,db,b8,7f,68,c5,89,c9,58,a6,e2,17,9c,5b,35,54,3b,9e,\
28,6e,39,8c,bf,01,b8,3a,7a,2f,ee,07,54,ec,84,90,4b,a2,4e,24,06,19,da,e9,f3,\
1d,b1,a0,f8,1d,fc,c3,42,1a,d0,42,ba,95,8b,4b,af,16,6d,35,3e,a2,d3,9b,a1,39,\
2f,d7,a0,50,51,8e,2c,52,87,67,17,26,54,7e,de,7d,ed,68,97,66,1b,5a,c0,3f,8d,\
22,b7,8f,21,1b,51,7a,28,67,d4,ed,81,cf,fc,94,0b,ca,14,c6,8d,85,2b,e2,a5,5e,\
2a,70,50,70,59,1e,a2,aa,d8,cc,eb,59,89,36,ca,b8,15,e9,3b,14,82,86,20,9f,8a,\
45,cd,35,0c,fb,1f,52,d0,26,27,f8,ff,e3,ae,b4,80,75,c6,7b,b1,11,ab,47,8e,3f,\
11,fc,b5,1f,f9,65,e3,8a,e1,6b,68,20,e4,c3,cb,91,1e,03,99,84,48,00,a2,18,9e,\
c8,ae,54,4c,92,99,fd,03,66,17,aa,b0,d7,38,3f,d2,d6,a0,10,f1,ab,09,79,9f,ef,\
0d,5c,45,01,01,1d,cc,12,ce,d0,a4,de,e2,b2,42,45,be,ba,a9,d4,8c,7c,05,d8,7c,\
0e,48,8b,3b,0a,a5,74,90,6e,fa,ce,5f,42,93,51,19,8e,5f,6e,bd,a1,ce,cc,a3,89,\
a6,28,70,e6,0a,c7,38,56,4d,4f,89,35,8d,e1,73,2c,e6,ab,24,aa,d2,dc,cb,09,5e,\
97,aa,f6,cf,9d,ed,4f,4f,b6,27,28,ba,fe,78,f4,be,82,68,86,fb,9f,77,d2,6a,dd,\
72,86,b5,ce,da,bb,29,37,d7,e1,0e,5e,80,77,61,57,1b,6e,ae,ae,11,ae,46,98,3d,\
da,fb,3a,92,a4,8e,68,b7,24,1a,cf,8e,06,8b,63,c3,8b,55,15,c2,df,b1,97,b4,b0,\
4a,99,7d,f7,1b,8b,48,38,74,24,1c,be,c3,57,35,75,ec,ba,3e,3e,f9,03,d7,a6,9f,\
75,8b,91,73,37,27,d9,a1,4c,64,19,28,f4,54,76,81,22,1e,8a,63,c6,b0,5f,f3,f3,\
7e,d8,f6,e1,3a,06,4e,2f,3b,d6,a8,8f,a9,49,26,3d,3d,16,e4,cb,ce,8d,46,26,52,\
38,95,0d,2a,98,77,f1,c7,11,b9,da,1c,f1,c9,60,b1,97,14,4a,d5,40,53,02,f8,5e,\
de,53,27,58,94,bd,00,74,4b,04,16,35,8d,00,b0,dd,fe,43,ef,3f,84,eb,b5,f8,1d,\
72,45,b0,7a,94,99,c9,91,11,59,d5,f6,e6,69,d4,4f,e6,69,d3,cf,75,73,53,9f,82,\
2b,94,68,e4,c2,af,1e,4b,99,ea,c3,1c,9d,20,8f,cd,8d,40,af,bf,e1,be,93,02,de,\
05,40,56,2f,e2,2d,57,c0,24,f3,63,43,0d,3c,4d,de,28,ed,98,96,74,59,a5,83,8e,\
d8,be,09,15,9a,7e,f5,df,95,24,15,07,27,06,11,6a,a1,82,d8,20,35,71,9e,c5,9b,\
56,64,45,43,96,a0,55,23,c4,57,8a,c2,bc,ab,a8,ef,04,a7,27,8b,98,9c,83,5c,a7,\
55,11,d2,61,15,47,e7,d4,da,f9,33,6e,bd,de,9e,5a,eb,39,f2,9b,b2,f8,44,40,01,\
ec,5e,8b,4d,79,d3,df,b2,db,0b,b8,80,b8,9a,7e,fe,1d,08,c9,5d,21,43,23,50,1d,\
0c,a2,aa,d6,53,b9,a6,4c,9f,a2,3e,ee,65,21,46,5c,3c,63,79,68,58,60,94,87,ce,\
3f,f3,82,e9,03,b3,7e,91,ce,3d,dd,42,2a,cd,a6,01,0f,b7,51,0e,1a,b4,bd,7b,7e,\
7d,22,19,15,c3,7f,40,9f,70,de,6a,27,f7,05,b1,e0,95,31,fe,6c,6f,49,62,a1,37,\
be,7e,66,1d,35,7b,ee,1c,e2,46,ef,10,94,d5,c4,97,7d,06,fc,a1,11,9b,1c,17,08,\
5f,8f,d2,5f,fe,2f,56,19,f5,a5,49,b0,9b,ee,5a,e4,88,c1,77,d2,83,90,1f,5b,8a,\
54,77,d5,ca,9d,81,a1,7b,73,a2,31,31,d4,27,57,dc,11,f0,0b,a9,e9,f4,2f,5b,6a,\
3c,db,49,3a,5c,90,19,b9,bc,07,7f,1b,b9,ae,3f,fe,a1,f8,9f,39,0e,34,10,fe,a1,\
8a,04,cd,48,47,c9,ba,a6,35,cc,36,61,51,36,96,a9,2a,a8,c5,61,0c,c3,97,c2,c5,\
71,ae,93,b4,f4,37,68,fb,b9,9a,77,a1,6c,9f,c3,1a,e6,10,63,0c,44,fe,ce,68,44,\
86,07,91,e3,d2,6f,b7,1b,81,5b,14,9b,33,1b,1b,78,31,e8,3e,60,aa,38,59,f2,91,\
e9,75,90,a7,1e,a9,c8,13,c9,a9,3e,0c,8b,44,72,ec,cc,45,d3,11,7b,0e,1c,ac,76,\
ac,0e,52,72,89,17,9d,23,13,af,7c,65,45,76,1d,d5,ab,f5,b0,9e,b4,20,6b,be,b2,\
57,e6,73,ff,6b,69,dc,4a,76,13,c3,e3,e7,41,62,88,a0,54,11,6a,6a,31,f9,b1,25,\
cc,c2,06,dc,d3,88,02,82,69,70,2e,09,9f,64,40,88,c9,ff,6a,ee,66,69,5d,ca,79,\
b9,f0,03,23,b8,c9,1b,d9,f6,9b,d4,65,85,4c,d4,c4,09,fd,a5,45,ad,ad,49,bb,c7,\
fb,b8,2a,46,e1,15,09,1a,5e,1c,e7,16,e6,a7,8b,e4,42,d1,07,8a,ec,b4,eb,d0,09,\
c9,bd,24,89,1f,28,65,99,72,bd,3b,ca,6b,fd,f2,24,63,2a,0b,d9,c7,9a,4b,c1,29,\
21,17,7b,23,60,2c,06,db,ac,64,b7,7d,83,80,0d,ef,58,a8,a5,6f,df,9c,16,0c,5d,\
ff,ec,db,de,72,80,66,7f,0c,65,82,45,c3,b8,9a,5e,cd,0f,3d,bf,5f,cf,93,db,fc,\
5f,89,de,8b,82,88,33,ad,83,d6,bb,fd,f2,24,f5,df,ee,14,00,00,00,af,22,08,52,\
f6,a0,30,d5,4e,c6,b8,bf,fd,67,be,a7,73,67,db,7d

There is another similar registry hack which patches WPA-related registry entries so that Windows assumes it is a genuine copy and has been activated. To apply the registry modification, copy and paste the following code into a text file and save it with a .reg extension. Then simply double-click the .reg file to apply it to the Windows registry. Or, to save yourself the work, download the archive wpa_registry.rar, which contains wpa_registry.reg, and double-click wpa_registry.reg to apply the patch. Once applied, the hack should allow users to access and download updates from Microsoft Windows Update and install certain WGA-protected software such as IE7.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
"LastWPAEventLogged"=hex:d5,07,05,00,06,00,07,00,0f,00,38,00,24,00,fd,02

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"CurrentBuild"="1.511.1 () (Obsolete data - do not use)"
"InstallDate"=dword:427cdd95
"ProductId"="69831-640-1780577-45389"
"DigitalProductId"=hex:a4,00,00,00,03,00,00,00,36,39,38,33,31,2d,36,34,30,2d,\
31,37,38,30,35,37,37,2d,34,35,33,38,39,00,5a,00,00,00,41,32,32,2d,30,30,30,\
30,31,00,00,00,00,00,00,00,00,0d,04,89,b2,15,1b,c4,ee,62,4f,e6,64,6f,01,00,\
00,00,00,00,27,ed,85,43,a2,20,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,31,34,35,30,34,00,00,00,00,00,00,00,ce,0e,\
00,00,12,42,15,a0,00,08,00,00,87,01,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,94,a2,b3,ac
"LicenseInfo"=hex:9e,bf,09,d0,3a,76,a5,27,bb,f2,da,88,58,ce,58,e9,05,6b,0b,82,\
c3,74,ab,42,0d,fb,ee,c3,ea,57,d0,9d,67,a5,3d,6e,42,0d,60,c0,1a,70,24,46,16,\
0a,0a,ce,0d,b8,27,4a,46,53,f3,17
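Before importing any downloaded .reg file, read what it would change. As an added example that is not from the original post, this Python parser reads a .reg export in the format used above, joins the backslash line continuations, decodes the value encodings (quoted strings, dword:, plain hex: binary and hex(2): UTF-16LE strings) and lists which DLLs the file would register under Winlogon\Notify, a location worth auditing because Winlogon loads whatever is registered there. The sample .reg embedded below is a constructed excerpt of the entries above, trimmed to the values that matter for the audit.

```python
import re

# Constructed .reg excerpt in the same format as the exports above, trimmed to
# the entries that matter for the audit. The hex(2) bytes spell "WgaLogon.dll".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Impersonate"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WPAEvents]
"OOBETimer"=hex:ff,d5,71,d6,8b,6a,8d,6f,d5,33,93,fd
"""

# Registry type codes that .reg files spell as hex(<n>); bare hex: is REG_BINARY (3).
TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 7: "REG_MULTI_SZ"}


def _join_continuations(text):
    """Merge lines that end with a backslash (the .reg line-continuation marker)."""
    out, buf = [], ""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith("\\"):
            buf += stripped[:-1]
            continue
        out.append(buf + stripped)
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw):
    """Turn the right-hand side of a .reg assignment into (type name, Python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1)) if m.group(1) else 3
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (1, 2):  # strings stored as UTF-16LE with a NUL terminator
            return TYPE_NAMES[kind], data.decode("utf-16-le").rstrip("\x00")
        if kind == 7:
            return TYPE_NAMES[7], [s for s in data.decode("utf-16-le").split("\x00") if s]
        return "REG_BINARY", data
    return "UNKNOWN", raw


def parse_reg_file(text):
    """Return {key: {value_name: (type, value)}} for a .reg export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = _decode_value(m.group(2))
    return keys


def winlogon_notify_dlls(keys):
    """(package name, DLL) pairs the file would register as Winlogon notification packages."""
    hits = []
    for key, values in keys.items():
        if "\\winlogon\\notify\\" in key.lower() and "DllName" in values:
            hits.append((key.rsplit("\\", 1)[-1], values["DllName"][1]))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_file(SAMPLE_REG)
    for key, values in parsed.items():
        print(key)
        for name, (vtype, value) in values.items():
            print(f"    {name} ({vtype}) = {value!r}")
    print("Winlogon notification packages:", winlogon_notify_dlls(parsed))
```

Point parse_reg_file at the contents of any .reg you are about to double-click; the hex(2) decoding is what turns an opaque byte list like the DllName entry above back into the file name it actually registers.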

Note: See the tidier article on how to bypass and disable WGA with various tricks and hacks, or a host redirect method to make Windows genuine permanently.

Part: 1 2 3

Disable and Remove Windows Genuine Advantage Notifications Nag Screen part 1

This page has been updated; visit the new article on how to bypass and disable WGA, or the way to make your Windows genuine permanently.

Microsoft has released the WGA Notifications application, which effectively turns the Microsoft Windows operating system into ‘nagware’ with a “This copy of Windows is not genuine” warning. What the Windows Genuine Advantage Notifications application does is check the validity of your Microsoft Windows XP. If it finds that the copy of Windows XP is not validated, not genuine, counterfeit, unlicensed, pirated, illegal, unauthorised, or has simply failed the Windows Genuine Advantage validation process, notification messages will appear at various places and times.

Disclaimer: This article is for informational and educational purposes only, as most of the information is found on various parts of the Internet. Readers should contact Microsoft if their licensed or OEM software cannot be validated, or purchase genuine software.


When you log on to a non-genuine copy of Windows XP, the following notification error message, “This copy of Windows is not genuine”, pops up during the logon process:

And the nicely worded “You may be a victim of software counterfeiting” message appears in the bottom right corner of the log-in screen:



Microsoft gives Windows users two options: Get Genuine or Resolve Later. Clicking Resolve Later temporarily bypasses the notification and lets you log in and use Windows, nagged by a notification icon and messages, which randomly appear as balloon notifications with an icon in the notification area (system tray).

Clicking on the balloon notification or the notification area icon will lead you to the Windows Genuine Advantage Validation Failure Web page that contains the specifics of the validation failure and the steps that you can take to make the operating system genuine.
Update: Bypass WGA Validation with Crack or Hack and Disable WGA Notifications Warning Message Workarounds

Latest versions: 1.5.554.0 in October 2006 (distributed to some computers with no known roll-out pattern), 1.5.708.0 in September 2006 (distributed to whoever wants to download it from the Microsoft Download Center), 1.5.540.0 on 28th June 2006, 1.5.532.2 on 6th June 2006, 1.5.532.0 on 30th May 2006, 1.5.530.0 on 23rd May 2006, 1.5.526.0 on 26th April 2006.

More information on WGA Validation Tool (KB892130) and WGA Notifications (KB905474) which install LegitCheckControl.dll, WgaLogon.dll and WgaTray.exe.

With each new release of WGA, some methods no longer work and some have been updated. Several methods have had success for certain people; you may try them until you succeed.
Official Method by Microsoft - more information here.

First Method:

1. Launch Windows Task Manager.
2. End the wgatray.exe process in Task Manager.
3. Restart Windows XP in Safe Mode.
4. Delete WgaTray.exe from c:\Windows\System32.
5. Delete WgaTray.exe from c:\Windows\System32\dllcache.
6. Launch RegEdit.
7. Browse to the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
8. Delete the ‘WgaLogon’ key and all its contents.
9. Reboot Windows XP.
Note: With this method, you may be prompted to install WGA Notifications again, which can still be unselected.
Second Method:

Another alternative, suggested by dman, is to use System Restore to restore the PC to a restore point from before WGA Notifications kicked in, and then carefully stop KB905474 from being applied to the system. To use System Restore, go to Start -> All Programs -> Accessories -> System Tools -> System Restore.

Note: Again, you may be prompted to install WGA Notifications again, so it must be bypassed.
Third Method (updated)

This method involves using a cracked version of LegitCheckControl.dll to replace the original copy of LegitCheckControl.dll, thus bypassing WGA validation and making Microsoft believe that your copy of Windows is genuine. To get rid of the WGA Notifications warning messages, use the patched versions of WgaLogon.dll and WgaTray.exe to replace the existing files.

To apply the patch by replacing the files manually, try to end the respective processes in Task Manager before deleting the existing files. Most likely you will have to restart your PC in Safe Mode in order to replace the original copy of LegitCheckControl.dll and the related files. However, there have been automatic updaters and even cracked WGA installers that automatically apply the patched versions of the WGA files.
Latest Update for WGA version 1.5.708.0
Download the cracked and patched versions of LegitCheckControl.dll, WgaLogon.dll and WgaTray.exe for v1.5.554.0 of the Windows Genuine Advantage Validation Tool and WGA Notifications.
John suggested that it may have been rolled out to reduce the frequency of the ‘phone home’ feature. BetaNews has confirmed this and says Microsoft has completed the pilot phase for WGA Notifications, officially rolling out the anti-piracy reminders to Windows XP users worldwide. Anyway, if the Notifications tool is patched, it won’t call back at all. Swissboy found that there are now 15 languages supported for KB905474 and offers a solution.
The general release version of Windows Genuine Advantage Notifications also has an updated EULA, which says installing this update is optional. However, once installed, the update becomes a permanent part of your Windows XP software, meaning you can’t uninstall it. The EULA also confirms that information about your system will be sent to Microsoft. You can just skip installing KB905474 by clicking “I Decline” when shown the EULA. If you don’t want Automatic Updates or Windows Update to try to install WGA Notifications again, click Don’t ask me to install these updates again in the Decline EULA window.
Latest Update for WGA version 1.5.532.2

Version 1.5.532.2 of the WGA Validation Tool and WGA Notifications has NOT YET been mass-released to all Windows systems, so your system may not have this version.

WindowsXP-KB905474-ENU-x86-1.5.532.2-noWGA.exe (as suggested by swissboy) is the original setup of KB905474, but with the 3 files mentioned above replaced with patched versions and re-packed. You can view the contents with WinRAR or 7-Zip. Download here or here. (Removed due to a complaint from Microsoft)

LegitCheckControl.dll-v1.5.532.2-Jun-02-2006.zip (as suggested by swissboy) contains a hacked version of LegitCheckControl.dll, which you have to replace manually over the existing DLL in the \Windows\System32 folder. Download here or here. (Deleted due to a complaint from Microsoft)

More automated WGA removal tool: RemoveWGA
Latest Update for WGA version 1.5.532.0

LegitCheckControl1.5.532.0.muiz.fixed.rar (suggested by Picard) is the patched LegitCheckControl.dll and can be downloaded here or here (removed due to a complaint from Microsoft).

If LegitCheckControl.dll alone doesn’t work, try patching the other two WGA files too, namely WgaLogon.dll and WgaTray.exe. Download the patches for the 3 files here or here (removed due to a complaint from Microsoft). Overwrite the original files in the \Windows\System32 folder with these hacked versions. The patch should remove the notifications nag screen and allow Windows Update.

There are also several automated tools that save you the dirty work of manually overwriting and replacing the WGA applications.

WGAPatch905474 (suggested by SilverBullet) contains 905474.exe, which will patch Windows to allow access to the full (custom) Windows Update and get rid of the nag screen. Download 905474.exe here or here (removed due to a complaint from Microsoft).

There are also several patched WGANotify KB905474 installation setups which install KB905474 WGANotify with the 3 patched WGA files, namely LegitCheckControl.dll, WgaLogon.dll and WgaTray.exe. One of them is the HotFix windowsxp-kb905474-enu-x86.exe suggested by DeaDMan Walking, which, after installation, disables the notifications nag screen and allows updates. Download here, here or here (removed because of a Microsoft complaint).

WindowsXP-KB905474-ENU-x86-v1.5.532.0-noWGA.exe (suggested by Swissboy) is also a patched KB905474 setup file, which is actually the original setup of KB905474 but with the 3 files replaced. Download it here or here (removed due to a Microsoft complaint).

Old Updates

Version 1.5.530.0 of the cracked LegitCheckControl.dll (suggested by chucko) can also be downloaded here or here (obsolete links; visit here for updates).

Use the latest cracked LegitCheckControl.dll by searching for “Windows.Genuine.Advantage.Validation.v1.5.526.0.CRACKED-ETH0”. It can also be downloaded here (obsolete link; update here). The cracked LegitCheckControl.dll is also available here or here (obsolete links; updates available here). Once you have downloaded the cracked DLL, replace LegitCheckControl.dll in the \Windows\System32 folder with the cracked version. You may need to restart your PC in Safe Mode to replace the files.
Fourth Method

Jules found that disabling and renaming the files ‘WgaLogon.dll’ and ‘WgaTray.exe’ in the C:\WINDOWS\system32 folder using the program Unlocker seems to get rid of all the nags/pop-ups.

Fifth Method

Clear the contents of, or create a new empty, data.dat for WGA, and make data.dat Read-Only and Hidden, as detailed here.

The following steps are basically the same as the data.dat method above; the only difference is that you don’t need to create any file in the WGA data folder:

1. Launch Windows Explorer and go to C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage\data
2. Go to Tools -> Folder Options -> View.
3. Select (click) the Show Hidden Files and Folders option.
4. Unselect (uncheck) the Hide Protected Operating System Files option.
5. Click OK.
6. Delete everything in the data folder.
7. Right-click on the data folder, and select Properties.
8. Select (check) Read-Only as the folder’s attribute.
9. Click OK or Apply.
Update: After 30 May 2006, with the release of WGA 1.5.532.0, this method no longer works. If data.dat is set to “Read-Only”, WGA may complain that the serial key could not be read from the file, making WGA validation fail even with the cracked DLL files. So just delete the file (and make sure the folder is not set to “Read-Only”); WGA will then automatically regenerate the file and create the key, so you will pass validation if you have the correct patched DLL installed.

Sixth Method

Another alternative notes that three files are installed in the Windows XP system folder for WGA:

\WINDOWS\system32\WgaLogon.dll
\WINDOWS\system32\WgaTray.exe
\WINDOWS\system32\LegitCheckControl.dll

The wgatray.exe process performs the check for genuine Windows software. If WgaLogon.dll is denied execute rights, WinLogon is unable to call it to check Windows validity and display the notification package at boot, and since WgaLogon is also responsible for running and maintaining WgaTray.exe, there are no more tray pop-ups either.

To remove the execute permission from WgaLogon.dll:

1. Turn off Simple File Sharing in Tools -> Folder Options -> View tab.
2. Right-click WgaLogon.dll in Windows Explorer and open the Security tab.
3. Click the Advanced button.
4. Uncheck the Inherit box at the bottom.
5. Click the Copy button.
6. Click OK.
7. Go through each listed user/group and remove the “Read & Execute” permission for WgaLogon.dll, leaving the “Read” permission as-is.
8. Click OK to apply the permission changes.
9. Close the file properties dialog.
10. Restart the computer.
11. Turn “Use simple file sharing” back on (optional).
Optionally, the steps suggested by PSNet have the same effect: disabling WgaLogon.dll.

More on…
part 2: More methods and suggestions to bypass WGA
part 3: How you can ‘upgrade’ the version of cracked DLLs by yourself
part 1 2 3

Wednesday, October 22, 2008

How to remove and prevent autorun.inf virus

Have you encountered the message "Task Manager has been restricted by an administrator" when launching Task Manager? I've encountered this a lot of times on my clients' PCs before. This means that the Windows registry has been tampered with by malicious viruses.

What to do next is launch the registry editor by typing "regedit" (without the quotation marks) and pressing the enter key to open it and manually disable the entries prohibiting the launchcing of the task manager. Another way is by starting it through typing at RUN the executable"cmd" or opening the start menu>programs>accessories>command prompt and type "regedit"; but the editor window only opens up for about 10 miliseconds. It is present, however can’t be launched. Your system will restart everytime you launch the command prompt in either way.Updating anti-virus (mcafee ver 8.5i) with its latest virus definitions and scanning the computer solves the problem, but wait! We’re not done yet. Autorun.inf manually still has to be deleted manually.There are several viruses that use autorun.inf to spread themselves; such as the Bacalid, which hides itself in ctfmon.exe, and the RavMon.EXE. These viruses set their file attributes to System+Hidden+Read-Only. These attributes make it hard for some anti-viruses programs to detecti them. These viruses save themselves in the root directory of every available drive of the infected computer and run themselves every time you open the drive. Both USB Sticks and CDs are infected by the virus that runs automatically, especially if drive autorun is enabled for the current drives, which is usually by default.
Autorun.inf is normally used by CD installers to start their setup programs automatically; a hard disk should not have an AUTORUN.INF in its root directory by default.
When I have finished updating the anti-virus and scanning the hard drive, I list the hidden contents of the root directory C:\ from a command prompt with:

dir /ah

If the listing shows a hidden file autorun.inf on drive C, the computer is probably infected. To erase it, restart Windows in Safe Mode with Command Prompt: reboot, press F8 before Windows starts loading, and choose that entry from the Advanced Options menu. In the root of drive C type the following two commands (the attributes have to be cleared first, or del refuses to remove the file):

attrib -h -r -s autorun.inf
del autorun.inf

Repeat these steps in the root directory of every other drive (D:, E:, and so on) so that no autorun.inf is left to run. Also remove the program that the file points to (the open= line inside it names the file), which usually sits next to it in the same root directory.
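Before deleting an autorun.inf it is worth knowing what it would have launched, because that tells you which other files in the drive root belong to the infection. The following is an added example, not code from the original post: it parses an autorun.inf the way Windows reads it (case-insensitive section and key names) and reports every open=, shellexecute= and shell\<verb>\command= target. The sample file content is constructed to resemble the worm files described above (RavMon.exe is a name the post mentions); on Windows the scan_drive_roots() function reads the real file from the root of each drive instead. The list of executable extensions is an assumption of this example.

```python
"""Triage autorun.inf files: list every program one would launch.

Added example for this post, not code from the original. The sample content
below is constructed to look like the worm autorun.inf files described above
(RavMon.exe is a name the post mentions); on Windows, scan_drive_roots()
reads the real file from the root of each drive instead.
"""
import os
import re
import string
import sys

# File types Windows will run when named by open= or a shell\<verb>\command=
# line (assumed list; Windows itself launches whatever ShellExecute accepts).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Constructed sample, modelled on what a worm drops in a drive root.
SAMPLE_AUTORUN = """\
[AutoRun]
open=RavMon.exe
shell\\open\\Command=RavMon.exe
shell\\explore\\Command=RavMon.exe
shell=open
icon=RavMon.exe,0
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Windows is lenient: section and key names are case-insensitive and
    whitespace around '=' is ignored, so a parser stricter than Windows
    would miss files that Windows happily executes.
    """
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower().startswith("autorun")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def first_token(command):
    """Program name from a command line: quoted path or first whitespace token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def launch_targets(values):
    """(key, program) for every line that names something to run."""
    targets = []
    for key, value in values.items():
        if key in ("open", "shellexecute") or re.fullmatch(r"shell\\[^\\]+\\command", key):
            targets.append((key, first_token(value)))
    return targets


def assess(text):
    """Classify one autorun.inf: ('high' | 'suspicious' | 'clean', reasons)."""
    values = parse_autorun(text)
    reasons = []
    for key, program in launch_targets(values):
        if os.path.splitext(program)[1].lower() in EXECUTABLE_EXTS:
            reasons.append(f"{key}= runs {program}")
    runs_something = bool(reasons)
    # shell=<verb> changes what a plain double-click on the drive does.
    if "shell" in values:
        reasons.append(f"shell= makes '{values['shell']}' the default action")
    if runs_something:
        return "high", reasons
    return ("suspicious" if reasons else "clean"), reasons


def scan_drive_roots(letters=string.ascii_uppercase[2:]):
    """Windows only: assess autorun.inf in the root of C: .. Z:.

    os.path.exists sees hidden/system files, which is the point: attrib +h +s
    hides the file from a plain 'dir' but not from the file system API.
    A: and B: are skipped so an empty floppy drive does not raise a dialog.
    """
    findings = {}
    for letter in letters:
        path = f"{letter}:\\autorun.inf"
        if not os.path.exists(path):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                findings[path] = assess(fh.read())
        except OSError as exc:
            findings[path] = ("unreadable", [str(exc)])
    return findings


if __name__ == "__main__":
    results = scan_drive_roots() if sys.platform == "win32" else {"<sample>": assess(SAMPLE_AUTORUN)}
    for path, (risk, reasons) in results.items():
        print(f"{path}: {risk}")
        for reason in reasons:
            print(f"    {reason}")
```

Run it from the Safe Mode command prompt before the del step: every program it names is a file you also have to clear the attributes on and delete, and a file rated "high" in the root of a hard disk is never legitimate.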
Disable AUTORUN from Registry
Now disable AutoRun for all drives in the registry. Open the Registry Editor by typing regedit at the command prompt (if you are still there) or from Start > Run. Navigate to the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer:



Double-click the NoDriveAutorun DWORD value and enter the hexadecimal value FF (255 in decimal). If NoDriveAutorun does not exist, create it: right-click the right-hand pane of the Registry Editor, choose New > DWORD Value and name it NoDriveAutorun. Close the Registry Editor and restart the computer. This stops the autorun function of infected USB drives or CDs and so avoids infection by viruses like Bacalid and RavMon.exe/Ravmone.exe.

Two caveats. NoDriveAutorun is a bitmask of drive letters (bit 0 = A:, bit 1 = B:, and so on up to bit 25 = Z:), so FF covers only drives A: through H:; a USB stick that mounts as I: or later is still allowed to autorun. To cover all 26 letters use 3FFFFFF (hex). The companion value NoDriveTypeAutoRun in the same key works by drive type instead of letter, and FF there disables AutoRun for every type of drive. Both values under HKEY_CURRENT_USER apply only to the logged-on user; put them under the same path in HKEY_LOCAL_MACHINE to cover every account on the machine. Windows XP before update KB967715 did not honour these values consistently for removable drives, so install that update as well. I do hope this helps you in some way. Enjoy!
Credits to Pointblank!
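Because the two AutoRun policy values are bitmasks, it is easy to set one that looks complete but leaves drives uncovered. The following is an added example, not code from the original post: it decodes NoDriveAutoRun and NoDriveTypeAutoRun into the drives and drive types they actually block, builds a mask for a chosen set of letters, and says whether removable media can still autorun. The bit layouts are the documented Windows ones; the sample values used when not running on Windows are constructed (FF from this post and 91, the Windows XP default type mask), and on Windows read_policies() reads the live values through winreg.

```python
"""Decode the two Explorer AutoRun policy values and build correct ones.

Added example for this post, not code from the original. The bit layouts are
the documented Windows ones. On Windows, read_policies() pulls the live values
via winreg; elsewhere the values in __main__ are constructed for illustration.
"""
import string
import sys

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# NoDriveTypeAutoRun bits use the GetDriveType() numbering; 0x02 is never
# assigned to a real drive and 0x80 is a reserved 'unknown' bit.
DRIVE_TYPE_BITS = {
    0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable", 0x08: "fixed",
    0x10: "network", 0x20: "cd-rom", 0x40: "ram-disk", 0x80: "unknown(0x80)",
}


def drives_from_mask(mask):
    """NoDriveAutoRun: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:."""
    return [letter for i, letter in enumerate(string.ascii_uppercase) if mask >> i & 1]


def mask_from_drives(letters):
    """Inverse of drives_from_mask; accepts 'defgh' or ['D', 'E', ...]."""
    return sum(1 << (ord(l.upper()) - ord("A")) for l in letters)


def drive_types_from_mask(mask):
    """NoDriveTypeAutoRun: names of the drive types whose AutoRun is off."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


ALL_DRIVES = mask_from_drives(string.ascii_uppercase)   # 0x03FFFFFF
ALL_TYPES = 0xFF


def explain(no_drive_autorun, no_drive_type_autorun):
    """Summarise one scope (HKCU or HKLM) and judge removable-media exposure.

    Removable media is only safe when either every letter is blocked or both
    the removable and cd-rom types are blocked; the post's FF does neither.
    """
    drives = drives_from_mask(no_drive_autorun or 0)
    types = drive_types_from_mask(no_drive_type_autorun or 0)
    still_allowed = [l for l in string.ascii_uppercase if l not in drives]
    types_cover_media = "removable" in types and "cd-rom" in types
    return {
        "drives_blocked": drives,
        "drives_still_allowed": still_allowed,
        "types_blocked": types,
        "removable_media_safe": types_cover_media or not still_allowed,
    }


def read_policies(hive):
    """Windows only. hive is winreg.HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE.
    Returns (NoDriveAutoRun, NoDriveTypeAutoRun); None where a value is absent."""
    import winreg
    out = []
    for name in ("NoDriveAutoRun", "NoDriveTypeAutoRun"):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, name)
                out.append(int(value))
        except OSError:
            out.append(None)
    return tuple(out)


if __name__ == "__main__":
    if sys.platform == "win32":
        import winreg
        current = read_policies(winreg.HKEY_CURRENT_USER)
        machine = read_policies(winreg.HKEY_LOCAL_MACHINE)
    else:
        # Constructed: the post's FF for HKCU, and XP's default type mask 0x91 for HKLM.
        current, machine = (0xFF, None), (None, 0x91)
    for scope, (nda, ndta) in (("HKCU", current), ("HKLM", machine)):
        print(scope, explain(nda, ndta))
    print("all drives mask: %#x, all types mask: %#x" % (ALL_DRIVES, ALL_TYPES))
```

The decoded output for FF shows drives I: through Z: still allowed, which is exactly the gap a USB stick on a machine with several partitions or card readers falls into; the ALL_DRIVES value (or NoDriveTypeAutoRun = FF) closes it.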

How to Remove SCVHOST.exe or W32/YahLover.Worm.gen

This worm hides under the names SCVHOST.EXE, SCVHOSTS.EXE or SCVVHSOT.EXE (do not confuse them with SVCHOST.EXE, one of the vital programs of Windows; look closely at the spelling). One of my friends emailed me that this virus first spread through Yahoo! Messenger, so if you receive invitations from unknown contacts, ignore them.
McAfee detects it as W32/YahLover.Worm.gen and NOD32 as Win32/Autorun.R.worm. The worm gets onto a computer in one of these ways:
First, it writes an autorun.inf whose Open entry points at the worm. Once you double-click the drive, the worm runs and starts spreading into your system.
Second, it copies itself into all the shared folders reachable on the network and adds its registry entries remotely through the Guest account (via System:Remote).
Attributes of the worm
It blocks Task Manager when you press Ctrl+Alt+Del to launch it.
It blocks the Registry Editor (the worm changes the registry to prevent running Task Manager and the Registry Editor, which makes it harder to detect). The error says "Registry editing has been blocked by an administrator".
It also restarts the computer when you try to go to the command prompt.

It duplicates itself into the shared folders. The copies use a FOLDER icon but have an .exe file extension. WARNING! DO NOT double-click these "folders".
McAfee reports that it also changes the configuration of your Yahoo! Messenger (see McAfee's description).
It autostarts through the Run registry key and appends itself to the Winlogon Shell value after Explorer.exe.

How to remove the worm manually (this worked on my PC and on other systems I have dealt with; if it does not work for you, use an anti-virus such as McAfee or NOD32):
1. Boot the system in Safe Mode with Command Prompt (press F8 when the computer restarts and pick that option from the menu).
2. Log in as Administrator; a command prompt opens after you log in.
3. Type CD C:\WINDOWS\SYSTEM32 (this assumes your Windows system files are on drive C).
4. Type DIR /ah to list the hidden files in this directory. You will see the files the worm uses to spread itself: AUTORUN.INI, BLASTCLNNN.EXE and SCVHOST.EXE.
5. Clear the attributes that protect them, then delete them:
ATTRIB -H -R -S SCVHOST.EXE
ATTRIB -H -R -S BLASTCLNNN.EXE
ATTRIB -H -R -S AUTORUN.INI
DEL SCVHOST.EXE
DEL BLASTCLNNN.EXE
DEL AUTORUN.INI
6. Go back to the root of the drive and remove the autorun.inf there as well:
CD\
ATTRIB -H -R -S AUTORUN.INF
DEL AUTORUN.INF
After removing the worm's files, IT MUST also be removed from the registry, or it will be started again at the next logon.
In the command prompt type REGEDIT and press Enter to run the Registry Editor.
Look for the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. You will see an entry named Yahoo! Messengger (spelled like that, with a double g) whose value is c:\windows\system32\scvhost.exe. Delete this entry. It is worth checking the same Run key under HKEY_LOCAL_MACHINE too, since anything there starts for every user.
Then look for the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. It has an entry named Shell whose value is Explorer.exe SCVHOST.EXE. DO NOT delete this entry!!! Edit it and remove SCVHOST.EXE so that Explorer.exe is the only thing left in the value; Winlogon runs every program named there at logon, which is how the worm survives a reboot.
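The two registry checks above can be done by eye, but the worm's whole trick is a name one letter away from a genuine Windows program, which is easy to miss in a long Run list. The following is an added example, not code from the original post: it flags Run entries whose program name imitates a genuine system binary (a swapped letter pair, a couple of edits, or one extra letter, which covers all three spellings the post gives) and reduces a tampered Winlogon Shell value back to Explorer.exe. The SAMPLE_RUN and SAMPLE_SHELL values are constructed to mirror the entries described in the post; on Windows, read_from_registry() pulls the live HKCU Run entries and the HKLM Shell value through winreg. The list of genuine binaries and the similarity thresholds are this example's own choices.

```python
"""Triage auto-start entries for look-alike names and a tampered Shell value.

Added example for this post, not code from the original. The SAMPLE_* values
are constructed to mirror what the post describes; on Windows,
read_from_registry() pulls the live HKCU Run entries and the HKLM Shell value.
"""
import ntpath
import sys
from collections import Counter

# Genuine Windows programs that worms like to imitate (assumed list).
SYSTEM_BINARIES = ["svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "winlogon.exe",
                   "explorer.exe", "services.exe", "ctfmon.exe", "spoolsv.exe"]

SAMPLE_RUN = {  # constructed
    "Yahoo! Messengger": r"c:\windows\system32\scvhost.exe",       # the post's entry
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",                # genuine
    "Updater": r'"C:\Program Files\Vendor\scvvhsot.exe" /silent',   # another spelling from the post
}
SAMPLE_SHELL = "Explorer.exe SCVHOST.EXE"   # the post's Winlogon Shell value


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and swapping two
    adjacent letters (optimal string alignment), so scvhost vs svchost is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def letter_bag_diff(a, b):
    """Letters that differ ignoring order: scvvhsot vs svchost is 1 (one extra v)."""
    ca, cb = Counter(a), Counter(b)
    return sum(((ca - cb) + (cb - ca)).values())


def executable_of(command):
    """Program path from a Run-value command line (quoted path or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = command.split()
    return parts[0] if parts else ""


def lookalike_of(path):
    """Genuine binary this file name imitates, or None if genuine or unrelated."""
    name = ntpath.basename(path).lower()
    if name in SYSTEM_BINARIES:
        return None
    stem = name.rsplit(".", 1)[0]
    for real in SYSTEM_BINARIES:
        real_stem = real.rsplit(".", 1)[0]
        if osa_distance(stem, real_stem) <= 2 or letter_bag_diff(stem, real_stem) <= 1:
            return real
    return None


def triage_run_entries(entries):
    """[(value name, command, imitated binary)] for suspicious Run entries."""
    findings = []
    for name, command in entries.items():
        imitated = lookalike_of(executable_of(command))
        if imitated:
            findings.append((name, command, imitated))
    return findings


def sanitize_shell(value):
    """Winlogon Shell must be Explorer.exe alone; return (clean value, extras removed)."""
    tokens = value.split()
    extras = [t for t in tokens if ntpath.basename(t).lower() != "explorer.exe"]
    keep = [t for t in tokens if t not in extras]
    return (keep[0] if keep else "Explorer.exe"), extras


def read_from_registry():
    """Windows only: HKCU Run entries and the HKLM Winlogon Shell value."""
    import winreg
    run = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:       # no more values
                break
            run[name] = str(data)
            index += 1
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        shell, _ = winreg.QueryValueEx(key, "Shell")
    return run, str(shell)


if __name__ == "__main__":
    run, shell = read_from_registry() if sys.platform == "win32" else (SAMPLE_RUN, SAMPLE_SHELL)
    for name, command, imitated in triage_run_entries(run):
        print(f"Run value {name!r} starts {command} (imitates {imitated})")
    clean, extras = sanitize_shell(shell)
    if extras:
        print(f"Winlogon Shell also starts {extras}; set it back to {clean!r}")
```

The script only reports; the deletions and the Shell edit are still done by hand in the Registry Editor as described above. Running it against the same keys under HKEY_LOCAL_MACHINE is a two-line change and worth doing on a machine that has several user accounts.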

You could also use this virus remover http://www.technize.com/2008/06/23/smart-virus-remover-14/

Disclaimer: I have tried this process and it works fine on my computer and on other PCs I have dealt with. Try it only if you know how to edit registry entries (at your own risk). I hope this will be of great help. Have a nice day!

Monday, October 20, 2008

...WELCOME TO MY BLOG...

Hello everyone and welcome to my blog. My name is Romel from the Philippines. I work as a computer support specialist and system administrator in a college. The reason I made this blog is that I want to have a diary about my work, keeping and reposting a record of useful information about solutions to computer problems, found on the internet or by self-discovery, and some information technology stuff. With this record of events and information I will be able to check these things online whenever I need them, and people searching for solutions to computer problems might also get help from it. I also encourage comments and feedback; even disagreements would be much appreciated.