D2 Remover (d2 virus removal tool)

Posted by Daniel - 902 Views

Well, it’s a virus removal program. As the title says, it removes the d2 virus from your system. The d2 virus is also known as dkernel, lExplorer, decoil daun and dEngines. Below is information about what the virus does inside an infected system:

Creates lExplore.exe (not iExplore) in c:\windows. The file size is 28 KB.

Creates a folder named I75-D2 in C:\Windows\System32 (WinXP) or in C:\Windows\System (Win98). The folder contains 3 files:

D2.MIX - 39KB
DKERNEL.EXE - 154KB
INZ.D - 1KB

The content of INZ.D looks like this:

[d2]
start=yes
MyName=decoil daun (d2)
MyPath=C:\WINDOWS\System32\I75-D2\dkernel.exe
ComeAt=Jam 18: 5425/01/2006
Level=Moderate (can cange level of virus)
Winamp=C:\PROGRAM FILES\WINAMP\winamp.exe
Tampungan=C:\WINDOWS\System32\I75-D2\dTemp
Author=FM nibO

Copies DKERNEL.EXE to the target folder under other names ending with the .DOC extension. The icon of the copied file is not always the same.

Creates these registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe lExplorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dKernel"="C:\\WINDOWS\\System32\\I75-D2\\dkernel.exe"
"lExplorer"="C:\\WINDOWS\\lExplorer.exe"

If you look at Task Manager, the lExplorer and dkernel processes will be visible. The virus makes the infected system run slower than usual. At 12 PM it displays an annoying graphic, takes over the system and forces you to stop your work. d2 also renames winamp.exe to winamp_d2.exe and creates a copy of itself as winamp.exe. The same is done to winamp.ini.
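A defender's check for the registry persistence entries listed above, as an added example that is not part of the original post or of the D2-Remover tool: it scans a `.reg` export for a Winlogon `Shell` value other than `Explorer.exe` and for `Run` entries pointing at the paths the post names. The sample export and its `ExampleUpdater` entry are constructed, and the expected `Shell` value assumes a default Windows install.

```python
import re

# Constructed sample: a .reg export carrying the values listed in the post,
# plus one benign Run entry (hypothetical) to show that it is not flagged.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe lExplorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dKernel"="C:\\WINDOWS\\System32\\I75-D2\\dkernel.exe"
"lExplorer"="C:\\WINDOWS\\lExplorer.exe"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
'''

# The post spells the dropped file both lExplore.exe and lExplorer.exe, so match either.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
BAD_PATH = re.compile(r'\\i75-d2\\|\\lexplorer?\.exe$', re.I)

def scan_reg_export(text):
    """Return (key, value name, data) for entries matching the post's indicators."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = m["name"], m["data"].replace("\\\\", "\\")
        leaf = key.lower().rsplit("\\", 1)[-1]
        # Assumed default: Shell is exactly Explorer.exe; anything appended also runs at logon.
        if leaf == "winlogon" and name.lower() == "shell" and data.lower() != "explorer.exe":
            findings.append((key, name, data))
        elif leaf == "run" and BAD_PATH.search(data):
            findings.append((key, name, data))
    return findings

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE_REG):
        print("suspicious:", finding)
```

On an affected machine the cleanup for the `Shell` finding is to set the value back to `Explorer.exe`, not to delete it.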

This program was built with Visual Basic 6. It has been tested on the coder’s machine and worked well, but it may not produce the same result on your system. The coder takes no responsibility of any kind. Please use it at your own risk.

Download D2-Remover (8 KB)

Posted in: Tested Software - January 2008

Hi, my name is Daniel Nugraha, a single male living on an island called Java, Indonesia. This is the place for me to share my interest in computer programming.
