Sunday, June 21, 2009

8 Step Cleaning 'Virus'


Jakarta - Meeting Nadia Saphira might make your heart bloom, but what if your computer is infected with the 'Nadia Saphira' virus? Try the steps below...[...]

Here are eight steps to clean the 'Nadia Saphira' virus, alias 'W32/VBTroj.AOQB', from a computer, as described by Vaksincom antivirus analyst Adi Saputra in information received on Tuesday (26/5/2009):

1. Disconnect the computer to be cleaned from the network.

2. Turn off 'System Restore' during the cleaning process (for Windows XP / Vista).

3. Stop the virus that is active in memory. Use a task manager replacement tool such as CProcess (you can download it from the Nirsoft site).

4. Kill the processes of the active virus files, which include:
   * C:\Documents and Settings\All Users\Start Menu\Programs\Startup\lan.exe
   * C:\WINDOWS\system32\misconfig.exe
   * C:\WINDOWS\taskmgr.exe

5. Delete the registry strings created by the virus. To make this easier, you can use the script below.

    [Version]
    Signature="$Chicago$"
    Provider=Vaksincom Oyee

    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del

    ; Restore the default file-type handlers and Explorer settings
    [UnhookRegKey]
    HKCR, batfile\shell\open\command,,,"""%1"" %*"
    HKCR, comfile\shell\open\command,,,"""%1"" %*"
    HKCR, exefile\shell\open\command,,,"""%1"" %*"
    HKCR, piffile\shell\open\command,,,"""%1"" %*"
    HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
    HKCR, scrfile\shell\open\command,,,"""%1"" %*"
    HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
    HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,""%1""
    HKLM, SOFTWARE\Classes\exefile,,,"Application"
    HKLM, SOFTWARE\Classes\exefile, infotip, 0, "prop:FileDescription;Company;FileVersion;Create;Size"
    HKLM, SOFTWARE\Classes\exefile, TileInfo, 0, "prop:FileDescription;Company;FileVersion"
    HKCU, Software\Microsoft\Command Processor, Autorun, 0,
    HKLM, SOFTWARE\Microsoft\Command Processor, Autorun, 0,
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001, 1
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001, 2

    ; Remove the policy values and debugger hooks set by the virus
    [del]
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe

   * Paste the script into Notepad, then save it with the name "repair.inf" (set the Save As Type option to All Files so that no error occurs).
   * Run repair.inf by right-clicking it and selecting Install.
   * Create the repair.inf file on a clean computer, so that the virus is not active.

6. Delete the virus files, which have the following characteristics:
   * Application / folder icon
   * Extension .exe
   * Size 69 KB & 17 KB
   Note:
   * Show hidden files first to make the virus files easier to find.
   * To make the search easier, use Windows Search with the filter *.exe and a file size of 69 KB & 17 KB.
   * Delete the virus files, which usually have the same modified date.

7. Unhide the hidden folders on the drive or flash disk. Use the 'attrib' command in the command prompt.
   * Click 'Start'
   * Click 'Run'
   * Type 'CMD' and press the Enter key
   * Change to the flash disk drive
   * Then type the command attrib -s -h -r /s /d * and press Enter

8. For optimal cleaning and to prevent re-infection, use an antivirus that is up to date and recognizes this virus well.
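
To confirm that step 5 took effect, the registry locations named in repair.inf can be checked with a read-only script. This is an added example, not part of the original article or of Vaksincom's script. The key and value names come from the script above; the rule that a healthy file-type handler starts with "%1" is an assumption of this example.

```powershell
# Read-only audit of the registry locations listed in repair.inf (added example).
# Nothing is modified; the script only reports what is still present.
$findings = @()

# 1. File-type handlers reset by [UnhookRegKey].
#    Assumption: a handler that does not start with "%1" has been redirected.
foreach ($type in 'batfile','comfile','exefile','piffile','lnkfile','scrfile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$type\shell\open\command"
    if (Test-Path -LiteralPath $key) {
        $cmd = (Get-ItemProperty -LiteralPath $key).'(default)'
        if ($cmd -and $cmd -notlike '"%1"*') {
            $findings += "Handler redirected: $type -> $cmd"
        }
    }
}

# 2. Policy values removed by [del].
$policies = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'nofind' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'nofind' }
)
foreach ($p in $policies) {
    $item = Get-ItemProperty -LiteralPath $p.Key -Name $p.Name -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "Policy present: $($p.Key)\$($p.Name) = $($item.($p.Name))"
    }
}

# 3. Image File Execution Options keys removed by [del].
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'msiexec.exe','sessmgr.exe','SPYXX.exe') {
    if (Test-Path -LiteralPath "$ifeo\$exe") {
        $findings += "IFEO key present: $exe"
    }
}

# 4. Command Processor Autorun, which the INF sets to an empty value.
foreach ($hive in 'HKCU:\Software','HKLM:\SOFTWARE') {
    $cp = Get-ItemProperty -LiteralPath "$hive\Microsoft\Command Processor" -ErrorAction SilentlyContinue
    if ($cp.Autorun) {
        $findings += "Autorun set under ${hive}: $($cp.Autorun)"
    }
}

if ($findings) { $findings } else { 'No listed registry changes found.' }
```

On newer Windows versions an Image File Execution Options subkey can exist for legitimate reasons, so treat a hit there as something to inspect rather than as proof of infection.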
