Like most other viruses, the Sandra Dewi virus uses removable flash drives as its means of distribution. The file that the virus creates is Sandra Dewi Bugil.exe.
The cleaning steps are as follows:
* Disconnect the computer that will be cleaned from the network.
* Turn off 'System Restore' during the virus cleaning process (for Windows XP / Vista).
* Terminate the virus that is active in memory. Use a task manager tool such as Process Explorer (can be downloaded at the following address) http://www.sysinternals.com/utils/index.html
* Kill the processes of the active virus files, which are:
o C:\Documents and Settings\%username%\Start Menu\Programs\Startup\Sandra Dewi Bugil.exe
o C:\WINDOWS\Sandra Dewi Bugil.exe (see figure 10)
* Clear the registry strings that have been created by the virus. To make this easier, you can use the script below.
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Policies\Microsoft\Windows\system, DisableCMD
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, StartMenuLogoff
Copy the script into Notepad, then save it with the name 'repair.inf' (set the Save As Type option to All Files so that an error does not occur). Run repair.inf by clicking the File menu in Windows Explorer and selecting Install. The repair.inf file should be created on a clean computer, so that the virus is not active.
* Delete the virus files, which have the following characteristics:
+ Icon of an image (JPEG Image)
+ Exe extension
+ Size 132 kb
Note:
o We recommend showing hidden files to simplify the search for the virus files.
o To make the search easier, use Windows Search with the filter *.exe and a file size of 133 KB.
o Delete the virus files, which usually have the same modified date. (see figure 11)
* For optimal cleaning and to prevent re-infection, you should use an antivirus that is up to date and recognizes this virus well. You can also use the Norman Malware Cleaner tool, which you can download from http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe
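A read-only check to run after applying repair.inf and deleting the files, confirming that the registry values listed in the script and the two file locations named above are clean. This is an added example, not part of the original article; it assumes PowerShell is installed on the machine and that it is run as the affected user.

```powershell
# Added example (not from the original article): verifies the cleanup, changes nothing.
# Run as the affected user, because the restriction values live under HKCU.
$findings = @()

# 1. [UnhookRegKey]: every open command must be exactly "%1" %*
$expected = '"%1" %*'
foreach ($class in 'batfile','comfile','exefile','piffile','lnkfile','scrfile') {
    $key = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\$class\shell\open\command" -ErrorAction SilentlyContinue
    $actual = if ($key) { $key.GetValue('', $null, 'DoNotExpandEnvironmentNames') } else { $null }
    if ($actual -ne $expected) { $findings += "HKCR\$class open command is '$actual'" }
}

# 2. [del]: the values the script deletes should no longer exist
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$restrictions = @{
    "$policy\System"   = 'DisableRegistryTools','DisableMsConfig','DisableTaskMgr'
    "$policy\Explorer" = 'NoFolderOptions','NoFind','NoClose','NoControlPanel','NoRun',
                         'NoStartMenuMorePrograms','NoViewContextMenu','NoViewOnDrive','StartMenuLogoff'
    'HKCU:\Software\Policies\Microsoft\Windows\system' = @('DisableCMD')
    'HKCU:\Software\Microsoft\Internet Explorer\Main'  = @('Window Title')
}
foreach ($path in $restrictions.Keys) {
    $props = Get-ItemProperty -LiteralPath $path -ErrorAction SilentlyContinue
    foreach ($name in $restrictions[$path]) {
        if ($props -and $props.PSObject.Properties[$name]) { $findings += "$path\$name is still set" }
    }
}

# 3. "Show hidden files" must work again: SHOWALL CheckedValue = 1
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
$checked = (Get-ItemProperty -LiteralPath $showAll -ErrorAction SilentlyContinue).CheckedValue
if ($checked -ne 1) { $findings += "SHOWALL CheckedValue is '$checked', expected 1" }

# 4. The two file locations listed in the kill-process step
$files = "C:\Documents and Settings\$env:USERNAME\Start Menu\Programs\Startup\Sandra Dewi Bugil.exe",
         'C:\WINDOWS\Sandra Dewi Bugil.exe'
foreach ($file in $files) {
    if (Test-Path -LiteralPath $file) { $findings += "File still present: $file" }
}

if ($findings) { $findings } else { 'No leftovers found in the checked locations.' }
```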
Taken From DetikInet