Virus is the real destroyer for our system, and till now the virus growth rapidly. W32/Smalltroj. VPCG virus is the popular things. This virus block all access to security website and some selected website and forwarded to Ip 209.85.225.99, its the google Ip address. so if user seach website that blocked by that virus, transfered to www.google.com.
Thereis tips and trick to handle this virus :
1. Disable System Restore, while cleaning processing.
2. Disconnect Computer from internet connection and Lan.
3. Rename [C:\Windws\system32\msvbvm60.dll] to prevent virus reactive.
4. Clean system with Tools Windows Mini PE Live CD, because many rootkit imitate service and driver. please download the software from [http://soft-rapidshare.com/2009/11/10/minipe-xt-v2k50903.html]. than booting computer from live CD. after that delete main file for virus with step :
l Klik menu [Mini PE2XT]
l Klik menu [Programs]
l Klik menu [File Management]
l Klik menu [Windows Explorer]
l Then delete the file below :
o C:\Windows\System32
§ wmispqd.exe
§ Wmisrwt.exe
§ qxzv85.exe@
§ qxzv47.exe@
§ secupdat.dat
o C:\Documents and Settings\%user%\%xx%.exe, when xx is random character (example: rllx.exe)
o C:\windows\system32\drivers
§ Kernelx86.sys
§ %xx%.sys, when xx is random character with size 40 KB (example: mojbtjlt.sys or cvxqvksf.sys)
§ Ndisvvan.sys
§ krndrv32.sys
o C:\Documents and Settings\%user%\secupdat.dat
o C:\Windows\inf
§ Netsf.inf
§ netsf_m.inf
5. delete registri that created by virus, with "Avas! Registry Editor" :
l Klik menu [Mini PE2XT]
l Klik menu [Programs]
l Klik menu [Registry Tools]
l Klik [Avast! Registry Editor]
l click menu "Load....."
l delete registry :
Ø HKEY_LOCAL_MACHINE\software\microsoft\windows\currentvers
on\run\\ctfmon.exe
Ø HKEY_LOCAL_MACHINE\system\ControlSet001\services\kernelx86
Ø HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\kernelx86
Ø HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\passthru
Ø HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\ctfmon.exe
Ø HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
ü change value at string Userinit = userinit.exe,
Ø HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
ü %windir%\system32\ wmispqd.exe = %system%\ wmispqd.exe:*:enabled:UpnP Firewall
Ø HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List
ü %windir%\system32\ wmispqd.exe = %system%\ wmispqd.exe:*:enabled:UpnP Firewall
Ø HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
ü %windir%\system32\ wmispqd.exe = %system%\ wmispqd.exe:*:enabled:UpnP Firewall
Ø HKEY_LOCAL_MACHINE\system\ControlSet001\services\%xx%
Ø HKEY_LOCAL_MACHINE\system\CurrentControlSet\services\%xx%
note:
%xx% is random character, this key create to run .SYS with size 40 KB in directory [C:\Windows\system32\drivers\]
6. Restart komputer, rebuild registry with copy the script below to notepad with name repair.inf, right click repair.inf choose install.
[Version]
Signature="$Chicago$"
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, software\microsoft\ole, EnableDCOM,0, "Y"
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallDisableNotify,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,AntiVirusOverride,0x00010001,0
HKLM, SOFTWARE\Microsoft\Security Center,FirewallOverride,0x00010001,0
HKLM, SYSTEM\ControlSet001\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\ControlSet002\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Control\Lsa, restrictanonymous, 0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0x00010001,0
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe
HKLM, SYSTEM\ControlSet001\Services\kernelx86
HKLM, SYSTEM\ControlSet002\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\kernelx86
HKLM, SYSTEM\CurrentControlSet\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\mojbtjlt
HKLM, SYSTEM\ControlSet002\Services\mojbtjlt
HKLM, SYSTEM\ControlSet001\Services\Passthru
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, DoNotAllowXPSP2
HKLM, SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe
7. Delete temporary file and temporary internet file with free software ATF-Cleaner. Download tools at http://www.atribune.org/public-beta/ATF-Cleaner.exe.
8. Restore host with tools Hoster, just download from http://www.softpedia.com/progDownload/Hoster-Download-27041.html. click [Restore MS Host File] to restore host.
9. To prevent re attack from virus, please use the uptodate anti virus.
Have a nice try.
Langganan:
Posting Komentar (Atom)
Tidak ada komentar:
Posting Komentar