7 Steps to Eradicate the "K0pL4xZ" Virus
The "K0pL4xZ" virus, detected as VBWorm.QTT, targets computer users, especially those with many Office files, by changing the icons and file types of Microsoft Office documents.
Fortunately, this virus does not destroy the Office files themselves. The virus is written in Visual Basic and disguises itself with the "Windows Media Player Classic" icon while keeping the Application (exe) file type. To clean it, follow the steps below:
1. Disconnect the computer to be cleaned from the network (LAN).
2. Turn off "System Restore" during the cleaning process.
3. Terminate the virus process that is active in memory. Use the KillVB tool to kill the process in memory. Download the tool at: http://www.compactbyte.com/brontok/killvb.zip
4. Repair the registry entries modified by the virus. To speed up the repair, copy the script below into Notepad and save it with the name "Repair.inf". Run the file as follows:
- Right-click repair.inf
- Click Install
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell, 0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page, 0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main, Search Page, 0, "about:blank"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue, 0x00010001, 0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue, 0x00010001, 1
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization, 0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner, 0, "Owner"
HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName, 0, "@C:\Windows\system32\notepad.exe,-469"
HKLM, SOFTWARE\Classes\Word.Document.8,,,"Microsoft Word Document"
HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe,1"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,,"Microsoft PowerPoint Presentation"
HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe,1"
HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,"Microsoft Excel Worksheet"
HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe,1"
HKLM, SOFTWARE\Classes\Access.Application.11,,,"Microsoft Office Access Application"
HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe,1"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001, 1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001, 0
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001, 1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, WarningIfNotDefault, 0, "@shell32.dll,-28964"

[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Internet Explorer\
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System, DisableRegistryTools
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System, DisableTaskMgr
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell
HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, Cintaku
HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName
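As an added example (not part of the original post or of Vaksincom's script), here is a small Python audit that checks the registry values Repair.inf restores and deletes, so you can confirm the repair took effect or spot the same tampering on another machine. The key list and clean defaults come from the script above; the function names and the "infected" sample snapshot are constructed for illustration. On Windows it reads the live registry with winreg, elsewhere it runs against the constructed sample.

```python
import sys
# Clean values the page's AddReg section restores: (key, value name) -> expected data.
EXPECTED = {
    (r"HKLM\Software\Classes\exefile\shell\open\command", ""): '"%1" %*',
    (r"HKLM\Software\Classes\regfile\shell\open\command", ""): 'regedit.exe "%1"',
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
    (r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
}
# Values the page's DelReg section removes: if still present, the lockout or autorun is active.
SHOULD_BE_ABSENT = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "System"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run", "Cintaku"),
]

def audit(snapshot):
    """snapshot: {(key, value name): data, or None if missing}. Returns finding strings."""
    findings = []
    for kv, want in EXPECTED.items():
        got = snapshot.get(kv)
        if got is None or got.strip().lower() != want.lower():
            findings.append(f"TAMPERED {kv[0]} [{kv[1] or '(Default)'}]: {got!r}, expected {want!r}")
    for kv in SHOULD_BE_ABSENT:
        if snapshot.get(kv) is not None:
            findings.append(f"PRESENT {kv[0]} [{kv[1]}] = {snapshot[kv]!r}")
    return findings

def read_live_snapshot():
    """Windows only: read the same (key, value) pairs from the live registry via winreg."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snap = {}
    for key, name in list(EXPECTED) + SHOULD_BE_ABSENT:
        hive, _, sub = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                snap[(key, name)] = str(winreg.QueryValueEx(h, name)[0])
        except OSError:  # key or value does not exist
            snap[(key, name)] = None
    return snap

# Constructed snapshot of an infected machine (sample data, not captured): exefile hijacked
# to run the dropped C:\Windows\svchost.exe copy, Task Manager disabled, Run entry planted.
INFECTED = dict(EXPECTED)
INFECTED[(r"HKLM\Software\Classes\exefile\shell\open\command", "")] = r'"C:\Windows\svchost.exe" "%1" %*'
INFECTED[(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")] = "1"
INFECTED[(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run", "Cintaku")] = r"C:\Windows\svchost.exe"

if __name__ == "__main__":
    snap = read_live_snapshot() if sys.platform == "win32" else INFECTED
    print("\n".join(audit(snap)) or "no tampering found")
```

Run it after applying Repair.inf and rebooting; an empty result means every checked value matches the clean defaults and none of the deleted policy or Run values has come back.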
5. Delete the file "C:\Windows\desktop.ini" (the file that changes the folder icon into the Windows Control Panel icon). Use the DOS prompt to delete the file.
6. Find and delete the parent virus files on the hard disk and flash disk; first enable showing hidden files. To speed up the search, use Windows Search.
Here are some of the parent files created by Koplaxz:
C:\Documents and Settings\%username%\Start Menu\Programs\Startup
    Winhelp.exe
C:\Documents and Settings\%username%\Start Menu\Programs
    Hellloo_Gheea.exe
C:\Documents and Settings\%username%\My Documents
    Jangan_Dihapus_Apalagi_Dibuka.exe
C:\Documents and Settings\%username%\Start Menu
    Koplaxz Kudo Shop.exe
C:\Documents and Settings\%username%\Start Menu\Programs
    Hellloo_Gheea..exe
C:\Windows
    TourWindowsXP.exe
    svchost.exe
    Kudo.com
    command32.pif
    KopLaXz@KudoShop.exe
C:\F4HM1_KudO_M4n4j3r.exe
C:\G0d3G.exe
C:\Ghe@_i_miss_u.3gp.exe
C:\K0pL4xZ.exe
C:\K 0 P L 4 X Z.exe
C:\KopLaXz@KudoShoP.exe
C:\R0n13G4N_G3Ndut_S3xY.exe
C:\R3eve5.exe
C:\K0pL4xZ@KudoShop (folder)
    folder.htt
    msvbvm60.dll
    K0pL4xZ.exe
C:\K0pl4xZ@KudoShop\K0pL4xZ.exe
C:\[space]WINDOWS\System_FriendZ_KopLaXz32 (the folder name begins with a space)
    F4HM1_KudO_M4n4j3r.exe
    G0d3G.exe
    K 0 P L 4 X Z.exe
    R0n13G4N_G3Ndut_S3xY
    R3eve5.exe
C:\[space]Windows\Zx4Lp0K.html
C:\WINDOWS\system32\smkn2majalengka.scr
C:\Windows\system32\PCMAV.exe
C:\Windows\system32\Asholest.exe
C:\Documents and Settings\%username%\SendTo\KoPLaXzKudo (e-mail).exe
C:\Autorun.inf (all drives)
C:\Desktop.ini (all drives)
C:\A Letter Ghe@4.txt (all drives)
C:\K0pL4xZ@kUdO_5h0P.txt
C:\Documents and Settings\All Users\Desktop\A Letter Ghe@4.inf
C:\WINDOWS\desktop.ini
Then delete any files that have the characteristics of the parent virus:
- Icon: "Windows Media Player Classic" / 3GP video format
- Size: 31 KB
- Extension: EXE, PIF, SCR, and COM
- File type: "Application"
Delete the following files:
C:\Autorun.inf (in the root of each drive, e.g. C:\ or D:\)
C:\Desktop.ini (in the root of each drive, e.g. C:\ or D:\)
C:\A Letter Ghe@4.txt (in the root of each drive, e.g. C:\ or D:\)
C:\K0pL4xZ@kUdO_5h0P.txt (in the root of each drive, e.g. C:\ or D:\)
C:\K0pL4xZ@KudoShop (in the root of every drive and flash disk)
C:\Documents and Settings\All Users\Desktop\A Letter Ghe@4.inf
C:\[space]WINDOWS (the folder name begins with a space)
C:\[space]Windows\Zx4Lp0K.html
7. For optimal cleaning and to prevent re-infection, scan the computer with an up-to-date antivirus.