He never ceases to disseminate their knowledge and never leave them alive forever. This article is how to remove the virus amburadul Varian for all without antivirus program can be cleaned simply by using the technical manual.
The easy way to tell if your computer infected by this virus will be JPEG files with the extension application. Now let's start removing!
1. Unplug your computer infected its network to stop the spread of this virus.
2. Turn off "System Restore" when in the cleaning process.
3. Killing the virus process using power tools "currprocess" kill all processes with JPG icon.
4. Repair registration that has already changed by the virus using this code and save as
repair.inf :
[Version]
Signature="$Chicago$"
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0,
"Explorer.exe"
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,
UncheckedValue,0x00010001,0
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0x00010001,1
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0x00010001,1
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
UncheckedValue,0x00010001,1
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
CheckedValue,0x00010001,0
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
DefaultValue,0x00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,
type,0, "checkbox"
HKLM,
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,
type,0, "checkbox"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
ShowSuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
SuperHidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HideFileExt,0x00010001,0
[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\PCMAV
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Setup.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Install.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution
Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer,
LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
5. Remove virus captain in %systemroot%\system32\~A~m~B~u~R~a~D~u~L~ before doing so you have to make hidden files are made visible.
Then, delete the file from this list:
csrcc.exe
smss.exe
lsass.exe
services.exe
winlogon.exe
Paraysutki_VM_Community.sys
msvbvm60.dll
Drive: \ autorun.inf
Drive: \ FoToKu xx-x-*. exe, where "x" indicates the date on which the virus
active
Drive: \ Friendster Community.exe
Drive: \ J3MbataN K4HaYan.exe
Drive: \ MyImages.exe
Drive: \ PaLMa.exe
Drive: \ Images
6. Don`t forget to install anti virus up to date.
Tidak ada komentar:
Posting Komentar