This Indonesian-made local virus is known for disguising itself as the cartoons Doraemon, Sinchan and Tom & Jerry. The virus file uses the Real Media Player icon.
Here’s how to clean the virus:
1. Perform the cleaning in Safe Mode.
2. Terminate the virus processes that are active in memory. Use a Task Manager replacement tool, such as Itty Bitty Process Manager (can be downloaded at http://majorgeeks.com/Itty_Bitty_Process_Manager_d4690.html)
Kill the processes that belong to the following active virus files:
* C:\WINDOWS\Help\explorer.exe
* C:\WINDOWS\system32\300403.exe
* C:\WINDOWS\system32\aparaparsaparyangparipircapar.exe
* C:\WINDOWS\system32\HacKid's.exe
3. Remove the registry strings that were created by the virus. To make this easier, use the following registry script.
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default file-type handlers, the logon shell and the Safe Mode shell
[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
; Explorer folder-view settings (0x00010001 = REG_DWORD)
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden,0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue,0x00010001,0

; Delete the values and keys added by the virus
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, noboe
HKCU, Control Panel\Desktop, SCRNSAVE.EXE
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKLM, SOFTWARE\Classes\.reg\shell
HKLM, SOFTWARE\Classes\.txt\shell
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, NoDispScrSavPage
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig
* Use Notepad to save the script above under the name "repair.inf" (set the Save As Type option to All Files to avoid mistakes).
* Run repair.inf by right-clicking it and selecting Install.
* We recommend that you create the repair.inf file on a clean computer, so that the virus does not become active again.
4. Delete the virus files, which have the following characteristics:
* Icon "Real Player"
* Extension *.exe
* Size 129 kb
Note:
* We recommend that you show hidden files to make it easier to find the virus files.
* To make the search easier, use Windows Search with a filter for *.exe files that have a size of 45 KB.
* Delete the virus files, which usually have the same modified date.
5. For optimal cleaning and to prevent re-infection, use an up-to-date antivirus that can detect and eradicate this virus well.
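To check the result of step 3, the following added example (not part of the original article or of the Vaksincom script) compares the live registry with the values that repair.inf writes and lists any entries from its [del] section that still exist. It assumes Windows PowerShell is available on the machine; the function names Get-RegValue and New-Row are illustrative.

```powershell
# Read-only audit: nothing is written to the registry.
# Expected data mirrors [UnhookRegKey]; the leftover lists mirror [del].
function Get-RegValue([string]$Path, [string]$Name) {
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue($Name)   # '' reads the key's default value
}
function New-Row($Status, $Path, $Name, $Actual) {
    New-Object PSObject -Property @{ Status = $Status; Path = $Path; Name = $Name; Actual = $Actual }
}

$cls = 'HKLM:\SOFTWARE\Classes'
$expected = @(
    foreach ($t in 'batfile', 'comfile', 'exefile', 'piffile', 'scrfile') {
        @{ Path = "$cls\$t\shell\open\command"; Name = ''; Data = '"%1" %*' }
    }
    @{ Path = "$cls\regfile\shell\open\command"; Name = ''; Data = 'regedit.exe "%1"' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Data = 'Explorer.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Data = 'cmd.exe' }
)
$leftovers = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'noboe' }
    @{ Path = 'HKCU:\Control Panel\Desktop'; Name = 'SCRNSAVE.EXE' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'NoDispScrSavPage' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableSR' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'; Name = 'DisableConfig' }
)
$leftoverKeys = "$cls\.reg\shell", "$cls\.txt\shell",
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE'

$report = @(
    foreach ($e in $expected) {
        $actual = Get-RegValue $e.Path $e.Name
        $status = if ($actual -eq $e.Data) { 'ok' } else { 'MISMATCH' }   # -eq ignores case
        New-Row $status $e.Path $e.Name $actual
    }
    foreach ($l in $leftovers) {
        $actual = Get-RegValue $l.Path $l.Name
        if ($null -ne $actual) { New-Row 'REVIEW' $l.Path $l.Name $actual }
    }
    foreach ($k in $leftoverKeys) {
        if (Test-Path -LiteralPath $k) { New-Row 'REVIEW' $k '(key)' $null }
    }
)
$report | Select-Object Status, Path, Name, Actual | Format-Table -AutoSize -Wrap
```

Run it as the affected user, because the HKCU entries are per-user. REVIEW only means the entry exists: SCRNSAVE.EXE, for example, is also present whenever a screen saver is configured, so inspect the data shown before deleting anything.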