
Monday, 21 March 2011

How to Clean the "Sality" Virus

Disconnect the computer from the network and the internet.
Turn off System Restore for as long as the cleaning process runs.
Disable AutoRun and the default shares: save the text below as a *.inf file, right-click it and choose Install.
Code:
    [Version]
    Signature="$Chicago$"
    Provider=Vaksincom

    [DefaultInstall]
    AddReg=UnhookRegKey
    DelReg=del

    ; Restore the default shell\open\command handlers for .bat/.com/.exe/.pif/.reg/.scr
    ; files so that launching a file runs the file itself again. An INF string doubles
    ; an embedded quote, so """%1"" %*" is the registry value "%1" %*.
    [UnhookRegKey]
    HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
    HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
    HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
    ; Put the normal shell back and make Safe Mode with Command Prompt usable again
    HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
    HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
    ; Turn off the administrative default shares (0x00010001 = REG_DWORD)
    HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
    HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareServer,0x00010001,0
    ; Disable AutoRun for every drive type (255 = 0xFF) so media cannot re-infect the host
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
    HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255

    ; Remove the policies that lock the user out of the Registry Editor and Task Manager
    [del]
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
    HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
    HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
    HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr

Close the applications that are active in memory, especially those in the startup list.

Scan with the removal tool, but first rename the tool to a different extension (for example *.exe to *.cmd) or run it from write-protected media, so that the removal tool's file is not re-infected by Sality.

Delete the value from the registry

1. Click Start > Run.

2. Type regedit

3. Click OK. Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.

4. Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"

5. Navigate to and delete the following registry subkeys:
HKEY_CURRENT_USER\Software\[USER NAME]914
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER

6. Restore the following registry entries to their previous values, if required:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"

7. Restore registry entries under the following registry subkeys to their previous values, if required:
HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

8. Exit the Registry Editor.

Insya Allah, the PC will be back to normal.
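As an added example (not part of the original post and not Vaksincom's script), the PowerShell audit below checks, read-only, whether the registry settings the INF above restores and the Sality artifacts listed in steps 4 to 7 are still present, so you can verify the cleanup before reconnecting the machine. It assumes the [USER NAME] in step 5 is the current user's logon name and that the LEGACY_IPFILTERDRIVER key can also exist on a clean host, so hits there are flagged for review rather than treated as proof.

```powershell
# Added example, not part of the original post or Vaksincom's script: read-only audit of
# the settings the INF above restores and the Sality artifacts in steps 4-7. Run elevated.
$cmd = '"%1" %*'   # default handler; the INF writes it as """%1"" %*"
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Want = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Want = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Want = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Want = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Want = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Want = 'regedit.exe "%1"' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Want = 'Explorer.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Want = 'cmd.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareWks'; Want = 0 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'; Name = 'AutoShareServer'; Want = 0 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDriveTypeAutoRun'; Want = 255 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA'; Want = 1 }
)
# Lockout values the INF's [del] section removes; a clean host has none of them.
$mustBeAbsent = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)
# Step 5 subkeys; [USER NAME] assumed = current user. LEGACY_IPFILTERDRIVER can exist on clean XP hosts: review, don't assume.
$suspectKeys = @(
    "HKCU:\Software\$($env:USERNAME)914"
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80'
    'HKLM:\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER'
)
$fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }   # $null if missing
}
$findings = @()
foreach ($c in $expected) {
    $actual = Get-RegValue $c.Path $c.Name
    if ("$actual" -ne "$($c.Want)") { $findings += "MISMATCH $($c.Path)\$($c.Name) = '$actual' (expected '$($c.Want)')" }
}
foreach ($c in $mustBeAbsent) {
    if ($null -ne (Get-RegValue $c.Path $c.Name)) { $findings += "PRESENT  $($c.Path)\$($c.Name) (lockout policy)" }
}
foreach ($k in $suspectKeys) { if (Test-Path $k) { $findings += "PRESENT  $k (step 5 subkey)" } }
# Step 4: the infected file is authorized in the firewall list with the description 'ipsec'.
if (Test-Path $fwList) {
    foreach ($p in (Get-ItemProperty $fwList).PSObject.Properties) {
        if ("$($p.Value)" -match ':\*:Enabled:ipsec$') { $findings += "FIREWALL $($p.Name) -> $($p.Value)" }
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No Sality registry indicators found.' }
```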
