Turn off System Restore for the duration of the cleaning process.
Code:
[Version]
Signature="$Chicago$"
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the file-type handlers, logon shell, Safe Mode shell, admin shares and AutoRun policy
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareWks,0x00010001,0
HKLM, SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, AutoShareServer,0x00010001,0
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoDriveTypeAutoRun,0x000000ff,255

; Remove the policy values that lock the user out of Registry Editor and Task Manager
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
Terminate the application programs active in memory, especially those in the startup list.
Scan with the removal tool, but first rename the removal tool's extension to another one (for example, *.exe to *.cmd) or run it from write-protected media, so that the removal tool file itself is not re-infected by Sality.
Delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
4. Navigate to and delete the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"[INFECTED FILE]" = "[INFECTED FILE]:*:Enabled:ipsec"
5. Navigate to and delete the following registry subkeys:
* HKEY_CURRENT_USER\Software\[USER NAME]914
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WMI_MFC_TPSHOKER_80
* HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_IPFILTERDRIVER
6. Restore the following registry entries to their previous values, if required:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"GlobalUserOffline" = "0"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\"EnableLUA" = "0"
7. Restore registry entries under the following registry subkeys to their previous values, if required:
* HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
8. Exit the Registry Editor.
God willing, the PC can return to normal.
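To confirm that the cleanup actually took, the following read-only PowerShell script (added here; it is not part of the original post or of Vaksincom's INF) compares the registry values the INF above restores against their clean Windows defaults and lists any Windows Firewall exception registered under the "ipsec" name from step 4. The function name Test-SalityRegistryState is an assumption of this example, and the script must run from an elevated prompt to read the HKLM keys.

```powershell
# Added verification script, not from the original post or Vaksincom's INF.
# Read-only: reports which values the INF restores still differ from the clean
# defaults, and which firewall exceptions carry the "ipsec" name used in step 4.
$cmd = '"%1" %*'
$checks = @(
    # File-type handlers restored by the INF's [UnhookRegKey] section.
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Expected = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Expected = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Expected = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Expected = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Expected = $cmd }
    @{ Path = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Expected = 'regedit.exe "%1"' }
    # Logon shell and Safe Mode shell.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Expected = 'explorer.exe' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Expected = 'cmd.exe' }
    # Lockout policies deleted by the INF's [del] section: must be absent or 0.
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expected = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Expected = $null }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Expected = $null }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Expected = $null }
)

function Test-SalityRegistryState {
    foreach ($c in $checks) {
        $props  = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $actual = if ($props) { $props.($c.Name) } else { $null }
        # A $null expectation means "value absent or zero" (the policy lockouts).
        $ok = $false
        if ($null -eq $c.Expected) { $ok = ($null -eq $actual) -or ($actual -eq 0) }
        elseif ("$actual" -eq $c.Expected) { $ok = $true }   # string -eq is case-insensitive
        [pscustomobject]@{
            Status   = if ($ok) { 'OK' } else { 'MISMATCH' }
            Key      = $c.Path
            Name     = $c.Name
            Actual   = $actual
            Expected = $c.Expected
        }
    }
    # Firewall exceptions registered under the "ipsec" name (step 4 of the removal).
    $fwList = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $fw = Get-ItemProperty -Path $fwList -ErrorAction SilentlyContinue
    if ($fw) {
        $fw.PSObject.Properties | Where-Object { "$($_.Value)" -like '*:*:Enabled:ipsec' } | ForEach-Object {
            [pscustomobject]@{ Status = 'SUSPECT'; Key = $fwList; Name = $_.Name; Actual = $_.Value; Expected = '(absent)' }
        }
    }
}

Test-SalityRegistryState | Format-Table -AutoSize
```

Any MISMATCH row means the INF did not apply (or the value was rewritten again, which points to a still-active infected process), and any SUSPECT row is an exception from step 4 that still needs to be removed.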