Monday, 16 February 2009

Overcoming Virus Tutorial
Filed under: tips and tricks, tutorials

Pasted from http://www.oprekpc.com/

PART 1: BASIC KNOWLEDGE
1. Alternative Ways of Running a Program

Normally we click a program's icon in the Start menu or on the desktop to run it. But not all programs and utilities are available in the Start menu or on the desktop. Such programs (for example REGEDIT.EXE and CMD.EXE) are usually run through Start > Run. What can we do if the Run item is missing from the Start menu? Here are some 'non-standard' alternatives for running a program:

a. Using Windows Explorer

Run Windows Explorer and locate the program file you want to run in the folder C:\Windows, C:\Windows\System or C:\Windows\System32. Then double-click the program file.

b. Using the Command Prompt (CMD.EXE)

= Click Start > Programs > Accessories > Command Prompt, or run CMD.EXE using method a. above.

= Type the name of the program you want to run and press Enter.

C:\Documents and Settings\mr. orche!>regedit

c. Using a Batch File

= Run Notepad through the Start menu or through Windows Explorer.
= Type the name of the program you want to run, for example "regedit" (without the quotation marks).
= Save the file with the extension .BAT, for example "TES.BAT".
= Run the .BAT file through Windows Explorer (double-click).

d. Using Task Manager (TASKMGR.EXE) (Windows XP)

= Press Ctrl + Alt + Del.
= Click the [New Task...] button on the Applications tab.
= Type the name of the program and press Enter.

e. Using the ACDSee File Browser

= Run ACDSee from the Start menu.
= Find the file you want to run in the file browser window.
= Double-click the program file.

2. Alternative Ways of Performing Registry Operations

If you cannot run regedit, registry operations can still be carried out with one of the following alternatives:

Alternative 1: Using REG

1. Run the Command Prompt (CMD.EXE).

2. To see the list of keys and values, use the command REG QUERY keylocation.
Example:
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

3. Type REG DELETE keyname /V valuename to delete a specific value.

Example:
REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFolderOptions

Note:

= The root name must be abbreviated: HKCR for HKEY_CLASSES_ROOT, HKLM for HKEY_LOCAL_MACHINE, HKCU for HKEY_CURRENT_USER, HKU for HKEY_USERS, and so on.

= If a key name contains a space, enclose the key name in double quotation marks.

= For more on how to use REG, type "REG /?" without the quotes.

Alternative 2: Using a .REG File
1. Run Notepad and type the following, for example:

New format (WinXP):
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

Old format (Win9X/NT):
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000000

2. Save the file with the extension .REG, then double-click the saved .REG file.

Description:

= The first line, "Windows Registry Editor Version 5.00" or "REGEDIT4", is the mandatory header that marks the file as a registry file.

= The second line, "[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]", gives the registry key under which the values listed below it will be stored.

= The third line, "NoFolderOptions"=dword:00000000, gives the name of the value and the data it should hold. In this example it means: set the value named "NoFolderOptions" to 0.

= A .REG file in either the new (WinXP) format or the old (Win9X/NT) format can be used on Windows XP, but on Windows 9X/NT only the old format can be used.

Alternative 3: Using a Startup Disk (Win9x only)
This is the most difficult, and may be the only effective way to restore the registry when the system has already been completely paralyzed.

1. Boot using the Startup Disk
a. Insert the Win95/98 Startup Disk into the floppy drive.
b. Restart (make sure the boot sequence in the BIOS settings is configured to boot from the floppy disk).

2. Go to the directory (folder) C:\Windows
A:\>C:
C:\>CD WINDOWS

3. Export the desired registry key to a .REG file
Command format (the file name comes first, then the key):
REGEDIT /E regfilename keyname

Example:
REGEDIT /E TES.REG HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

If the key contains spaces, use quotation marks:
REGEDIT /E TES.REG "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
3. Restoring the Folder Options Menu in Windows Explorer

Some viruses need to hide their files so that the user (of the computer) does not notice the virus and finds it harder to remove; they do this by giving the files the hidden attribute. Hidden files can still be seen by the user if the option 'Show hidden files and folders' is enabled in Folder Options. Sometimes the menu itself is removed by the virus to make sure the virus files stay invisible. The easiest and most common way for a virus to hide the Folder Options menu is to change a registry setting: it adds the value "NoFolderOptions" with the data 1. To bring the Folder Options menu back, this value must be deleted or its data changed to "0".

= To change the Folder Options settings, click Tools > Folder Options in Windows Explorer.

= The NoFolderOptions value is found in one or both of the following locations in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The value can be removed with the regedit program, or by typing the following commands at the Command Prompt:

REG DELETE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFolderOptions

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFolderOptions
4. Restoring the Run Menu

Delete the value "NoRun" or change its data to 0 using a registry operation (see the example registry operation for restoring the Folder Options menu above). The value "NoRun" is in the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
5. Restoring the Find Menu

Delete the value "NoFind" or change its data to 0 using a registry operation (see the example registry operation for restoring the Folder Options menu above). The value "NoFind" is in the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
6. Re-enabling regedit

Sometimes regedit cannot be started because the virus has disabled it through a registry setting. To restore it, delete the value "DisableRegistryTools" or change its data to 0 using the Command Prompt (for WinXP), or by creating a .REG file (only for Win9x).
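As an added example (not from the original post), a Python script that writes the kind of .REG file described under Alternative 2 for all the values from sections 3 to 6 at once, in either the WinXP or the Win9X/NT format, and parses it back to check the syntax before it is imported. The Policies\System location assumed for DisableRegistryTools is not given in the post, and the "name"=- line (which deletes a value) is standard .REG syntax that the post does not show.

```python
"""Write and check .REG files that reset the Explorer policy values a virus
commonly sets (NoFolderOptions, NoRun, NoFind, DisableRegistryTools).
Added example; only the .REG syntax shown in the tutorial is handled."""
import re

NEW_HEADER = "Windows Registry Editor Version 5.00"   # WinXP format
OLD_HEADER = "REGEDIT4"                              # Win9X/NT format

EXPLORER_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Assumption: DisableRegistryTools lives under Policies\System, not Explorer.
SYSTEM_POLICY = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"

# Values a virus sets to 1; setting them to 0 (or deleting them) restores the menus.
POLICY_VALUES = {
    EXPLORER_POLICY: ["NoFolderOptions", "NoRun", "NoFind"],
    SYSTEM_POLICY: ["DisableRegistryTools"],
}

def build_reg(roots=("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"),
              old_format=False, delete=False):
    """Return the text of a .REG file that resets every policy value under
    each root. delete=True writes "name"=- (remove the value) instead of
    "name"=dword:00000000 (set it to 0)."""
    lines = [OLD_HEADER if old_format else NEW_HEADER, ""]
    for root in roots:
        for subkey, names in POLICY_VALUES.items():
            lines.append(f"[{root}\\{subkey}]")
            for name in names:
                lines.append(f'"{name}"=-' if delete
                             else f'"{name}"=dword:00000000')
            lines.append("")                 # blank line ends each key block
    return "\r\n".join(lines)                # regedit expects CRLF line endings

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|(-))$')

def parse_reg(text):
    """Parse a .REG file into {key: {value_name: int}}; a value mapped to
    None is one to be deleted. Raises ValueError on a bad header or on a
    line whose syntax this parser does not know."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in (NEW_HEADER, OLD_HEADER):
        raise ValueError("first line must be REGEDIT4 or "
                         "'Windows Registry Editor Version 5.00'")
    result, current = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unsupported line: {line!r}")
        name, hexval, minus = m.groups()
        result[current][name] = None if minus else int(hexval, 16)
    return result

if __name__ == "__main__":
    text = build_reg()
    print(text)
    # Version 5.00 files are normally saved as UTF-16, REGEDIT4 files as ANSI.
    print(parse_reg(text))
```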
7. Changing the Hidden Attribute of Files Through the Command Prompt

Hidden files can be made to appear without touching Folder Options, by turning off the hidden attribute on the files themselves. In Windows Explorer the hidden attribute can only be changed if the Folder Options settings allow hidden files to be displayed. The alternative is to change the file attributes through the Command Prompt. To see the list of hidden files via the Command Prompt, use the command "DIR /AH". Then use the ATTRIB command followed by the parameters for the attributes to change. The following example turns off the hidden, read-only and system attributes at once on all files in the current directory:

ATTRIB -R -S -H *.*
8. Searching for Files Through the Command Prompt

a. View the list of files/folders in the current folder:

DIR *.*

b. View the list of files/folders in the current folder, including hidden files/folders:

DIR *.* /A          "A" stands for "ALL"

c. View the list of files (not including folders) in the current folder:

DIR *.* /A-D        "D" stands for "DIRECTORY", "-" means "except"

d. View the list of folders (not including files) in the current folder:

DIR *.* /AD         "D" stands for "DIRECTORY"

e. View the list of hidden files/folders:

DIR *.* /AH         "H" stands for "HIDDEN"

f. View the list of files/folders sorted by name:

DIR *.* /ON         files and folders; "O" means "ORDER BY", "N" means "NAME"
DIR *.* /AD /ON     folders only
DIR *.* /A-D /ON    files only
DIR *.* /A-DH /ON   hidden files only
DIR *.* /ADH /ON    hidden folders only

g. View the list of files/folders sorted by type (extension)

Same as sorting by name, only "/ON" is replaced with "/OE".

h. View the list of files sorted by size

Same as sorting by name, only "/ON" is replaced with "/OS".
For detailed information on using the DIR command, type "DIR /?" and press Enter.
9. Killing Suspicious Processes

A process is a program that runs in the background (a background program); it has no window, because it is not meant to interact with the user. This differs from application programs, which are visible because they have to interact with the user. A virus is usually made so that nothing appears when it runs; it exists only as a process. A running virus file normally cannot be deleted because its process is running. Usually the virus file can only be deleted after the process has been terminated. The list of running applications and processes can be viewed with the Windows Task Manager (TASKMGR.EXE), simply by pressing Ctrl + Alt + Del. Once the Windows Task Manager window appears, we can select the "Applications" tab to view the list of applications, or the "Processes" tab to see the list of processes. The other tabs are "Performance", "Networking" and "Users".
To stop a running application, select its name in the list and click "End Task". To stop a running process, select the name of the process and click "End Process". If the Windows Task Manager cannot be run, we can still view and stop running processes from the Command Prompt: the program "TASKLIST.EXE" shows the list of processes, and the program "TASKKILL.EXE" stops a process.

Example:
TASKLIST
TASKKILL /F /IM Notepad.exe /IM MSPAINT.EXE
TASKKILL /F /PID 1230 /PID 1253 /T

Description:
The parameter "/F" means "FORCE" and causes the process to be stopped forcibly.
The parameter "/IM" means "IMAGE (NAME)": the process to be stopped is the one whose name follows "/IM".
The parameter "/T" means "TREE" and causes all child processes to be terminated as well.
_________________
PART 2: VIRUS ACTIVATION TRIGGERS

A virus program that is merely copied onto a clean computer does not make that computer infected. The virus only becomes active and starts working when the program is executed by the user, for example by double-clicking it in Windows Explorer. So the very first infection of your computer is caused by the user. Once given that opportunity, the virus is free to set up its own schedule as its author intended. By looking at the places from which a virus can be triggered, we can more easily find the virus's nest and hiding places and then catch it.
1. Registry

The registry provides a facility that lets programs start on their own before the Start menu appears. This facility is provided for application programs, but is widely used by viruses. Registry settings can be viewed and manipulated with the default Windows program regedit (Run, regedit). The structure consists of five roots (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG), and each root has many branches called keys. Each key can contain further keys and/or values. Compared with the structure of a file system, a root corresponds to a drive, a key to a folder and a value to a file. Like a folder, a key cannot hold data; it can only hold keys and values. The registry data that affects the behaviour of the system as a whole is held in the values. To get a clearer picture of the registry structure, run regedit. Be careful when running regedit, because one wrong step can paralyze the whole system!

a. The "Run" Key

The "Run" key holds the list of programs that the system will run shortly before the Start menu becomes active. In the registry this key can be found in several places, namely under:
= the key "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
= the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
= several keys under the root "HKEY_USERS"

If one or more users are registered in User Accounts (Control Panel > User Accounts), the root HKEY_USERS will contain several keys holding the settings of each user. Some of those keys also contain the key "Software\Microsoft\Windows\CurrentVersion", which in turn may contain "Run".

b. The "Shell" and "Userinit" Values in the "Winlogon" Key

The values "Shell" and "Userinit" in the "Winlogon" key give a virus the same effect as a value stored in the "Run" key. Normally the data of these two values is:

Shell = "Explorer.exe"
Userinit = "C:\WINDOWS\system32\userinit.exe,"

The "Winlogon" key is under:
= the key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
= the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion"
= several keys under the root "HKEY_USERS"

Apart from the keys and values mentioned above, there may be many other keys/values a virus can use, although they may be less effective, and the author has never encountered them.
If a suspicious value is found, analyse it adequately before deciding to delete it. Do not delete the original!
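As an added example (not from the original post), a Python script that audits the Run and Winlogon values described above from the text output of REG QUERY: it accepts the tab-separated column layout of XP as well as the space-separated layout of later versions, flags a Shell or Userinit value that differs from the defaults quoted above, and lists every Run entry for manual review. The embedded REG QUERY output is constructed; the sempalong.exe entries in it are made up to show what a finding looks like.

```python
"""Audit the Run and Winlogon values from the text output of REG QUERY.
Added example; the sample output below is constructed."""
import re

# Normal data of the two Winlogon values, as quoted in the tutorial.
EXPECTED_WINLOGON = {
    "Shell": "Explorer.exe",
    "Userinit": r"C:\WINDOWS\system32\userinit.exe,",
}

# One value line: indent, name, separator, REG_xxx type, separator, data.
# XP separates the columns with tabs, later versions with four spaces.
VALUE_RE = re.compile(r"^\s+(.+?)(?:\t|\s{2,})(REG_\w+)(?:\t|\s{2,})?(.*)$")

def parse_reg_query(output):
    """Return {key: {value_name: (type, data)}} from REG QUERY output."""
    result, current = {}, None
    for line in output.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                     # blank line or "! REG.EXE VERSION" banner
        if not line[0].isspace():        # key paths are not indented
            current = line.rstrip()
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            result[current][name] = (vtype, data.strip())
    return result

def audit(parsed):
    """Return (severity, key, value_name, data) findings:
    ALERT  - Shell/Userinit differs from the default (e.g. a program appended)
    REVIEW - every Run entry, to be checked by hand before anything is deleted."""
    findings = []
    for key, values in parsed.items():
        lowered = key.lower()
        if lowered.endswith("\\winlogon"):
            for name, expected in EXPECTED_WINLOGON.items():
                if name in values and values[name][1].lower() != expected.lower():
                    findings.append(("ALERT", key, name, values[name][1]))
        elif lowered.endswith("\\currentversion\\run"):
            for name, (_, data) in values.items():
                findings.append(("REVIEW", key, name, data))
    return findings

SAMPLE_OUTPUT = (   # constructed: XP-style output of two REG QUERY commands
    "! REG.EXE VERSION 3.0\n\n"
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Shell\tREG_SZ\tExplorer.exe sempalong.exe\n"
    "    Userinit\tREG_SZ\tC:\\WINDOWS\\system32\\userinit.exe,\n\n"
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ctfmon.exe\tREG_SZ\tC:\\WINDOWS\\system32\\ctfmon.exe\n"
    "    UpdateSvc\tREG_SZ\tC:\\Documents and Settings\\user\\Local Settings\\sempalong.exe\n"
)

if __name__ == "__main__":
    for severity, key, name, data in audit(parse_reg_query(SAMPLE_OUTPUT)):
        print(f"{severity:6} {key}\n       {name} = {data}")
```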

2. Start Menu and Desktop

a. Start > Programs > Startup

The "Startup" folder in the Start menu is provided for programs that Windows should run automatically once the boot process is finished. A virus can take advantage of this folder to trigger itself, by creating a shortcut in it or by placing a duplicate of the virus in it. The first version of the Brontok virus used this folder with a file named "EMPTY.PIF" that looked like a DOS program.

b. Links/Shortcuts

Link or shortcut files (files with the extensions ".LNK" and ".PIF") in the Start menu or on the desktop work as a "shortcut" to a program, to make it easier for the user to run it. Because such files are not really programs, they are generally small, no more than 4KB. A virus can manipulate such a file so that it no longer points at the intended program but is diverted to the virus program. To find out whether a shortcut has been diverted, right-click the shortcut file, click "Properties" and look at the "Target" field.

A shortcut file can also simply be deleted by the virus and replaced with a copy of the virus program carrying the same icon as the original shortcut. Cases like this are rare, but they have happened. When this happens, the size of the 'shortcut' file is generally more than 4KB. But file size alone is no guarantee that a "shortcut" file has or has not been turned into a virus program. To be sure, the contents must be examined with a hex editor. Unfortunately only certain people, mostly those who have studied programming or digital electronics engineering, can make sense of what a hex editor shows. Shortcut files normally carry a small arrow on their icon, except when viewed in the Start menu itself. If we look at the contents of the Start Menu folder with Windows Explorer, every genuine shortcut file (not folder) will have the arrow. If there is no arrow, the file is possibly (not certainly) not a real shortcut.

3. Task Scheduler

Look in Control Panel > Scheduled Tasks for the list of periodic tasks scheduled on the system. A virus sometimes creates a schedule here to run the virus program from a particular location. Delete only the scheduled tasks that are harmful.

4. AUTOEXEC.BAT

On every boot the computer checks the file C:\AUTOEXEC.BAT and runs the commands in it, if there are any. Of course this is an opportunity for application programs and virus programs alike. Check its contents, and delete any command that is harmful or that runs a virus file. If you are not sure of the result, copy the AUTOEXEC.BAT file first, so that if anything unwanted happens it can be restored by overwriting AUTOEXEC.BAT with the copy. To disable one or more commands in AUTOEXEC.BAT, prefix them with the word "REM" (without the quotation marks).

5. Program Takeover

A virus can also take over a program as follows:

a. Rename an application program that the user often uses. For example WINWORD.EXE (Microsoft Word) is renamed to WINWORD1.EXE.

b. Create a duplicate of the virus with the name of the program the user often uses. In this example, a duplicate of the virus is created with the name WINWORD.EXE.

c. When the user intends to run the application (Microsoft Word), the user actually runs the virus program, and the virus program then calls the original application program that was renamed (WINWORD1.EXE).

This strategy was implemented by the d2/Decoil virus, which took over the Winamp program. To investigate, check the programs that the shortcuts in the Start menu or on the desktop point to. Virus programs are generally small, between 30KB and 300KB, while applications are usually relatively large (WINWORD.EXE is larger than 8,000KB, EXCEL.EXE larger than 6,000KB). The creation date of the program can also be used to judge whether a program is original or not, although a file's date can in fact easily be changed.

6. Other Possible Places
a. ?
PART 3: STEPS FOR OVERCOMING A VIRUS

This section does not discuss practical steps for dealing with the particular viruses that are found, because each virus really has its own job, attack strategy, attack level and removal technique (how-to). Through the discussion below, the reader is expected to understand the concepts of how a virus works, so that the same basic strategy can be applied to a variety of viruses. Judging by how viruses work, there are actually many types of virus that do not follow the ways described here, because they work differently. What is covered here is how to overcome the common type of virus that is easily written and widely circulated in Indonesia, penetrating even remote areas with no internet connection. Viruses like this are not difficult to make for a programmer whose ability is slightly above average.

For the type of virus described above, the general steps for dealing with it are as follows:
1. Stop suspicious processes

Most of the processes in the process list belong to the system (Windows) or to programs that we have deliberately run. If we accidentally kill a process that is part of the system, the computer will sometimes shut itself down after a notice and a countdown. Sometimes a virus is easily recognised because its name is odd (for example "sempalong" or "exploration" in the Brontok virus). But a virus often uses a name that at a glance looks familiar, so that the user assumes the process belongs to the operating system, although it only resembles a name used by the system, for example lExplorer (LEXPLORER, not iexplorer, with a capital "I"). In fact many viruses also use a name that exactly matches the name of a process executed by the system, so that we cannot distinguish the virus from the system on the name alone.

The default Windows process names that are commonly present are "SVCHOST.EXE", "SPOOLSV.EXE", "SERVICES.EXE", "WINLOGON.EXE", "LSASS.EXE", "CSRSS.EXE", "EXPLORER", "System" and "System Idle Process". These names are normally always there, even when the computer is not running any program. Sometimes a virus also uses one of these names so that it will not be stopped by the user. Except for "SVCHOST.EXE", the default system names normally appear only once. If, for example, there are two processes named "SERVICES.EXE", one of them may be a process executed by the virus.

If we view the process list from the Command Prompt with the program "TASKLIST.EXE", we can also see the Process ID (PID) of each process. In the Windows Task Manager the PID is not displayed. If there are several processes with the same name and one of them is the virus process, I am more inclined to suspect the one with the larger PID as the virus, on the assumption and logic that PIDs are given uniquely and in sequence, and the virus process is executed after the system processes have started.
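As an added example (not from the original post) serving both section 9 of Part 1 and the step above, a Python script that triages the output of "TASKLIST /FO CSV" (the CSV output format of TASKLIST) for the warning signs just described: a normally unique system process appearing more than once, with the higher PID reported first per the heuristic above, and look-alike names such as lExplorer. The process list is constructed; iexplore.exe (Internet Explorer) is added to the known names as an assumption, and the confusable-character table is a simple heuristic, not proof of anything.

```python
"""Triage a TASKLIST listing for duplicate system processes and look-alike
names. Added example; the listing below is constructed."""
import csv
import io

# Default Windows processes named in the text, normally one instance each,
# except svchost.exe, of which several copies are expected.
SYSTEM_IMAGES = {"svchost.exe", "spoolsv.exe", "services.exe", "winlogon.exe",
                 "lsass.exe", "csrss.exe", "explorer.exe", "system",
                 "system idle process"}
MULTI_ALLOWED = {"svchost.exe"}
# Names worth imitating; iexplore.exe (Internet Explorer) is an assumption.
KNOWN_IMAGES = SYSTEM_IMAGES | {"iexplore.exe"}
# Characters easily confused in Task Manager's font (heuristic).
CONFUSABLES = str.maketrans({"l": "i", "1": "i", "0": "o"})

def parse_tasklist_csv(text):
    """Parse the output of "TASKLIST /FO CSV" into [(image_name, pid), ...]."""
    rows = csv.DictReader(io.StringIO(text))
    return [(row["Image Name"], int(row["PID"])) for row in rows]

def triage(procs):
    """Return (reason, image_name, pid) findings for a process list.
    'duplicate': a normally unique system name seen more than once; the
    reported PID is the largest, which the tutorial suspects first.
    'lookalike': a name that matches a known one once confusable
    characters are folded (lexplore.exe vs iexplore.exe)."""
    findings, by_name = [], {}
    for image, pid in procs:
        by_name.setdefault(image.lower(), []).append(pid)
    known_folded = {k.translate(CONFUSABLES) for k in KNOWN_IMAGES}
    for name, pids in by_name.items():
        if name in SYSTEM_IMAGES and name not in MULTI_ALLOWED and len(pids) > 1:
            findings.append(("duplicate", name, max(pids)))
        if name not in KNOWN_IMAGES and name.translate(CONFUSABLES) in known_folded:
            findings.append(("lookalike", name, pids[0]))
    return findings

SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"System","4","Console","0","236 K"
"csrss.exe","584","Console","0","3,852 K"
"winlogon.exe","608","Console","0","4,120 K"
"services.exe","652","Console","0","3,400 K"
"lsass.exe","664","Console","0","1,224 K"
"svchost.exe","836","Console","0","4,900 K"
"svchost.exe","928","Console","0","22,100 K"
"explorer.exe","1412","Console","0","18,320 K"
"services.exe","1708","Console","0","2,048 K"
"lexplore.exe","1820","Console","0","1,536 K"
"""

if __name__ == "__main__":
    for reason, name, pid in triage(parse_tasklist_csv(SAMPLE_TASKLIST)):
        print(f"{reason:10} {name:24} PID {pid}")
```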
2. Delete or rename the files suspected to be the virus

We can delete a suspicious file located in the system (the default Windows folders) if we are confident that doing so will not cause a more serious problem. If we are not sure, it is better just to change the file's name or extension, for example "Sempalong.exe" to "Sempalonk.exe" or "Sempalong.ex_".

Problems that may arise:

>> The suspicious file cannot be found

A well-designed virus is of course not easy to find, as it may apply one or a combination of the following tricks:
1. The virus files have the hidden attribute

> Change the Folder Options settings so that hidden files are displayed.

> If the search is done with the Search facility, make sure the options "Search system folders", "Search hidden files and folders" and "Search subfolders" under "More advanced options" are enabled (checked).

> If the search is done with the "DIR" command in the Command Prompt, use the parameter "/AH" to show hidden files.

> If necessary, clear the hidden attribute on all files in a folder by typing "ATTRIB -R -H -S *.*" in the Command Prompt.
2. The Folder Options settings are set so that hidden files are not visible (the default Windows setting is not to show hidden files)

> Change the Folder Options settings.
3. The Folder Options menu in Windows Explorer has been removed

> Restore the Folder Options menu.
4. The virus uses a file extension other than ".EXE"

Note that this kind of virus does not always have the extension ".EXE". So we cannot find the virus by searching for "*.EXE" files alone, as other viruses use other extensions that work just as well, such as ".COM" (MS-DOS Application), ".PIF" (Shortcut to MS-DOS Program), ".SCR" (Screen Saver), ".BAT" (MS-DOS Batch File) and ".LNK" (Shortcut).

>> The suspicious file cannot be deleted/renamed

This can happen if the file belongs to a running program. If so, first stop the process that originates from the file. If necessary, use TASKLIST and TASKKILL to kill the suspected process.

>> We are fooled because the files do not look like a virus

Virus files may wear the face of a certain kind of document, a Notepad text file, or even a folder. Remember that every program has its own icon. This means that a programmer has full freedom in choosing the icon of the programs he creates, as freely as the Brontok virus chose the folder icon.

A virus can appear with different names, faces/icons, types, sizes and dates of birth. These four properties of a file can be used to make searching for files easier, but they also make it very easy for a virus to masquerade. The only safe guide is the file extension (for example ".EXE", ".COM" or ".SCR"). A file extension can come with a different file type (for example "Microsoft Word Document", "Text Document", "File Folder"); the type displayed in Windows Explorer can easily be manipulated by a virus, so that files with different extensions can show the same type.
3. Disable the virus's activation triggers

Check the places from which a virus can be activated, and delete or restore what you find there if a harmful manipulation is discovered.
4. Delete duplicate virus files

Once the system (drive C:) is clean of the virus, also look through the data and folders on the other drives. Delete all files believed to be the virus.
5. Restore the system

Restore the registry settings that the virus manipulated to carry out its actions, for example: re-enable regedit, bring back the Folder Options menu, configure Folder Options so that the user can identify the characteristics of files, and so on.