Sunday, 9 August 2009

Virus killing Guide

1. Preparation
Before we go after the virus, let's first get together the things we will need later on.
Among them:
* An anti-virus
* Tools such as CurrProcess, a portable Registry Workshop, a portable cmd, and so on
* Windows PE or a portable Windows
* A cup of sweet tea
Anti-virus
An anti-virus (up to date, of course) is what we need for killing viruses. Whichever one
you happen to have, I'm sure you will need it...
Now, the question is: which anti-virus is the best? Whether or not an anti-virus is any
good can be judged by:
1. How many viruses it knows, and how quickly it comes to recognise a new one.
To make what I mean clearer, here is an example case.
Say a virus named "batosai" appears today. After the virus appears, which anti-virus is the
first to detect it, and how long does it take to do so? A good anti-virus detects the virus
as soon as possible, because the sooner an anti-virus can detect the virus, the sooner the
spread of the virus is contained.
One anti-virus worth having is PCMAV, which is quite good at killing local Indonesian
viruses. Others include Norton, AVG, Avira, BitDefender, Kaspersky, McAfee and so on.
As for the anti-virus, we simply pick one of them.
2. Tools
No less important are the tools. A good number of the viruses spreading in Indonesia go so
far as to kill the anti-virus process, so that the anti-virus can do nothing at all >_<.
This is where we need other tools to stop the virus's activity. These tools are also useful
when the Registry Editor and the Windows command prompt have been disabled by the virus.
3. Windows PE or a portable Windows
These two are very useful once we can no longer remove the virus from inside the normal
Windows. Their advantage is that they cannot be infected by the virus, because they run on
their own, independently of the installed system. Windows PE and the portable Windows also
already ship with tools and an anti-virus. One note: this Windows PE was built around 2005,
so its anti-virus database is of no use. There are other tools on it that are just as
important, though, such as a registry editor that can open the hives of the installed OS,
so even from Windows PE we can still poke around in the registry of the installed Windows.
4. A cup of tea to keep us company. After running into one headache after another, a cup
of tea may bring a dazed mind back to its senses. ^_^
2. Steps for dealing with common viruses
1. Stop the suspicious processes
Most of the processes running on Windows belong to the Windows system itself, such as
svchost.exe, services.exe, lsass.exe and so on. Besides the system processes there are a
few program processes, such as Winamp.exe, firefox.exe, etc. But not infrequently there is
also a virus among them. The virus process is the root of the problem, because this process
may damage the system, or even cripple it. It is what makes us cranky: it makes the computer
slow, spreads and duplicates itself, and can even make a lot of data disappear.
Not infrequently we kill the wrong process, because the virus process is mistaken for a
system process (or the other way round). When that happens the computer will most likely
restart itself, or perhaps nothing happens at all. To avoid this we have to be careful, and
we need a little knowledge of Windows: which processes are system processes, which are
programs, and which are the virus. Here are a few tricks for telling whether a process is a
virus or not:
a. A virus process usually has an odd, unfamiliar name, such as kspool.exe for the kspools
virus, runner.exe for bhatosai, or explorasi for the brontok virus.
b. A virus process may instead use the same name as a system process, such as svchost.exe
for the bird flu virus, or lsass.exe for the brontok virus.
c. A virus process often has a strange icon, such as the sawtooth icon of the kspool virus,
the folder icon of the bhatosai virus, or the Microsoft Word icon of the bird flu virus.
The question, then, is how to tell a virus process from a system process when the two share
the same name. The answer is that we need to know where the process is running from, which
we can see with software such as CurrProcess. When a process has the same name as a system
process, the virus usually does not put itself in C:\WINDOWS\system32, whereas the system
processes all run from C:\WINDOWS\system32 (explorer.exe is the one exception: it lives in
C:\WINDOWS itself). For example, the bird flu virus runs from C:\Recycled, and the bathosai
virus from C:\WINDOWS\system\dll.
Once we know all the virus processes, the next step is to kill them all at the same time.
If we do not kill them together, the other virus process (the one we did not kill) will
start the one we just killed all over again (this is true for a number of viruses). Killing
the virus processes can be done in several ways:
a. With software such as CurrProcess.
b. With the command prompt: the tasklist command shows the running processes, and the
taskkill command kills a process. For example, to kill processes by image name:
taskkill /F /IM notepad.exe /IM xxx.exe, or by PID: taskkill /F /PID 3214 (/F forces the
process to end). The PID is shown in the column to the right of the image name in the
tasklist output.
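As an added example (not code from the original post), the following PowerShell script does the triage described above in one pass: it lists every process together with the file it runs from, flags processes that carry a system name but run from outside System32, or that run from folders such as the Recycle Bin, and then kills all flagged processes in a single call, the way the text recommends. The lists of system names and suspicious folders are assumptions to be adjusted per case; it needs PowerShell 3 or later, an elevated session, and you remove -WhatIf once you have reviewed the table.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell 3+ session.
$systemRoot = $env:SystemRoot                       # e.g. C:\WINDOWS
$system32   = Join-Path $systemRoot 'System32'

# Names that on a clean system run only from System32 (example set; extend per case)
$system32Only = 'svchost.exe', 'services.exe', 'lsass.exe', 'csrss.exe',
                'winlogon.exe', 'smss.exe', 'spoolsv.exe'

# Folders a legitimate system binary never runs from (example set; the bird flu virus
# in the text used C:\Recycled)
$badDirs = '\Recycled\', '\Recycler\', '\Temp\', '\Documents and Settings\', '\Users\'

function Get-SuspiciousProcess {
    foreach ($p in Get-CimInstance Win32_Process) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }                # System, Idle and protected processes have no path
        $dir  = Split-Path $path -Parent
        $name = $p.Name
        $why  = $null
        if ($system32Only -contains $name -and $dir -ne $system32) {
            $why = "system name running from $dir"
        } elseif ($name -eq 'explorer.exe' -and $dir -ne $systemRoot) {
            $why = "explorer.exe running from $dir"
        } else {
            foreach ($d in $badDirs) {
                if ($path -like "*$d*") { $why = "executable lives under $d"; break }
            }
        }
        if ($why) {
            [pscustomobject]@{ ProcessId = $p.ProcessId; Name = $name; Path = $path; Reason = $why }
        }
    }
}

$flagged = @(Get-SuspiciousProcess)
$flagged | Format-Table -AutoSize

# Kill every flagged process in one call, so no surviving copy can restart its sibling.
# Equivalent to: taskkill /F /PID <id> /PID <id> ...   Remove -WhatIf once the list is reviewed.
if ($flagged.Count -gt 0) {
    Stop-Process -Id $flagged.ProcessId -Force -WhatIf
}
```

Review the table before removing -WhatIf: a process with an empty path is skipped, so a virus that hides its image path will not show up here and still has to be found with a tool such as CurrProcess.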
2. Disable whatever triggers the virus
A virus that has merely been copied onto a clean computer will not infect it. The virus
only becomes active when its file is executed, either manually by the user or through a
program that runs it automatically. Once the virus is active, its program arranges things
so that the virus runs automatically from then on. These are the openings through which
the virus gets triggered. The openings are:
a. Registry
The registry provides a facility that lets programs start on their own before the Start
menu appears. The facility is meant for application programs, but it is widely used by
viruses. The registry can be viewed and changed with the Regedit program that comes with
Windows (Run, regedit). Its structure consists of five roots (HKEY_CLASSES_ROOT,
HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG). Each root has
many branches called keys, and each key can contain further keys and/or values. Compared
with a file system, a root is like a drive, a key like a folder and a value like a file.
Like a folder, a key holds no data itself; it can only hold keys and values. The registry
data that affects how the whole system behaves is stored in the values. To get a clearer
picture of the registry structure, run regedit, but be careful with it, because a wrong
step can bring the whole system down!
The "Run" key
The "Run" key holds the list of programs the system runs shortly before the Start menu
becomes active. This key appears in several places in the registry, namely:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
If one or more users are registered in User Accounts (Control Panel > User Accounts), the
HKEY_USERS root holds several keys with the settings of each user. Some of those keys also
contain the key "Software\Microsoft\Windows\CurrentVersion", which in turn may contain
"Run".
The "Shell" and "Userinit" values in the "Winlogon" key
The "Shell" and "Userinit" values of the "Winlogon" key give a virus the same effect as a
value stored in the "Run" key. Normally the data of these two values is:
Shell = "Explorer.exe"
Userinit = "C:\WINDOWS\system32\userinit.exe,"
The trailing comma in Userinit is normal; a virus typically appends its own path after that
comma, or replaces Explorer.exe in Shell with its own file, so compare the whole string and
not just its beginning.
The "Winlogon" key is found in:
* HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
* some of the keys under "HKEY_USERS"
Besides the keys and values mentioned above, there may well be many other keys and values a
virus can use, although they would be less effective, and this author has never come across
one.
If a suspicious value is found, analyse it properly before deciding to delete it. And
remember: do not delete the original entries!
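As an added example (not code from the original post), this PowerShell script walks every location named above: the Run keys under HKCU, HKLM and each loaded hive under HKEY_USERS, plus the Winlogon Shell and Userinit values, which it compares against the normal data given in the text. The RunOnce key is included as one more well-known autostart location; the expected Winlogon strings are derived from %SystemRoot%, which is an assumption that your system uses the standard layout. It needs PowerShell 3 or later and an elevated session.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell 3+ session.
# Hives under HKEY_USERS are only present for users who are logged on (or whose hive is loaded).
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
$winlogonKey = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# The normal data the text gives for the two Winlogon values (compared case-insensitively)
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

# Expose HKEY_USERS as a drive so every loaded user hive can be walked as well
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$hives = @('HKCU:', 'HKLM:') +
         @(Get-ChildItem HKU:\ -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })

function Get-AutostartEntry {
    foreach ($hive in $hives) {
        foreach ($rel in $runKeys) {
            $key = "$hive\$rel"
            if (-not (Test-Path $key)) { continue }
            $k = Get-Item $key
            foreach ($name in $k.GetValueNames()) {
                [pscustomobject]@{ Location = "$key\$name"; Data = $k.GetValue($name); Note = 'Run entry' }
            }
        }
        $key = "$hive\$winlogonKey"
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item $key
        foreach ($name in 'Shell', 'Userinit') {
            $data = $k.GetValue($name)
            if ($null -eq $data) { continue }       # value absent: nothing to compare
            $note = if ($hive -ne 'HKLM:') { 'Winlogon value in a user hive (unusual)' }
                    elseif ($data -eq $expected[$name]) { 'Winlogon, as expected' }
                    else { 'Winlogon MODIFIED' }
            [pscustomobject]@{ Location = "$key\$name"; Data = $data; Note = $note }
        }
    }
}

Get-AutostartEntry | Format-Table -AutoSize -Wrap
```

Every Run entry is listed rather than judged, because legitimate software lives there too; read the Data column and apply the same path test as for processes (a command pointing into C:\Recycled or a Temp folder is the thing to look at). The Winlogon rows are the only ones the script marks itself, since their normal content is fixed.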
b. Start Menu and Desktop
Start > Programs > Startup
The "Startup" folder in the Start menu is provided to hold programs that Windows runs
automatically once it has finished booting. A virus can use this folder to trigger itself
by creating a shortcut in it, or by placing a copy of the virus in it. Early versions of the
Brontok virus used this folder by creating a file named "EMPTY.PIF", a DOS program
shortcut.
c. Links / Shortcuts
Link or shortcut files (files with the extension ".LNK" or ".PIF") in the Start menu or on
the desktop act as a "shortcut" to a program file, so that the user can run the program
easily. Because such a file is not really the program, it is generally small, no more than
4KB. The file can be manipulated so that it no longer points at the program it should, but
is diverted to the virus program. To find out whether a shortcut has been diverted or not,
right-click the shortcut file, click "Properties", and look at the "Target" field.
A shortcut file can also simply be deleted by the virus and replaced with the virus itself,
wearing the icon of the original shortcut. Cases like this are rare, but they have
happened. When this happens, the 'shortcut' file is generally more than 4KB. The size of
the "shortcut" file alone, however, is no guarantee that it has been turned into a virus
program; to check, its contents must be viewed with a hex editor. Unfortunately only
certain people, mostly those who have learned programming or digital electronics, can make
sense of a hex editor. Shortcut files normally carry a small arrow on their icon, except
when viewed in the Start menu itself. If we open the Start menu folder in Windows Explorer,
every genuine shortcut file (not the folders) will show the arrow. If there is no arrow,
the "shortcut" is possibly (not certainly) not a real shortcut.
d. Task Scheduler
Open Control Panel > Scheduled Tasks to see the list of tasks scheduled to run
periodically on the system. The virus sometimes adds a schedule here to run its program
from a particular location. Delete only the scheduled tasks that are harmful.
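As an added example (not code from the original post), this PowerShell snippet lists every scheduled task with the command it runs, and then keeps only the tasks whose command lives outside the Windows and Program Files folders, which is where a virus launched "from a particular location" would show up. It relies on schtasks.exe, which exists on XP and later; the CSV column names are those of an English Windows (a localized Windows names them differently), and the trusted-folder list is an assumption to adjust per machine. PowerShell 3 or later is assumed.

```powershell
# Added example, not from the original post. Uses the built-in schtasks.exe; column names
# ("Task To Run", "Run As User") are those of English Windows. PowerShell 3+ assumed.
function Get-TaskCommand {
    schtasks /query /v /fo CSV |
        ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |   # /v repeats the header per folder
        ForEach-Object {
            # Expand %SystemRoot%-style variables and strip quotes so the folder check works
            $raw = $_.'Task To Run'
            $cmd = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw).Trim('"') } else { '' }
            [pscustomobject]@{
                Task    = $_.TaskName
                RunAs   = $_.'Run As User'
                Status  = $_.Status
                Command = $cmd
            }
        }
}

# Commands under these folders are the normal case; everything else is reported
$trusted = "$env:SystemRoot\*", "$env:ProgramFiles\*"

Get-TaskCommand |
    Where-Object {
        $c = $_.Command
        $c -and $c -ne 'N/A' -and -not ($trusted | Where-Object { $c -like $_ })
    } |
    Format-Table -AutoSize -Wrap
```

A task that runs from a user profile, a Temp folder or a removable drive is not automatically a virus, but it is exactly the kind of entry the text says to look at before deleting anything; remove it with schtasks /delete /tn "<task name>" only once you have confirmed the target.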
e. AUTOEXEC.BAT
At every boot the computer checks the file C:\AUTOEXEC.BAT and runs the commands in it, if
there are any. Naturally this opportunity is used not only by application programs but also
by virus programs. (This applies to Windows 9x; NT-based Windows such as XP only parses the
file for environment settings, so this opening matters far less there.) Check the contents
and remove the harmful commands, or those that point at the virus. If you are unsure of the
consequences, copy AUTOEXEC.BAT first, so that if anything unwanted happens it can be
restored by overwriting AUTOEXEC.BAT with the copy. To disable one or more commands in
AUTOEXEC.BAT, put the word "REM" (without the quotes) in front of them.
f. Taking over a program
A virus can also take over a program as follows:
* Rename an application program the user runs often. For example WINWORD.EXE (Microsoft
Word) is renamed to WINWORD1.EXE.
* Create a copy of the virus with the name of that program; in this example, a copy of the
virus named WINWORD.EXE.
* When the user means to run the application (Microsoft Word), what actually runs is the
virus program; the virus program then calls the renamed original application
(WINWORD1.EXE).
This strategy was used by the d2/Decoil leaf virus, which took over the Winamp program. To
check, look at the programs whose shortcuts are in the Start menu or on the desktop. Virus
programs are generally small, between 30KB and 300KB, whereas applications are usually
fairly large (WINWORD.EXE is larger than 8,000KB, EXCEL.EXE larger than 6,000KB). The date
the program was created can also be used to judge whether a program is genuine or not,
even though a file's date can easily be changed.
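As an added example (not code from the original post), this PowerShell script ties sections b, c and f together: it walks the Startup, Start menu and Desktop folders, resolves each .LNK through the WScript.Shell COM object (the same "Target" field the Properties dialog shows), applies the 4KB rule to shortcut files, and inspects each target program with the size heuristic from the text plus three checks the text does not mention: version information, Authenticode signature, and a renamed look-alike such as WINWORD1.EXE sitting next to WINWORD.EXE. The 300KB threshold and the folder list are assumptions; .PIF files are reported by size only, because CreateShortcut reads .lnk and .url files. PowerShell 3 or later is assumed.

```powershell
# Added example, not from the original post. Needs only built-in PowerShell and the
# WScript.Shell COM object; run it as the user whose Start menu and Desktop you are checking.
$shell = New-Object -ComObject WScript.Shell

# Folders the text names: Startup, Start menu programs and Desktop (per-user and all-users)
$folders = 'Startup', 'AllUsersStartup', 'Programs', 'AllUsersPrograms',
           'Desktop', 'AllUsersDesktop' |
    ForEach-Object { $shell.SpecialFolders.Item($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Test-ProgramFile {
    # Size heuristic from the text, plus version info, signature and look-alike checks
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $f) { return 'target missing' }
    $notes = @()
    if ($f.Length -lt 300KB) { $notes += "small ($([int]($f.Length / 1KB)) KB)" }   # assumed threshold
    if (-not $f.VersionInfo.CompanyName) { $notes += 'no version info' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $notes += "signature $($sig.Status)" }
    # WINWORD.EXE next to WINWORD1.EXE is the takeover pattern described in section f
    $lookAlike = Get-ChildItem -LiteralPath $f.DirectoryName -Filter "$($f.BaseName)*.exe" |
                 Where-Object { $_.FullName -ne $f.FullName }
    if ($lookAlike) {
        $notes += "look-alike beside it: $(($lookAlike | ForEach-Object { $_.Name }) -join ', ')"
    }
    if ($notes) { $notes -join '; ' } else { 'looks like a real program' }
}

function Get-ShortcutReport {
    foreach ($folder in $folders) {
        $files = Get-ChildItem -LiteralPath $folder -Recurse -Force -ErrorAction SilentlyContinue |
                 Where-Object { -not $_.PSIsContainer -and ('.lnk', '.pif', '.exe' -contains $_.Extension) }
        foreach ($file in $files) {
            $target = $null
            if ($file.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($file.FullName).TargetPath   # the "Target" field
            }
            $check = if ($target -and $target -like '*.exe') {
                         Test-ProgramFile $target
                     } elseif ($file.Extension -eq '.exe') {
                         'executable sitting in a shortcut folder'
                     } elseif ($file.Length -gt 4KB) {
                         'over 4 KB for a shortcut: open it in a hex editor'
                     } else { '' }
            [pscustomobject]@{
                File   = $file.FullName
                SizeKB = [math]::Round($file.Length / 1KB, 1)
                Target = $target
                Check  = $check
            }
        }
    }
}

Get-ShortcutReport | Where-Object { $_.Check } | Format-Table -AutoSize -Wrap
```

Drop the final Where-Object to see every shortcut, including the ones that passed. A signature status other than Valid is not proof of a virus (plenty of older software is unsigned), but a small, unsigned target with no company name and a renamed sibling next to it is the takeover pattern the text describes.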
g. Other openings
....???
3. Remove the duplicate virus files
Once the system (drive C:) is clean of the virus, also search the data folders and the
other drives. Delete every file believed to be a virus. Removing the duplicate files can be
done manually or by scanning with an anti-virus. Bear in mind that when we scan with an
anti-virus while a virus process is still running, the scan result is poorer than when we
scan the computer after all the virus processes have been killed.
4. Restore the system
Restore the registry settings the virus manipulated for its own ends, for example:
re-enable regedit, bring back the Folder Options menu, and restore the Folder Options
configuration that lets the user recognise a file's characteristics (hidden files, file
extensions), and so on.
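As an added example (not code from the original post), this PowerShell function restores the settings listed above. The registry values it touches are the standard Windows policy and Explorer settings behind "regedit has been disabled", "Folder Options is missing", "Task Manager / cmd has been disabled" and "hidden files do not show": the DisableRegistryTools, DisableTaskMgr, DisableCMD and NoFolderOptions policy values (removed, since they should not exist), the Hidden, HideFileExt and ShowSuperHidden Explorer values, and the HKLM SHOWALL CheckedValue that some viruses alter so that the "Show hidden files" option stops working. By default it only reports; -Apply makes the changes. It assumes PowerShell 3 or later and an elevated session.

```powershell
# Added example, not from the original post. Run elevated; Data = $null means the value
# must not exist at all. Without -Apply the function only reports what it would change.
$fixes = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Data = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Data = $null }
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Data = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Data = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';               Data = 1 }  # 1 = show hidden files
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';          Data = 0 }  # 0 = show extensions
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Data = 1 }  # 1 = show protected OS files
    # Some viruses change this one so the "Show hidden files" radio button no longer works
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Data = 1 }
)

function Restore-ExplorerSetting {
    param([switch]$Apply)
    foreach ($f in $fixes) {
        $current = $null
        if (Test-Path $f.Path) {
            $current = (Get-ItemProperty -Path $f.Path -Name $f.Name -ErrorAction SilentlyContinue).($f.Name)
        }
        $action = if ($null -eq $f.Data) { if ($null -ne $current) { 'delete' } else { 'ok' } }
                  elseif ($current -ne $f.Data) { "set to $($f.Data)" }
                  else { 'ok' }
        if ($Apply -and $action -ne 'ok') {
            if ($null -eq $f.Data) {
                Remove-ItemProperty -Path $f.Path -Name $f.Name
            } else {
                if (-not (Test-Path $f.Path)) { New-Item -Path $f.Path -Force | Out-Null }
                Set-ItemProperty -Path $f.Path -Name $f.Name -Value $f.Data -Type DWord
            }
        }
        [pscustomobject]@{ Value = "$($f.Path)\$($f.Name)"; Current = $current; Action = $action }
    }
}

Restore-ExplorerSetting | Format-Table -AutoSize            # report only
# Restore-ExplorerSetting -Apply | Format-Table -AutoSize   # apply the changes
```

Log off and on again (or restart explorer.exe) after applying, because Explorer reads the Advanced values when it starts. Run the report a second time after the reboot: if a value has flipped back, a virus process or autostart entry from the earlier steps is still alive.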
