Showing posts with label Virus. Show all posts

Friday, July 22, 2011

HOW TO REMOVE VIRUS RAMNIT

Characteristics of the Ramnit virus:
1. The troublesome file WATERMARK.EXE is found in two places, namely C:\Program Files\Microsoft and C:\Program Files\Common Files\Microsoft. The virus also spreads into files named <random name>MGR.exe.
2. This virus infects flash drives very easily. It creates 4 shortcuts, a recycler folder and an autorun.inf file there.
3. Every drive exposed to this virus also gets an autorun.inf.
How the Ramnit virus works:
1. The virus is transmitted through flash drives. Even with autorun turned off, we can still be infected by it.
2. Once it is on our desktop PC or laptop, Ramnit manipulates it without our knowing. The whole system is manipulated by Ramnit. The culprit is watermark.exe.
3. Even after a reinstall the virus will appear again, because this virus has no child files: every copy is a parent. How it works:
- From the flash drive, the virus directly creates the folders C:\Program Files\Microsoft and C:\Program Files\Common Files\Microsoft.
- It makes backup copies of itself in the System Volume Information and Recycle folders of every hard drive.
- After that it infects all the data on the computer, and not half-heartedly. Suppose the user deletes it: for example, my infected file is D:\aaa\aaa.exe (just an example), and I delete the folder aaa.
- We then expect that after a restart the cleanup has worked, and at first it has. But if we install the aaa.exe software from before into D:\aaa\ again, the virus backups in System Volume Information and Recycle on every hard drive wake up and re-infect, and the virus creates another watermark file in C:\Program Files\Microsoft and C:\Program Files\Common Files\Microsoft.
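An added example, not part of the original post: a Python sweep of a suspect volume, mounted on a clean machine, for the file-system traces listed above. The store folder names and the taskmgr.exe exclusion are assumptions, and "review" hits are leads to inspect, not verdicts.

```python
import os
import tempfile

# Folders the post names as holding watermark.exe (compared case-insensitively).
WATERMARK_DIRS = ("program files/microsoft",
                  "program files/common files/microsoft")
# Assumption: usual Windows names for the restore and recycle stores.
STORE_DIRS = ("system volume information", "recycler", "recycled", "$recycle.bin")

def sweep(root):
    """Walk a mounted volume; return sorted (level, reason, relative path)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        low_dir = rel_dir.lower()
        for name in files:
            low = name.lower()
            rel = name if rel_dir == "." else rel_dir + "/" + name
            if low == "watermark.exe" and low_dir in WATERMARK_DIRS:
                findings.append(("strong", "watermark.exe in Microsoft folder", rel))
            elif low == "autorun.inf" and rel_dir == ".":
                findings.append(("review", "autorun.inf at volume root", rel))
            elif low.endswith(".exe") and low_dir.split("/")[0] in STORE_DIRS:
                findings.append(("review", "executable in restore/recycle store", rel))
            elif low.endswith("mgr.exe") and low != "taskmgr.exe":
                # Suffix match only: legitimate programs can share this ending.
                findings.append(("review", "name ends in MGR.exe", rel))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (empty files only) and sweep it."""
    sample = ["Program Files/Microsoft/WaterMark.exe",
              "Program Files/Common Files/Microsoft/watermark.exe",
              "AUTORUN.INF", "RECYCLER/S-1-5-21-0/a.exe", "aaa/aaamgr.exe",
              "WINDOWS/system32/taskmgr.exe", "aaa/readme.txt", "aaa/autorun.inf"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return sweep(root)

if __name__ == "__main__":
    for level, why, rel in demo():
        print(f"{level:7} {why:36} {rel}")
```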
How to clean:
1. This is my mainstay antivirus. Just so you know. Because the others have to be paid for. Hehe http://www.freerav.com/
2. The computer really should be reinstalled, but after that do not install the drivers first. What to do next is step 3.
3. Turn off autorun: open Start > Run (or press Win + R) and type gpedit.msc. Under Computer Configuration, in System, double-click "Turn off Autoplay", select Enabled, choose All drives below it, and do the same under User Configuration.
4. Temporarily turn off access to the System Volume Information and Recycle folders on every hard drive. To do this, click Tools > Folder Options, and on the View tab uncheck "Use simple file sharing" and click OK. Then right-click System Volume Information on drive C:\, click Sharing and Security, and on the Security tab click Advanced and remove the checkmark from the option at the bottom. Click OK. If a warning appears, just click OK, then OK again, and you are done. Do the same for the Recycle folder and on the other drives.
5. Create a folder named Microsoft in two places, namely in C:\Program Files\ and C:\Program Files\Common Files\, and secure both as in step 4.
6. Scan for viruses with your mainstay antivirus. It will find all kinds of viruses, millions of them. On my machine there were 6000 viruses; the .htm files alone accounted for 3000. . tp wrote ^&^*& tetep
7. Delete the corrupted files on your drive, such as tryel.exe.
At this point the computer is secure, as long as you do not copy the same file into a folder with the same name as the infected one. In my case "D:\program files" had been completely infected, so now I install to "D:\programs files\" instead.

Thursday, July 21, 2011

How To Remove Virus Shortcut

The shortcut virus is enough to leave us confused and distracted, so it must be eradicated from our computers.
 
Want to know how? Follow these steps:
 
1. First, turn off System Restore.
2. End the Wscript process, whose file is located in C:\Windows\System32, using a tool such as CProcess or HijackThis, or the Windows Task Manager.
3. Once the Wscript process has been ended, we need to delete or rename the file so that the virus cannot use it for the time being. Note that if we rename Wscript.exe, it will automatically be copied back into the folder. Therefore we must find the other copies of Wscript.exe, usually in C:\Windows\$NtServicePackUninstall$ and C:\Windows\ServicePackFiles\i386.
With other VBS viruses we can change the Open With association of .vbs files to Notepad. This virus is different: it has the MDB extension, which is the Microsoft Access file type. So Wscript will run database.mdb as if it were a .vbs file.
4. Delete the parent file C:\Documents and Settings\ \My Documents\database.mdb so that it is no longer loaded every time the computer starts. Also do not forget to open MSCONFIG and disable the run command.
5. Now we delete the files autorun.inf, Microsoft.inf and Thumb.db. To do this, click the Start button, type CMD, and change to the drive to be cleaned, such as drive C:\. Then:
Type C:\>del Microsoft.inf /s. This command deletes every Microsoft.inf file in all folders on drive C:. To clean another drive, just change the drive letter, for example: D:\>del Microsoft.inf /s.
For the autorun.inf file, type C:\>del autorun.inf /s /ah /f. This command deletes the autorun.inf file; the /ah /f switches are used because the file carries the RSHA attributes. Do the same for the Thumb.db file.
6. To delete the remaining files besides the four above, use Search to find files with the .lnk extension and a size of 1 KB. Under 'More advanced options', make sure 'Search system folders' and 'Search hidden files and folders' are both checked.
Be careful: not every 1 KB shortcut/LNK file is a virus. We can tell them apart by icon, size and type. A shortcut created by the virus always uses the 'folder' icon, has a size of 1 KB and the type 'Shortcut', whereas a real folder has no 'size' and its type is 'File Folder'.
7. Fix the registry entries that the virus has altered. To speed up the repair, copy the script below into Notepad and save it as 'repair.inf'. Run it as follows:
- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\safeboot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\safeboot, AlternateShell,0, "cmd.exe"

[Del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Winupdate
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, explorer
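An added example, not part of the original post: a Python reader for the .lnk header and string fields that applies the icon and size test from step 6 before anything is deleted. The shell32.dll icon indexes treated as "folder" and the check for the Wscript and database.mdb names from steps 2 to 4 are assumptions; both samples are constructed.

```python
import struct

CLSID = bytes.fromhex("0114020000000000c000000000000046")  # shell link class id
STRINGS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
           ("arguments", 0x20), ("icon_location", 0x40))  # StringData order

def parse_lnk(data):
    """Return the icon index and StringData fields of a .lnk file's bytes."""
    if len(data) < 76 or data[:4] != b"\x4c\0\0\0" or data[4:20] != CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 20)
    info = {"icon_index": struct.unpack_from("<i", data, 56)[0]}
    pos = 76
    if flags & 0x01:                      # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                      # skip LinkInfo (size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    width, codec = (2, "utf-16-le") if flags & 0x80 else (1, "cp1252")
    for field, bit in STRINGS:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            end = pos + 2 + count * width
            info[field] = data[pos + 2:end].decode(codec, "replace")
            pos = end
    return info

def is_folder_decoy(data):
    """The post's test: a shortcut of about 1 KB that shows a folder icon."""
    if len(data) > 1024:
        return False
    info = parse_lnk(data)
    icon = info.get("icon_location", "").lower()
    text = " ".join(str(v) for v in info.values()).lower()
    # Assumption: the folder icon is shell32.dll index 3 or 4.
    folder_icon = icon.endswith("shell32.dll") and info["icon_index"] in (3, 4)
    return folder_icon or "wscript" in text or "database.mdb" in text

def make_lnk(icon_index, **strings):
    """Build a minimal constructed .lnk (header + StringData) for the demo."""
    flags, body = 0x80, b""
    for field, bit in STRINGS:
        if field in strings:
            flags |= bit
            raw = strings[field].encode("utf-16-le")
            body += struct.pack("<H", len(raw) // 2) + raw
    head = struct.pack("<I16sI", 0x4C, CLSID, flags).ljust(56, b"\0")
    return head + struct.pack("<i", icon_index).ljust(20, b"\0") + body

DECOY = make_lnk(3, arguments="database.mdb",
                 icon_location=r"%SystemRoot%\system32\SHELL32.dll")
BENIGN = make_lnk(0, relative_path=r".\notes.txt", working_dir=r"C:\docs")
```

A truncated file raises struct.error in parse_lnk; when scanning a drive, catch it and inspect that shortcut by hand.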