Saturday, September 10, 2011

The Ramnit Virus and How to Deal with It


The most visible characteristics of the Ramnit virus are:

1. A Watermark.exe file located in C:\Program Files\Microsoft. The virus also spreads as copies with random names (<randomname>.exe).

2. It infects flash drives, creating four shortcuts, a RECYCLER folder and an autorun.inf file.

3. Every drive it reaches gets an autorun.inf.



Tools and materials:

1. Unlocker (or alternatively FileASSASSIN), used to force-delete locked files.
2. SmadAV and an updated antivirus (Kaspersky, Norman or Dr.Web).

How to find it

Open Folder Options > View and set:
Show hidden files and folders (tick this)
Hide extensions for known file types (untick; if a question appears, click Yes/OK)
Hide protected operating system files (untick; if a question appears, click Yes/OK)

Turn off AutoRun: open Start > Run (or press Windows+R), type gpedit.msc, go to Computer Configuration > Administrative Templates > System, double-click "Turn off Autoplay", set it to Enabled and select "All drives" below. Do the same under User Configuration. (On Windows 7 the setting is under both Computer Configuration and User Configuration: Administrative Templates > Windows Components > AutoPlay Policies > double-click "Turn off Autoplay" and set it to Enabled.)

Block access to the System Volume Information and RECYCLER folders on every hard drive. Right-click System Volume Information on drive C, choose Sharing and Security, open the Security tab, click Advanced and untick the checkbox below. Click OK; if a warning appears, just click OK again. Do the same for RECYCLER and on the other drives.

Find the parent virus file with Windows+F (Search): select the drive to search, enter "watermark" (without the quotes) as the search term and, under Advanced, tick "search hidden files and folders". The Watermark file will be found. (On Windows 7, just type "watermark" without the quotes.)

In Windows XP, open C:\Program Files\Microsoft\, right-click the Watermark file and select Unlocker.

Besides that folder there are 6 more locations, but the first one to delete is C:\Program Files\Microsoft\Watermark.exe, because the virus starts from there. Watermark files are also found at:
C:\Program Files\Common Files\Microsoft\Watermark.exe
C:\Documents and Settings\%UsernamePC%\Microsoft\Watermark.exe
C:\Documents and Settings\%UsernamePC%\Application Data\Microsoft\Watermark.exe
C:\WINDOWS\system32\Microsoft\Watermark.exe
C:\WINDOWS\Microsoft\Watermark.exe
C:\windows\temp\microsoft\Watermark.exe

Delete every Watermark.exe file with Unlocker or FileASSASSIN (force delete).

After deleting them, create a file named Microsoft (without any extension) in each of the 7 locations, so the virus cannot re-create its Watermark in those places. Also delete dmlconf.dat and create a dmlconf.dat file (a text document) in C:\WINDOWS\system32. Set all of these files to read-only.

Then open regedit from Run.

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Right-click Userinit, select Modify and replace c:\program files\microsoft\watermark.exe with C:\Windows\system32\userinit.exe, (keep the trailing comma: the value must end with .exe followed by a comma).
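As an added illustration (not from the original post), here is the Userinit check above expressed in code: the function parses the comma-separated value, drops any entry that points at Watermark.exe and restores the legitimate userinit.exe with its trailing comma. It only computes the corrected string; writing it back is still done in regedit as described.

```python
import ntpath

# Registry key the post points at; Userinit is a value on this key.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The value the post says Userinit must hold, trailing comma included.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"


def _basename(entry):
    """Lower-cased file name of one Userinit entry, quotes and spaces stripped."""
    return ntpath.basename(entry.strip().strip('"')).lower()


def sanitize_userinit(value):
    """Return a cleaned Userinit value: Watermark.exe entries removed, the
    legitimate userinit.exe present, and the trailing comma restored."""
    entries = [e for e in (part.strip() for part in value.split(",")) if e]
    kept = [e for e in entries if _basename(e) != "watermark.exe"]
    if not any(_basename(e) == "userinit.exe" for e in kept):
        kept.insert(0, CLEAN_USERINIT.rstrip(","))
    return ",".join(kept) + ","


def needs_fix(value):
    """True when the current value differs from its sanitized form."""
    return value != sanitize_userinit(value)


if __name__ == "__main__":
    # Constructed sample of a hijacked value, as the post describes it.
    hijacked = r"C:\program files\microsoft\watermark.exe"
    print(WINLOGON_KEY)
    print("Userinit:", hijacked, "->", sanitize_userinit(hijacked))
```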

To finish, install an updated antivirus and scan the computer, and use SmadAV to scan and repair the registry (repair all).

A few extra notes:

1. Ramnit does not infect files larger than 1 MB.

2. Reinstalling Windows before the virus is completely cleaned is not a solution, because the virus will come back.

3. Use Kaspersky or Norman antivirus; Kaspersky is recommended because it has a disinfection feature.

4. Scan the flash disk with SmadAV to find the autorun.inf folder, which contains folders named con, aux and nul.

5. Always back up important data to CD/DVD, because we cannot predict what virus comes next.

6. Quick way to clean: scan the computer with an updated Kaspersky. Once it is done, some programs may no longer run, and then it is time to reinstall. :D

How Ramnit spreads:

Spread via USB stick:

* Copy of Shortcut to (1).lnk
* Copy of Shortcut to (2).lnk
* Copy of Shortcut to (3).lnk
* Copy of Shortcut to (4).lnk

The files are named:

* \RECYCLER\*\*.CPL
* \RECYCLER\*\*.EXE

Randomly named:

Some samples we found in the RECYCLER folder:


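An added example, not part of the original post: a small Python scanner that checks a drive root for the indicators described in this section (autorun.inf, the four "Copy of Shortcut to (N).lnk" files, and eight-letter .cpl/.exe payloads inside RECYCLER), run here against a constructed sample directory rather than a real flash drive.

```python
import os
import re
import tempfile
from collections import Counter

# Indicators the post lists for an infected flash drive: autorun.inf, four
# "Copy of Shortcut to (N).lnk" files, and .cpl/.exe payloads with random
# eight-letter names inside the RECYCLER folder.
SHORTCUT_RE = re.compile(r"^copy of shortcut to \([1-4]\)\.lnk$", re.IGNORECASE)
PAYLOAD_RE = re.compile(r"^[A-Za-z]{8}\.(cpl|exe)$", re.IGNORECASE)


def scan_drive(root):
    """Return (indicator, path) pairs found under a drive root."""
    hits = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            hits.append(("autorun.inf", path))
        elif SHORTCUT_RE.match(name):
            hits.append(("shortcut", path))
        elif name.upper() == "RECYCLER" and os.path.isdir(path):
            # Payloads sit one level down: \RECYCLER\<subfolder>\XXXXXXXX.cpl
            for dirpath, _, files in os.walk(path):
                for f in sorted(files):
                    if PAYLOAD_RE.match(f):
                        hits.append(("recycler-payload", os.path.join(dirpath, f)))
    return hits


def build_sample_drive():
    """Constructed sample: lay out the post's indicators in a temp directory."""
    root = tempfile.mkdtemp(prefix="ramnit-demo-")
    open(os.path.join(root, "autorun.inf"), "w").close()
    for n in range(1, 5):
        open(os.path.join(root, f"Copy of Shortcut to ({n}).lnk"), "w").close()
    payload_dir = os.path.join(root, "RECYCLER", "S-1-5-21-demo")  # made-up subfolder
    os.makedirs(payload_dir)
    for f in ("AHjwMBNo.cpl", "aNDaUKNA.exe", "desktop.ini"):  # two names from the post, one benign
        open(os.path.join(payload_dir, f), "w").close()
    open(os.path.join(root, "report.docx"), "w").close()  # benign file, must not be flagged
    return root


def run_demo():
    """Scan the constructed drive and return a count per indicator type."""
    return dict(Counter(kind for kind, _ in scan_drive(build_sample_drive())))
```

Calling run_demo() on the sample returns {'autorun.inf': 1, 'shortcut': 4, 'recycler-payload': 2}; point scan_drive() at a real drive root (a mounted flash drive) to check an actual stick.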
Here are the aliases of this virus/malware:

* Win-Trojan/Starter.3584.F (AhnLab)
* Trojan.Win32.Starter.yy (Kaspersky)
* W32/Runner.NZ (Norman)
* Trojan.Ramnit!IQNQL6zS3w0 (VirusBuster)
* TR/Starter.Y (Avira)
* Win32/Ramnit.H (CA)
* Trojan.Starter.1591 (Dr.Web)
* Win32/Ramnit.F (ESET)
* Trojan.Win32.Ramnit (Ikarus)
* W32/Ramnit.a (McAfee)
* Trj/Starter.G (Panda)
* TROJ_STARTER.SM (Trend Micro)

For Windows 7 users: the virus does not create Watermark.exe.

Copyright 2011 @ MORE ADVANCED!