How to Remove the W32.Korron.A Virus

{ Posted on Feb 19 2008 by khepri }
Categories : Miscellaneous

1. Temporarily Disable System Restore (Windows Me/XP).
2. Update the virus definitions.
3. Reboot the computer in Safe Mode.
4. Run a full system scan and clean/delete all infected file(s).

5. Download and run the Symantec tool to reset the registry.

6. Delete/Modify any values added to the registry.
Navigate to and delete the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"LoggonAdministrator" = "%SystemDrive%\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sysmontrng" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICE.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"r0nk0r" = "C:\WINDOWS\r0nk0r.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"MSMSGS" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"ServiceAdministrator" = "C:\Documents and Settings\Administrator\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\docfile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\xlsfile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"LimitSystemRestoreCheckpointing" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"DisableMSI" = "1"
HKEY_CURRENT_USER\Control Panel\Desktop\"SCRNSAVE.EXE" = "C:\WINDOWS\system32\MRHELL~1.SCR"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableConfig" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"DisableSR" = "1"

Restore the following registry entries to their original values, if required:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\IExplorer.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe "C:\WINDOWS\system32\IExplorer.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\"(default)" = "File Folder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command\"(default)" = ""C:\WINDOWS\system32\shell.exe" "%1" %*"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\"Auto" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\"Debugger" = ""C:\WINDOWS\system32\Shell.exe""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\"AlternateShell" = "C:\WINDOWS\r0nk0r.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\"AlternateShell" = "C:\WINDOWS\r0nk0r.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"Hidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"ShowSuperHidden" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\"NoFolderOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableCMD" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\"NoFolderOptions" = "1"

7. Exit registry editor and restart the computer.

Copied and pasted from precisesecurity.com
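
As an added example (not part of the original post or of the write-up it was copied from), the read-only PowerShell script below checks the registry locations listed in step 6 and reports any value that still points at the file names the post gives, or any listed policy switch still set to 1. It assumes the HKLM: and HKCU: drives of a standard PowerShell session; the helper name Get-RegValues is hypothetical, and the Explorer\Advanced display settings, AeDebug "Auto" and the exefile "File Folder" label are not covered.

```powershell
# Added example: read-only audit of the registry locations the post lists.
# It changes nothing. File names in $pattern are the ones given in the post.
$pattern = 'system32\\shell\.exe|r0nk0r\.exe|system32\\IExplorer\.exe|MRHELL~1\.SCR|' +
           'Application Data\\WINDOWS\\(WINLOGON|SERVICES?)\.EXE'

# Keys where any value pointing at one of those files is a finding.
$pathKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
    'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot'
    'HKCU:\Control Panel\Desktop'
)
$pathKeys += 'lnkfile','docfile','xlsfile','batfile','comfile','exefile','piffile' |
    ForEach-Object { "HKLM:\SOFTWARE\Classes\$_\shell\open\command" }

# Policy switches the post lists; a value of 1 is a finding.
$policyValues = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' = 'DisableMSI','LimitSystemRestoreCheckpointing'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' = 'DisableConfig','DisableSR'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoFolderOptions'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer' = 'NoFolderOptions'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = 'DisableCMD'
}

# Hypothetical helper: name/value pairs of one key, without provider metadata.
function Get-RegValues([string]$Key) {
    $meta = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'
    $item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($item) { $item.PSObject.Properties | Where-Object { $meta -notcontains $_.Name } }
}

$findings = @()
foreach ($key in $pathKeys) {
    foreach ($v in Get-RegValues $key) {
        if ("$($v.Value)" -match $pattern) {
            $findings += '{0} -> "{1}" = {2}' -f $key, $v.Name, "$($v.Value)"
        }
    }
}
foreach ($key in $policyValues.Keys) {
    foreach ($v in Get-RegValues $key) {
        if ($policyValues[$key] -contains $v.Name -and "$($v.Value)" -eq '1') {
            $findings += '{0} -> "{1}" = {2}' -f $key, $v.Name, "$($v.Value)"
        }
    }
}
if ($findings) { $findings } else { 'None of the listed registry values were found.' }
```

Running it before and after steps 5 and 6 shows which entries the cleanup actually removed or reset.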


5 Responses to “How to Remove the W32.Korron.A Virus”

  1. Why do people like making these viruses, anyway? They harm so many people.
    They clearly have nothing better to do…!
    :p

  2. Boss, in my opinion registry-related write-ups like this would be better split out into a .txt file, boss, or exported as a .reg, because I tried this just now, I mistyped something, and it ended up with an error, hehehe

    Cool stuff, boss,

  3. Thanks for the suggestion, boss.

  4. Wow.. manual virus removal, huh ??, as for Okta, I just use antivir :)

  5. I use antivirus :) :) :)
