Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • Brontokremoval

    Загружено:

    Krijesnica
    18 просмотров3 страницы
    Symptoms no able to launch TaskManager, as it will auto close (Not disabled by administrator) Symptoms Unable to run setup / install any application / run setup bcoz it will autoclose your browser. IMPORTANT : PLEASE USE "SHIFT+DELETE" to remove all the files used by this virus.

    Исходное описание:

    Оригинальное название

    brontokremoval

    Авторское право

    © Attribution Non-Commercial (BY-NC)

    Доступные форматы

    RTF, PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    Symptoms no able to launch TaskManager, as it will auto close (Not disabled by administrator) Symptoms Unable to run setup / install any application / run setup bcoz it will autoclose your browser. IMPORTANT : PLEASE USE "SHIFT+DELETE" to remove all the files used by this virus.

    Авторское право:

    Attribution Non-Commercial (BY-NC)
    Скачайте в формате RTF, PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    18 просмотров3 страницы

    Brontokremoval

    Загружено:

    Krijesnica
    Symptoms no able to launch TaskManager, as it will auto close (Not disabled by administrator) Symptoms Unable to run setup / install any application / run setup bcoz it will autoclose your browser. IMPORTANT : PLEASE USE "SHIFT+DELETE" to remove all the files used by this virus.

    Авторское право:

    Attribution Non-Commercial (BY-NC)
    Скачайте в формате RTF, PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 3

    Symptom

    No able to launch TaskManager, as it will auto close (Not Disabled by administrator)


    No able to launch Regedit.exe as disabled by administrator
    You'll found a txt file at C:\Baca Bro !!!.txt
    Unable to install any application/run setup bcoz it will auto close

    P/S : You dun have to think you could google Antivirus or similar keyword on your
    browser, bcoz it will auto close your browser.

    1st We need to get alternative 3rd party Task manager, i recommend Starter
    http://www.snapfiles.com/opinions/Starter/Starter.html

    2nd Replace your Task Manager with Process Explorer, which have more details
    compare with taskmgr.exe
    http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

    3rd Enable to view SUPER HIDDEN FOLDER, Please download this regtick
    http://www.snapfiles.com/get/regtick.html

    4th Disable system restore, by follow these steps


    - Right Click "My Computer" select System Restore tab and check the small box "Turn
    Off System Restore"

    Lets Start....

    Run Starter, kill these processes currently running, KILL THESE PROCESSES IF RUNS
    UNDER "YOUR USERNAME" NOT THE "SYSTEM". If you accidently kill any process
    under System, no worry.. Either your pc auto restart or just u need to reboot your pc.

    j<random>.exe
    o<random>.exe
    b<random>.exe
    csrss.exe
    lsass.exe
    services.exe
    smss.exe
    sv<random>.exe
    winlogon.exe

    Done, now you should able to run your task manager. Please user Process Explorer.
    Double check any of these process listed above still running. If yes, please kill it.
    Completed then now we'll remove the physical files used by this virus. Please access
    to these locationd and remove all the files

    IMPORTANT : PLEASE USE "SHIFT+DELETE"

    <User>\Local Settings\Application Data\dv<random>\yesbron.com


    <User>\Local Settings\Application Data\jalak<random>.com
    <Windows>\_default<random>.pif
    <Windows>\j<random>.exe
    <Windows>\o<random>.exe
    <Windows>\sa<random>\ib<random>.exe
    <System>\c<random>.com
    <System>\n<random>\b<random>.exe
    <System>\n<random>\csrss.exe
    <System>\n<random>\lsass.exe
    <System>\n<random>\services.exe
    <System>\n<random>\smss.exe
    <System>\n<random>\sv<random>.exe
    <System>\n<random>\winlogon.exe
    <Windows>\Tasks\At1.job
    <Windows>\Tasks\At2.job
    <System>\n5817\c.bron.tok.txt
    C:\Baca Bro !!!.txt <----- If your window installed on C drive, if D it would be D:\Baca
    Bro !!!.txt and so on.

    Once done, proceed to remove registry

    Use regtick to enable your regedit.exe, done proceed to remove the registry entry

    The following registry entries are created to run yesbron.com, _default<random>.pif,


    j<random>.exe and sv<random>.exe on startup:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run
    <random characters>
    <User>\Local Settings\Application Data\dv<random>\yesbron.com

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run
    <random characters>
    <Windows>\_default<random>.pif

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    <random characters>
    <System>\n<random>\sv<random>.exe

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    <random characters>
    <Windows>\j<random>.exe

    The following registry entries are changed to run j<random>.exe and


    o<random>.exe on startup:

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell
    Explorer.exe "<Windows>\o<random>.exe"

    (the default value for this registry entry is "Explorer.exe" which causes the Microsoft
    file <Windows>\Explorer.exe to be run on startup).

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    <System>\userinit.exe,<Windows>\j<random>.exe

    (the default value for this registry entry is "<Windows>\System32\userinit.exe,").

    The following registry entry is set, disabling the registry editor (regedit):

    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools
    1
    Registry entries are set as follows:

    HKCU\Software\Brontok
    Message
    Look @ "C:\Baca Bro !!!.txt"

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden
    0

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    HideFileExt
    1

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden
    0

    Registry entries are created under:


    HKCU\Software\Brontok\

    Вам также может понравиться