Lesson Kill Virus

Lesson: Kill Virus and the Basics of Viruses

Understanding the Registry

There are several ways to open regedit:

  1. Start => Run, type regedit.exe => OK
  2. Go to C:\Windows and double-click regedit.exe
  3. Right-click the desktop => New => Shortcut, type regedit.exe => Next => Finish.
    If regedit.exe will not run, you can rename it to regedit.com, change the Group Policy setting for it, or use a script (see the code below):
    Start => Programs => Accessories => Command Prompt, then CD\ Enter => CD windows Enter => ren regedit.exe regedit.com Enter.
    Start => Programs => Accessories => Command Prompt, then CD\ Enter => gpedit.msc Enter => User Configuration => Administrative Templates => System => Prevent access to registry editing tools => tick Enabled => Apply => OK.

Create Registry (VBScript)

Save the following as a .vbs file and run it. Writing 0 to these policy values re-enables the Registry Editor and Task Manager and switches the RestrictRun program list off.

Dim wsh
Set wsh = CreateObject("WScript.Shell")
' 0 = restriction off, 1 = restriction on
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
wsh.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun", 0, "REG_DWORD"
wsh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun", 0, "REG_DWORD"


There are six main branches, each containing a specific portion of the information stored in the Registry. They are as follows:

HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.

HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.

HKEY_LOCAL_MACHINE - This branch contains computer-specific information about the type of hardware, software, and other preferences on a given PC; this information is used for all users who log onto this computer.

HKEY_USERS - This branch contains the individual preferences of each user of the computer; each user is represented by a SID sub-key located under the main branch.

HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.

HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE used by the Plug-and-Play features of Windows.

Each registry value is stored as one of five main data types:

REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.

REG_DWORD - This type represents the data as a four-byte number and is commonly used for Boolean values, such as "0" is disabled and "1" is enabled. Additionally, many parameters for device drivers and services are of this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.

REG_EXPAND_SZ - This type is an expandable data string, that is, a string containing a variable to be replaced when called by an application. For example, the string "%SystemRoot%" in such a value will be replaced by the actual location of the directory containing the Windows NT system files. (This type is only available using an advanced registry editor such as REGEDT32.)

REG_MULTI_SZ - This type is a multiple string used to represent values that contain lists or multiple values; each entry is separated by a NULL character. (This type is only available using an advanced registry editor such as REGEDT32.)

REG_SZ - This type is a standard string, used to represent human-readable text values.

Other data types not available through the standard registry editors include:

REG_DWORD_LITTLE_ENDIAN - A 32-bit number in little-endian format.

REG_DWORD_BIG_ENDIAN - A 32-bit number in big-endian format.

REG_LINK - A Unicode symbolic link. Used internally; applications should not use this type.

REG_NONE - No defined value type.

REG_QWORD - A 64-bit number.

REG_QWORD_LITTLE_ENDIAN - A 64-bit number in little-endian format.

REG_RESOURCE_LIST - A device-driver resource list.
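As an added example (not part of the original post) of how these value types are actually stored, here is a small Python module that encodes and decodes them: REG_DWORD in little- and big-endian byte order, REG_QWORD, REG_MULTI_SZ as NUL-separated UTF-16LE strings ending in a double NUL, and REG_EXPAND_SZ expansion of %VAR% references. The type codes are the Win32 values; the sample inputs are constructed.

```python
import re
import struct

# Numeric type codes as used by the Win32 registry API (RegSetValueEx / RegQueryValueEx).
REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN = 1, 2, 3, 4, 5
REG_MULTI_SZ, REG_QWORD = 7, 11
REG_DWORD_LITTLE_ENDIAN, REG_QWORD_LITTLE_ENDIAN = REG_DWORD, REG_QWORD  # same storage

def encode_dword(value, big_endian=False):
    """REG_DWORD is an unsigned 32-bit number stored least-significant byte first;
    REG_DWORD_BIG_ENDIAN stores the same four bytes in the opposite order."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("REG_DWORD holds an unsigned 32-bit number")
    return struct.pack(">I" if big_endian else "<I", value)

def decode_dword(raw, big_endian=False):
    if len(raw) != 4:
        raise ValueError("REG_DWORD data must be exactly 4 bytes")
    return struct.unpack(">I" if big_endian else "<I", raw)[0]

def encode_qword(value):
    """REG_QWORD: unsigned 64-bit, little-endian (REG_QWORD_LITTLE_ENDIAN is the same thing)."""
    return struct.pack("<Q", value)

def encode_multi_sz(items):
    """REG_MULTI_SZ: UTF-16LE strings, each ended by a NUL character, plus a final NUL
    so the data ends in two NULs. An empty string is refused because Windows would
    read it as the list terminator."""
    if any(s == "" for s in items):
        raise ValueError("REG_MULTI_SZ cannot contain an empty string")
    return ("".join(s + "\0" for s in items) + "\0").encode("utf-16-le")

def decode_multi_sz(raw):
    """Split on NUL; tolerates data that was written without the final double NUL."""
    return [s for s in raw.decode("utf-16-le").split("\0") if s]

def expand_sz(template, env):
    """REG_EXPAND_SZ keeps %VAR% references; the reader expands them from the environment
    (what ExpandEnvironmentStrings does). Names are case-insensitive; unknown ones stay."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), template)

def dword_is_enabled(raw):
    """The common Boolean convention: a REG_DWORD of 0 means disabled, anything else enabled."""
    return decode_dword(raw) != 0
```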

Registry examples

Each line below gives a value path, the data and the type in the form that wsh.RegWrite expects. Writing 0 to a policy value turns that restriction off; the RestrictRun block at the end writes 1 and a numbered list of allowed programs, which turns the program whitelist on.

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogoff", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\LockTaskbar", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMSHelp", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettingsPage", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDispBackgroundPage", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAddPrinter", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDeletePrinter", 0, "REG_DWORD"
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRestrictRuns", 0, "REG_DWORD"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll\CheckedValue", 1, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\CheckedValue", 0, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue", 1, "REG_DWORD"

"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun", 1, "REG_DWORD"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\1", "Regedit.exe", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\2", "BrokenHearts.exe", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\15", "WINWORD.EXE", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\14", "EXCEL.EXE", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\10", "MSACCESS.EXE", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\11", "POWERPNT.EXE", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\12", "MSPUB.EXE", "REG_SZ"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun\16", "Photoshop.exe", "REG_SZ"

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner", "Broken Hearts", "REG_SZ"

Code:

Dim wsh
Set wsh = CreateObject("WScript.Shell")
' Run taskkill in a hidden window (window style 0); /F forces termination, /IM selects the process by image name
wsh.Run "taskkill /F /IM Explorer.exe", 0
wsh.Run "taskkill /F /IM Diller-hearted.exe", 0

Broken Hearts: How to Kill a Virus Yourself

In general, a virus is killed by following three principles. Here they are:

First: look at the running processes and end the virus process.

Second: go into regedit and delete the keys or values that the virus wrote to the registry.

Third: find the virus files on the other drives in Windows.

To see the Windows processes

Press Ctrl+Alt+Del to run Task Manager, or use the single-file tool "Processxp.exe", or use MS-DOS commands as follows.

Click Start > Run and type cmd or command, or go to Start > Programs > Accessories > Command Prompt.

C:\>tasklist (lists the running processes)

C:\>taskkill /f /im (ends a program or application; /im takes the image name, /f forces it)

Example: C:\>taskkill /f /im wmplayer.exe /im notepad.exe

Safe Mode

Turn on or restart your computer, press F8 and choose Safe Mode with Command Prompt. Safe Mode skips the normal startup services, so a virus cannot start or run while Windows is in Safe Mode.

How to recognise a virus folder

If the item that looks like a folder shows the type Application, it is a virus (an executable with a folder icon).

If it shows the type File Folder, it is an ordinary folder.

If you are still not sure, open the item's Properties > Version > Original File Name. If the original file name differs from the folder name, it is a virus (exception: for word.exe the original file name is blank).

Play boy virus (1)

  1. Kill the process
  2. Programs > Run > regedit.exe
  3. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (delete the values in Run)
  4. Search *.exe

End

"Oh la la" name virus (2)

It just makes your computer slower than before.

  1. Kill the processes SVIQ.EXE, FUN.EXE, DC.EXE
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (delete the values in Run)
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (delete tMel from the data of Load and Run)
  4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (change the value Shell to explorer.exe)
  5. Search *.exe

End

My finny virus (3)

We cannot open Task Manager to end the process, and cannot show hidden files in Windows:

  1. It is easiest to kill in Safe Mode; choose Safe Mode with Command Prompt.
  2. Press Ctrl+Alt+Delete, then click File > New Task and type regedit.exe
  3. HKEY_CURRENT_USER\Software\Policies\Microsoft\System (delete the key System, or DisableCMD)
  4. HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\CurrentVersion\Windows (delete the value data in Load)
  5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies (delete all keys except NonEnum, Ratings and System)
  6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (delete Winsys)
  7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (change the Shell value from tMel to explorer.exe)
  8. Close regedit, click File > New Task and type explorer.exe
  9. Search *.exe *.com *.vbs
  10. Delete New Story.reg and the Recycle Bin

End

Phnom Penh Virus (4)

When Windows opens it shows a doll picture. It hides regedit, Search, Folder Options and Control Panel.

  1. Kill the process "Window.exe"
  2. On drive C:\, open the Windows folder and double-click regedit.exe
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (delete all except NoDriveTypeAutoRun)
  4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Run (delete the values in the key Run)
  5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (change the value Shell to explorer.exe)
  6. Search *.exe
  7. Also delete the picture in C:\Windows (wallpaper.BMP)

End

BBU.exe Virus (5)

It hides regedit, Task Manager and Run, and makes your computer slower than before. Its file name is IT_student_BBU@yahoo.com.exe

  1. Kill the process Accounting.exe
  2. Create a new shortcut to gpedit.msc, or write a script in Notepad to open regedit, or use a program to open regedit
  3. In gpedit.msc > Administrative Templates > System > Prevent access to registry editing tools: tick Enabled > Apply, then tick Not Configured or Disabled > Apply again.
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (delete NoFind, NoFolderOptions, NoRun)
  5. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (delete "the king of ghost")
  6. Search *.exe

End

Word.exe or Leana virus (6)

It hides Office documents (Word, Excel, ...); we cannot show hidden files or go into regedit. If you show hidden files or open regedit, your computer restarts immediately. In particular, we cannot open Safe Mode either.

  1. Kill the process Services.exe (the one with the Word icon)
  2. Go to the Windows folder and rename regedit.exe to regedit.com. Alternatively, Run > command.com and type:
    C:\>cd windows
    C:\Windows>ren regedit.exe regedit.com
  3. HKEY_CLASSES_ROOT\exefile\shell\open\command (change the value back to the default, which is "%1" %*)
  4. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (change the value Shell to explorer.exe)
  5. HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot (change the value AlternateShell to cmd.exe)
  6. HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot (change the value AlternateShell to cmd.exe)
  7. Search *.exe

End

AutoRun.exe Virus (7)

  1. Kill the process svchost.exe (our own svchost has a service; the virus's svchost has none). The virus runs three processes, named after the computer name, the user name, and svchost.
  2. Go to the Windows folder and double-click regedit.exe
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (delete Run)
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (delete the values in Run)
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (delete the value data in Load and Run)
  6. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (change the value Shell to explorer.exe and delete System)
  7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (delete Run)
  8. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (delete the value whose name is your computer name)
  9. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (delete the value data in System and change the value data of Userinit to C:\Windows\System32\userinit.exe)
  10. HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot (change the value AlternateShell to cmd.exe)
  11. HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot (change the value AlternateShell to cmd.exe)
  12. Search *.exe *.com *.pif *.bat *.cmd

Master virus (8)

It is similar to Autorun.

Kill the process and go to regedit:

  1. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced\Folder (delete the key Folder)
  2. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run (delete Run)
  3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (delete Run)
  4. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows (delete the value data in Load and Run)
  5. HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (delete Shell and System)
  6. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (delete Run or Explorer)
  7. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (delete the values in Run)
  8. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (delete System and change Userinit to C:\Windows\System32\userinit.exe)
  9. HKEY_LOCAL_MACHINE\System\ControlSet001\Control\SafeBoot (change the value AlternateShell to cmd.exe)
  10. HKEY_LOCAL_MACHINE\System\ControlSet002\Control\SafeBoot (change the value AlternateShell to cmd.exe)
  11. Search *.exe *.com *.pif *.dll *.bat *.cmd

Global.exe Virus (9)

It closes all the applications we usually use.

  1. Kill the processes system.exe, Globle.exe, svchose.exe
  2. Run regedit.exe; kill the processes again if they come back
  3. HKEY_CLASSES_ROOT\exefile, comfile, piffile, batfile (delete NeverShowExt)
  4. HKEY_CLASSES_ROOT\regfile\shell\open\command (change it to regedit.exe "%1")
  5. HKEY_CLASSES_ROOT\MSCfile\shell\open\command (change it to %SystemRoot%\system32\mmc.exe "%1" %*, or copy it from the Run As entry that sits under command)
  6. HKEY_CURRENT_USER\Control Panel\Desktop (change SCRNSAVE.EXE to C:\Windows\system32\logon.scr)
  7. HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System (delete the key System)
  8. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (delete all except NoDriveTypeAutoRun)
  9. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce (delete the value data of Default in RunOnce)
  10. HKEY_LOCAL_MACHINE\Software\Policies\Windows\System (delete the key System)
  11. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden (double-click the value name and add the missing "d" so that it reads "ShowSuperHidden")
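The removal procedures above keep returning to the same handful of registry locations: the Winlogon Shell and Userinit values, the SafeBoot AlternateShell, the exefile open command, and the HKCU lockdown policies. As an added, defender-side example that is not part of the original post, here is a Python script that audits an exported registry file (the text `reg export` writes) for exactly those indicators, so the check can be run offline on a copy instead of by hand in regedit. The parser decodes only string and dword values; the clean-state table, the sample export and the system.exe path in it are constructed.

```python
import re

# Clean data for the values the removal steps above keep restoring (compared case-insensitively; the trailing comma Windows puts on Userinit is ignored because the steps above omit it).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED = {
    (WINLOGON, "Shell"): "explorer.exe",
    (WINLOGON, "Userinit"): r"C:\Windows\System32\userinit.exe",
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (r"HKEY_CLASSES_ROOT\exefile\shell\open\command", "@"): '"%1" %*',
}
# DWORD lockdown policies that are 0 or absent on an unrestricted machine.
HKCU_POL = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
LOCKDOWN = [(HKCU_POL + r"\System", n) for n in ("DisableRegistryTools", "DisableTaskMgr", "DisableCMD")]
LOCKDOWN += [(HKCU_POL + r"\Explorer", n) for n in ("NoFolderOptions", "NoRun", "RestrictRun")]

def parse_reg_export(text):
    """Minimal 'reg export' parser: [key] headers and "name"=data lines; decodes "string" and dword:, skips other types."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or key is None:
            continue  # file header, blank line, or a value outside any key
        name, data = ("@" if m.group(1) == "@" else m.group(2)), m.group(3)
        if data.startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            values[(key, name)] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return values

def audit(values):
    """Report values that differ from the clean state and lockdown policies that are switched on."""
    norm = {(k.lower(), n.lower()): v for (k, n), v in values.items()}
    findings = []
    for (key, name), want in EXPECTED.items():
        got = norm.get((key.lower(), name.lower()))
        if got is not None and str(got).lower().rstrip(",") != want.lower().rstrip(","):
            findings.append(f"{key}\\{name} = {got!r} (expected {want!r})")
    for key, name in LOCKDOWN:
        got = norm.get((key.lower(), name.lower()))
        if isinstance(got, int) and got != 0:
            findings.append(f"{key}\\{name} = {got} (lockdown policy enabled)")
    return findings

# Constructed sample export: two lockdown policies on, and a second program appended to Winlogon Shell.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system.exe"
'''
```

Running audit(parse_reg_export(SAMPLE_EXPORT)) reports the altered Shell value and the two enabled policies; on a real machine, feed it the output of `reg export` for the keys listed.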

For more, contact us:

Email : chanleangheng@gmail.com
