Files created by Nhatguanglan
Virus File Name
~~~~~~~~~~~~
New Folder.exe
  Size: 192/196KB
  Virus file version: 1,1,1,1
  Icon: Folder
SCVHSOT.exe
  Size: 192/196KB
  Attributes: Hidden+System
  Virus file version: 1,1,1,1
  Icon: Folder
scvshosts.exe
  Size: 247/248KB
  Attributes: Hidden+System
  Virus file version: 2,2,2,2
  Icon: Folder
etc.
The names are chosen to pass for the legitimate svchost.exe at a glance (letters transposed or doubled), and the Folder icon makes each .exe look like an ordinary folder on a system that hides known file extensions, so "New Folder.exe" invites a double-click.
Symptoms
~~~~~~~~
You will find these files in your Windows folder, Shared Documents, etc.
Tools > Folder Options is disabled.
Hidden files cannot be shown.
Task Manager is disabled.
Regedit is disabled.
If the computer is on a LAN, it spams chat messages to other users without your knowledge, e.g.:
"http://nhatquanglan.xlphp.net/"
"C:\WINDOWS\hinhem.scr"
Behind the Screen
~~~~~~~~~~~~~~~~~
The following files are created:
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
The worm also copies itself into the Shared Documents folder of other computers on the network, together with an autorun.inf (ABC stands for the remote machine name):
\\ABC\SharedDocs\New Folder.exe
\\ABC\SharedDocs\scvshosts.exe
\\ABC\SharedDocs\autorun.inf
Modifies some files in the "Documents and Settings" folder (Piyush Chandra is the user profile on the analysis machine; these index.dat files are Internet Explorer's cache, cookie and history indexes):
C:\Documents and Settings\Piyush Chandra\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Piyush Chandra\Cookies\index.dat
C:\Documents and Settings\Piyush Chandra\Local Settings\History\History.IE5\index.dat
Modifies the following registry keys and values (paths with no hive prefix are under the current user's hive, HKCU):
\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4c4da22e-f800-11db-8de6-806d6172696f}\BaseClass ,etc.
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger
\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\ ,etc.
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ,etc.
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData
\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ , etc.
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable
Of these, the entries that matter for cleanup are Winlogon\Shell (the worm hooks the logon shell), Run\Yahoo Messengger (autostart; note the misspelling, which is the worm's own) and the three Policies values (which disable Folder Options, Task Manager and Regedit). The Shell Folders, Internet Settings, MountPoints2 and Schedule entries are side effects of the worm using Explorer, Internet Explorer and the AT scheduler and do not need to be restored by hand.
Runs the following commands through cmd.exe (virus version 1,1,1,1 only). The first registers an interactive AT job that starts blastclnnn.exe at 09:00 on every day of the week, a second persistence path independent of the Run and Winlogon entries; the second removes all AT jobs without prompting:
C:\WINDOWS\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\cmd.exe /C AT /delete /yes
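The indicators above can be checked in one pass from a command prompt. The script below is an added triage example, not part of the original writeup and not the worm author's code; it is read-only and changes nothing. It assumes the default Windows XP layout (%SystemRoot% is C:\WINDOWS and %ALLUSERSPROFILE%\Documents is the Shared Documents folder) and that tasklist is available (XP Professional).

```batch
@echo off
rem Added triage script; not part of the original writeup, read-only.
rem Assumptions: default XP layout, %SystemRoot% = C:\WINDOWS and
rem %ALLUSERSPROFILE%\Documents = Shared Documents.

echo === Dropped files (attrib lists them even with Hidden+System set) ===
for %%F in (
    "%SystemRoot%\SCVHSOT.exe"
    "%SystemRoot%\hinhem.scr"
    "%SystemRoot%\system32\SCVHSOT.exe"
    "%SystemRoot%\system32\blastclnnn.exe"
    "%SystemRoot%\system32\autorun.ini"
    "%ALLUSERSPROFILE%\Documents\SCVHSOT.exe"
    "%ALLUSERSPROFILE%\Documents\scvshosts.exe"
    "%ALLUSERSPROFILE%\Documents\New Folder.exe"
    "%ALLUSERSPROFILE%\Documents\autorun.inf"
) do (
    if exist %%F (attrib %%F) else (echo absent  %%~F)
)

echo === Running worm processes ===
for %%P in (SCVHSOT.exe scvshosts.exe blastclnnn.exe) do (
    tasklist /FI "IMAGENAME eq %%P" | find /I "%%P"
)

echo === Logon shell: anything other than explorer.exe is suspect ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell

echo === Autostart value "Yahoo Messengger" (double g, as the worm writes it) ===
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" 2>nul
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" 2>nul

echo === Policy values: 1 means the tool is disabled ===
for %%H in (HKCU HKLM) do (
    reg query "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr 2>nul
    reg query "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools 2>nul
    reg query "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions 2>nul
)

echo === Scheduled AT jobs (version 1,1,1,1 relaunches blastclnnn.exe this way) ===
at
```

Save it as check.cmd and run it from a command prompt; Task Manager and Regedit may be disabled, but tasklist, reg and at still work from cmd.exe, which is why the checks go through them rather than the GUI tools.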
Solution
~~~~~~
Re-enable Regedit, Task Manager, Folder Options and hidden files, then remove the worm's files and autostart entries. The reg add commands below reset both the per-user (HKCU) and machine-wide (HKLM) policy values, since either can be set; the HKLM ones need an administrator account.
Enable Task Manager
——————-
1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
Enable Regedit
————–
1. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
2. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
Folder Option & Hidden Files
—————————-
1. Start> run
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
2. Start> run
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f
3. Start> run
reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 1 /f
4. Start>run
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v CheckedValue /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL /v DefaultValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v CheckedValue /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN /v DefaultValue /t REG_DWORD /d 2 /f
Other steps
——————
Kill the running worm processes (SCVHSOT.exe, scvshosts.exe, blastclnnn.exe) before deleting anything: a running executable cannot be deleted. The files carry the Hidden+System attributes, so clear them (attrib -h -s) first, or del will not touch them.
Delete the files
C:\WINDOWS\SCVHSOT.exe
C:\WINDOWS\hinhem.scr
C:\WINDOWS\system32\SCVHSOT.exe
C:\WINDOWS\system32\blastclnnn.exe
C:\WINDOWS\system32\autorun.ini
C:\Documents and Settings\All Users\Documents\SCVHSOT.exe
Modify some registry values
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (REG_SZ) --> set back to explorer.exe (Winlogon reads this value at logon, so reboot after changing it)
\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger --> delete
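The manual steps above, collected into one cleanup script. This is an added example, not the page's Remover and not code from the worm's author. It assumes the default Windows XP layout (%SystemRoot%, %ALLUSERSPROFILE%\Documents for Shared Documents), an administrator account, and that the "Yahoo Messengger" Run value may live in either hive (the writeup lists it without a hive prefix), so it is deleted from both.

```batch
@echo off
rem Added cleanup script; not the original page's Remover and not the
rem worm author's code. Run as administrator on the infected XP machine,
rem then reboot. Assumptions: default XP paths; the "Yahoo Messengger"
rem Run value is removed from both HKCU and HKLM.

rem 1. Stop the running copies: a running executable cannot be deleted.
for %%P in (SCVHSOT.exe scvshosts.exe blastclnnn.exe hinhem.scr "New Folder.exe") do (
    taskkill /F /IM %%P >nul 2>&1
)

rem 2. Drop the AT job that relaunches blastclnnn.exe (version 1,1,1,1).
at /delete /yes >nul 2>&1

rem 3. Re-enable Task Manager, Regedit and Folder Options in both hives,
rem    and remove the autostart value.
for %%H in (HKCU HKLM) do (
    reg add "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 0 /f >nul
    reg add "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 0 /f >nul
    reg add "%%H\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFolderOptions /t REG_DWORD /d 0 /f >nul
    reg delete "%%H\Software\Microsoft\Windows\CurrentVersion\Run" /v "Yahoo Messengger" /f >nul 2>&1
)

rem 4. Show hidden files again (the same values the writeup sets by hand).
set ADV=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d 1 /f >nul
reg add "%ADV%\Folder\Hidden\SHOWALL" /v CheckedValue /t REG_DWORD /d 1 /f >nul
reg add "%ADV%\Folder\Hidden\SHOWALL" /v DefaultValue /t REG_DWORD /d 2 /f >nul
reg add "%ADV%\Folder\Hidden\NOHIDDEN" /v CheckedValue /t REG_DWORD /d 2 /f >nul
reg add "%ADV%\Folder\Hidden\NOHIDDEN" /v DefaultValue /t REG_DWORD /d 2 /f >nul

rem 5. Put the logon shell back. Winlogon reads this once per logon, so the
rem    change takes effect after the reboot.
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d explorer.exe /f >nul

rem 6. Delete the dropped files. They are Hidden+System, so clear the
rem    attributes first or del will not touch them.
for %%F in (
    "%SystemRoot%\SCVHSOT.exe"
    "%SystemRoot%\hinhem.scr"
    "%SystemRoot%\system32\SCVHSOT.exe"
    "%SystemRoot%\system32\blastclnnn.exe"
    "%SystemRoot%\system32\autorun.ini"
    "%ALLUSERSPROFILE%\Documents\SCVHSOT.exe"
    "%ALLUSERSPROFILE%\Documents\scvshosts.exe"
    "%ALLUSERSPROFILE%\Documents\New Folder.exe"
    "%ALLUSERSPROFILE%\Documents\autorun.inf"
) do (
    if exist %%F (
        attrib -h -s -r %%F
        del /f /q %%F
        echo deleted %%~F
    )
)

echo Done. Reboot now, then query Winlogon\Shell and the Run key again.
echo Copies in other machines' SharedDocs folders must be cleaned on those machines.
```

The order matters: processes first (locked files cannot be deleted), the AT job and registry entries next so nothing relaunches the worm, files last. After the reboot, rerun the registry queries; if Shell or the Run value have come back, a copy is still running somewhere, most likely launched from another machine's Shared Documents.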
Precaution
~~~~~~~~~
Download Remover Nhatguanglan