Cleaning the Boot.exe Virus

Tricks for cleaning the Boot.exe virus by hand, without an antivirus.

Files it drops and registers as services:

- C:\Windows\linkinfo.dll
- C:\Windows\System32\drivers\LsDrv118.sys
- C:\Windows\system32\drivers\nvmini.sys
- C:\Windows\System32\drivers\cdralw.sys
- C:\Windows\System32\drivers\riodrvs.sys
- C:\Windows\System32\drivers\DKIs6.sys

In the registry:

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%file%]
  "DisplayName" = "NVIDIA Compatible Windows Miniport Driver"
  "ImagePath" = "%system%\drivers\%file%.sys"

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%file%]
  "NextInstance" = 1

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%file%\0000]
  "Service" = "%file%"
  "Legacy" = 1
  "ConfigFlags" = 0
  "Class" = "LegacyDriver"
  "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
  "DeviceDesc" = "%file%"

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%file%\0000\Control]
  "NewlyCreated" = 0
  "ActiveService" = "%file%"

- [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%file%]
  "DisplayName" = "RioDrvs Usb Driver"

- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%file%]
  "DisplayName" = "RioDrvs Usb Driver"

NOTE: %file% is one of the following names:
- Nvmini
- Cdralw
- RioDrvs



Locations the virus does not infect:

- \LOCAL SETTINGS\TEMP
- \QQ
- \Windows
- \Winnt


Files that may have been infected by the virus:

- launcher.exe
- repair.exe
- wow.exe
- wooolcfg.exe
- woool.exe
- ztconfig.exe
- patchupdate.exe
- trojankiller.exe
- xy2player.exe
- flyff.exe
- xy2.exe
- au_unins_web.exe
- cabal.exe
- cabalmain9x.exe
- cabalmain.exe
- meteor.exe
- patcher.exe
- mjonline.exe
- config.exe
- zuonline.exe
- userpic.exe
- main.exe
- dk2.exe
- autoupdate.exe
- dbfsupdate.exe
- asktao.exe
- sealspeed.exe
- xlqy2.exe
- game.exe
- wb-service.exe
- nbt-dragonraja2006.exe
- dragonraja.exe
- mhclient-connect.exe
- hs.exe
- mts.exe
- gc.exe
- zfs.exe
- neuz.exe
- maplestory.exe
- nsstarter.exe
- nmcosrv.exe
- ca.exe
- nmservice.exe
- kartrider.exe
- audition.exe
- zhengtu.exe



Virus cleaning procedure:

- Disconnect the network connection.
- Turn off "System Restore".
- Restart and log on in Safe Mode.
- Stop the virus service in "services.msc":
  - Click Start > Run.
  - Type "services.msc" and click OK.
  - Look for a service named "NVIDIA Compatible Windows Miniport Driver" or "RioDrvs Usb Driver".
  - Click Action > Properties.
  - Click "Stop".
  - Under "Startup type" select "Manual".
  - Click "OK".
- Kernel-mode driver services are not listed by services.msc. If neither display name appears there, stop and disable the service by its short name (nvmini, cdralw or RioDrvs) with sc.exe from a command prompt instead.
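The same check-and-stop step from a command prompt, as an added example that is not part of the original post. It uses sc.exe, which unlike services.msc also shows and controls kernel-driver services, and reg.exe to check for the matching LEGACY_* enum key described above. The three service names come from the note above; run it from cmd.exe as an administrator, preferably in Safe Mode:

```batch
@echo off
REM Added example, not from the original post: find, stop and disable the
REM virus's driver services with sc.exe instead of services.msc.
REM sc.exe also handles kernel-driver services, which services.msc does
REM not list. Run from an elevated cmd.exe, preferably in Safe Mode.
setlocal

for %%S in (nvmini cdralw RioDrvs) do (
    echo === %%S ===
    sc query %%S >nul 2>&1
    if errorlevel 1 (
        echo   service not installed
    ) else (
        REM show what it calls itself and which .sys it points at
        sc qc %%S | findstr /I /C:"TYPE" /C:"DISPLAY_NAME" /C:"BINARY_PATH_NAME"
        REM a driver that refuses to unload answers with error 1052 here;
        REM disabling it still keeps it from loading at the next boot
        sc stop %%S
        sc config %%S start= disabled
    )
    REM the Plug and Play enum key is only there if the driver ever loaded
    reg query "HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_%%S" >nul 2>&1 && echo   LEGACY_%%S enum key present
)

echo.
echo Reboot into Safe Mode before deleting the .sys files and applying repair.inf.
endlocal
```

"sc stop" on a kernel driver can fail with "The service cannot accept control messages" (error 1052) when the driver does not support unloading; that is expected, and the "start= disabled" line (note the space after "start=") still prevents it from loading again, so a reboot finishes the job.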



Fix the registry:

The .inf below restores the file-type handlers (exefile, batfile, comfile, piffile, regfile, scrfile), the Winlogon shell and the Safe Mode shell, turns the "Hide protected operating system files" option back to normal, and deletes the virus's service and enum keys. Copy and paste it into Notepad:

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1

[del]
HKLM, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SYSTEM\ControlSet001\Services\RioDrvs
HKLM, SYSTEM\ControlSet001\Services\cdralw
HKLM, SYSTEM\ControlSet001\Services\nvmini
HKLM, SYSTEM\CurrentControlSet\Services\RioDrvs
HKLM, SYSTEM\CurrentControlSet\Services\nvmini
HKLM, SYSTEM\CurrentControlSet\Services\cdralw
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RIODRVS
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_RIODRVS
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_nvmini
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_nvmini
HKLM, SYSTEM\CurrentControlSet\Enum\Root\LEGACY_cdralw
HKLM, SYSTEM\ControlSet001\Enum\Root\LEGACY_cdralw

- Save the file as repair.inf (in the Save dialog set "Save as type" to "All Files", otherwise Notepad appends .txt and the Install option does not appear).

- Right-click "repair.inf" and click Install.

- If a LEGACY_* key under Enum\Root is still there after a reboot, its permissions are blocking the delete: in regedit select the key, open Edit > Permissions, give Administrators Full Control, and delete it by hand.



Delete these files:

- C:\Windows\linkinfo.dll
- C:\Windows\System32\drivers\LsDrv118.sys
- C:\Windows\System32\drivers\nvmini.sys
- C:\Windows\System32\drivers\cdralw.sys
- C:\Windows\System32\drivers\riodrvs.sys
- C:\Windows\System32\drivers\DKIs6.sys

Delete only the linkinfo.dll that sits directly in C:\Windows; C:\Windows\System32\linkinfo.dll is a legitimate Windows file and must stay. If a .sys file cannot be deleted because it is in use, the driver is still loaded: disable its service, reboot into Safe Mode, and try again.



Show hidden and super-hidden files:

- Open Windows Explorer.
- Click the "Tools" menu > Folder Options.
- Click the "View" tab.
- Select "Show hidden files and folders".
- Uncheck "Hide protected operating system files (Recommended)".
- Click "Apply".
- Click "OK".


Then delete the files "Boot.exe" and "Autorun.inf" from the flash disk. Do not double-click the drive in My Computer to get there, since that is exactly what Autorun.inf is for; open it by typing the drive letter in the Explorer address bar or use a command prompt.
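The file deletions above and the flash-disk step, as one added example that is not part of the original post. The script assumes the driver services have already been stopped, and that the flash-disk drive letter is given as its first argument (a made-up name, clean-boot.cmd, is used for it below). Working from cmd.exe means the drive is never double-clicked, so Autorun.inf cannot relaunch Boot.exe during cleanup:

```batch
@echo off
REM Added example, not from the original post: delete the dropped files
REM listed above and the worm's Boot.exe / Autorun.inf from a flash disk,
REM after the driver services have been stopped. The drive letter is an
REM assumption passed as the first argument, e.g.  clean-boot.cmd F:
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<drive^>    e.g. %~nx0 F:
    exit /b 1
)
set "FLASH=%~d1"

REM Only the linkinfo.dll directly under %SystemRoot% is the virus's;
REM System32\linkinfo.dll is a legitimate Windows file and is left alone.
for %%F in (
    "%SystemRoot%\linkinfo.dll"
    "%SystemRoot%\System32\drivers\LsDrv118.sys"
    "%SystemRoot%\System32\drivers\nvmini.sys"
    "%SystemRoot%\System32\drivers\cdralw.sys"
    "%SystemRoot%\System32\drivers\riodrvs.sys"
    "%SystemRoot%\System32\drivers\DKIs6.sys"
    "%FLASH%\Boot.exe"
    "%FLASH%\Autorun.inf"
) do (
    if exist "%%~F" (
        REM clear hidden/system/read-only first, otherwise del refuses
        attrib -r -s -h "%%~F"
        del /f /q "%%~F"
        REM del does not set errorlevel on failure, so re-check the file
        if exist "%%~F" (
            echo LOCKED    %%~F  - reboot into Safe Mode and retry
        ) else (
            echo deleted   %%~F
        )
    ) else (
        echo not found %%~F
    )
)

REM Anything still hidden in the root of the flash disk deserves a look.
dir /a:h "%FLASH%\"
endlocal
```

The re-check after "del" matters: cmd.exe's del reports "Access is denied" for a file that is still mapped by a loaded driver but leaves errorlevel at 0, so testing the file's existence is the only reliable way to tell whether the delete worked.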

To repair the infected files, download Avira from http://www.avira.com/, install it, and scan in Safe Mode (recommended).

2 Comments

  1. Wow, nice, but isn't it a headache hunting all of that down, mas? If you just use an antivirus, is there a drawback?

  2. If you use an antivirus, just run it in Safe Mode... because the virus doesn't run in Safe Mode anyway.