SIMBE Blog

SIMBE Official Weblog

7 Steps To Erase Virus Rieysha


The Rieysha virus is believed to originate from Yogyakarta (Indonesia). Detected as W32/Autorun.FCN, it was written in Borland Delphi 6.0 and disguises itself with the Text Document (TXT) icon.

Every time the computer is turned on, or whenever a file with a .TXT, .BAT, .DOC, or .INI extension is opened, it displays the message “Sayang Kapan Kamu Balik Ke Indonesia? Apa Kamu Kembali Dengan Hatimu Yang Dulu?” (“Darling, when are you coming back to Indonesia? Will you come back with the heart you had before?”).

To remove this virus, follow the steps below:


1. Turn off System Restore before starting, so the virus is not restored from a restore point afterwards.
2. Kill the virus process that is still active in memory using Task Manager. The virus also disables Task Manager (it sets the DisableTaskMgr policy that the script in step 3 removes), so if Task Manager does not open, use another process viewer.
3. Repair the Windows Registry with the following script. Type it in Notepad, save it as “repair.inf” and run it (right-click “repair.inf”, then click Install). The script restores the default open handlers for .bat, .com, .exe, .pif, .reg and .scr files, re-enables Task Manager, Regedit, cmd.exe, Run, Find and Folder Options, and removes the virus’s Run entries. It is better to create “repair.inf” on a different computer that has not been infected, since opening a .txt file on an infected machine triggers the virus.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
; Restore the default open handlers. In an INF string a literal quote is
; written as a doubled "", so """%1"" %*" is the value "%1" %*
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
; Restore the logon shell and the Safe Mode command shell
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKCU, Control Panel\International, s1159,0, "AM"
HKCU, Control Panel\International, s2359,0, "PM"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "about:blank"
; Restore the file-type associations the virus changed
HKLM, SOFTWARE\Classes\.sys,,,"sysfile"
HKLM, SOFTWARE\Classes\.doc,,,"word.document.8"
HKLM, SOFTWARE\Classes\.bat,,,"batfile"
HKLM, SOFTWARE\Classes\.ini,,,"inifile"
HKLM, SOFTWARE\Classes\.dll,,,"dllfile"
; REG_DWORD (flag 0x00010001) 255 = disable AutoRun on all drive types
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoDriveTypeAutoRun,0x00010001,255

[del]
; Remove the virus's autostart entries and the policies it sets
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\run, RunDll
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices, Windll
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoDrives
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden
HKCU, SOFTWARE\Classes\exefile, Default

NOTE: when saving this file in Notepad, set “Save as type” to “All Files”, otherwise Notepad appends “.txt” and the file becomes repair.inf.txt, for which the right-click menu does not offer “Install”.

4. Show hidden files before deleting the virus, so its files are easier to find. If Folder Options or the C: drive still does not appear, log off and log back in. Then delete the following files (notepad.exe is on the list because the virus replaces Notepad with its own copy; a genuine copy is restored in step 6):

C:\Jadwal_Manggung.exe
C:\PesanBuatKekasih.bat
C:\rieysha.exe

C:\Program Files

* RunDll.exe
* KenanganJogja.exe

C:\Windows

* pesan.txt
* rieysha.exe

C:\Windows\system32

* Rahasiaku_Pacarku.exe
* DaftarHacker_Blacklist.exe
* Cerita_Panas_Mendebarkan.exe
* Pesanku.doc
* SuratCinta.exe
* Autorun.inf
* RieyshaAnakJogja.exe
* Sampah.txt
* notepad.exe

C:\Windows\system32\Restore\pesan1.txt

C:\Windows\system

* psene_seng_gawe.rtf
* rieysha.exe
* Jogja_virus_maker.exe

D:\DiaryRieysha.exe
D:\Puisi.txt
E:\CatatanTugas.exe
G:\CatatanML.exe
H:\CeritaDewasa.exe
K:\CeritaML.exe

5. Find the file named “rieysha_anak_jogja.txt”, rename it to “MSVBVM60.DLL”, then copy it into “C:\Windows\system32”.
6. Rename “C:\Windows\bacaan_anak_tk.txt” or “C:\Windows\bacaanHot.txt” (either one) to “C:\Windows\notepad.exe”. Then rename “C:\Windows\ReadMe.txt” to “C:\Windows\cmd.exe”.
7. For thorough cleaning, use an antivirus product that can detect and remove this virus.
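Before running the repair.inf from step 3 on a machine, it helps to see exactly which values it would change, and afterwards to confirm that nothing is left. The script below is an added example, not code from the original post or from Vaksincom: it parses the INF AddReg/DelReg sections using the INF quoting rules (a doubled "" inside a quoted field is one literal quote, which is why the handler lines read """%1"" %*") and diffs them against a registry snapshot. The snapshot is constructed for the example; the hijacked command strings in it are hypothetical, the page does not say what the virus actually writes, only which values the script restores.

```python
"""Added example: parse a Vaksincom-style repair.inf and diff it against a
registry snapshot to see what the script would set or delete."""
import csv
import io
import re

# Type flags used by INF AddReg lines (Windows INF AddReg directive).
FLAG_TYPES = {0x00000000: "REG_SZ", 0x00000001: "REG_BINARY",
              0x00010000: "REG_MULTI_SZ", 0x00010001: "REG_DWORD",
              0x00020000: "REG_EXPAND_SZ"}


def split_sections(inf_text):
    """Return {section name: [lines]}; ';' comments and blank lines dropped."""
    sections, current = {}, None
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def inf_fields(line):
    # INF fields are comma separated; a quoted field may contain commas and a
    # doubled quote inside it is one literal quote, exactly the csv dialect.
    return [f.strip() for f in
            next(csv.reader(io.StringIO(line), skipinitialspace=True))]


def parse_addreg(lines):
    """AddReg line: root, subkey[, value-name[, flags[, value]]].
    An empty value-name addresses the key's (Default) value."""
    entries = []
    for line in lines:
        root, subkey, name, flags, value = (inf_fields(line) + [""] * 5)[:5]
        reg_type = FLAG_TYPES.get(int(flags, 16) if flags else 0, "unknown")
        if reg_type == "REG_DWORD":
            value = int(value, 0)
        entries.append((root, subkey, name or "(Default)", reg_type, value))
    return entries


def parse_delreg(lines):
    """DelReg line: root, subkey[, value-name]; no value-name deletes the key."""
    return [tuple((inf_fields(l) + [""] * 3)[:3]) for l in lines]


def _norm(key):
    # Registry paths are case-insensitive and the script mixes
    # Software\CLASSES with SOFTWARE\Classes, so compare case-folded.
    return tuple(part.lower() for part in key)


def plan_repair(inf_text, snapshot):
    """snapshot: {(root, subkey, value-name): value} exported from a machine.
    Returns [(action, key, current, new)] for each change the INF would make."""
    sections = split_sections(inf_text)
    install = dict(l.split("=", 1) for l in sections["DefaultInstall"])
    snap = {_norm(k): (k, v) for k, v in snapshot.items()}
    changes = []
    for sec in install.get("AddReg", "").split(","):
        for root, subkey, name, _t, value in parse_addreg(sections[sec.strip()]):
            key = (root, subkey, name)
            found = snap.get(_norm(key))
            if (found[1] if found else None) != value:
                changes.append(("set", key, found[1] if found else None, value))
    for sec in install.get("DelReg", "").split(","):
        for root, subkey, name in parse_delreg(sections[sec.strip()]):
            target = _norm((root, subkey, name) if name else (root, subkey))
            for nk, (k, v) in snap.items():
                if nk[:len(target)] == target:
                    changes.append(("delete", k, v, None))
    return changes


# Constructed: a subset of the repair.inf from step 3.
SAMPLE_INF = r'''
[Version]
Signature="$Chicago$"
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\explorer, NoDriveTypeAutoRun,0x00010001,255
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\run, RunDll
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
'''

# Constructed snapshot of an infected machine. The hijacked command strings
# are hypothetical; the post only says which values the script restores.
INFECTED = {
    ("HKLM", r"Software\Classes\exefile\shell\open\command", "(Default)"):
        r'"C:\Windows\rieysha.exe" "%1" %*',
    ("HKLM", r"Software\Classes\regfile\shell\open\command", "(Default)"):
        r'regedit.exe "%1"',
    ("HKLM", r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"):
        r"Explorer.exe C:\Windows\rieysha.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\explorer",
     "NoDriveTypeAutoRun"): 145,
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "RunDll"):
        r"C:\Program Files\RunDll.exe",
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr"): 1,
}

if __name__ == "__main__":
    for action, key, current, new in plan_repair(SAMPLE_INF, INFECTED):
        print(f"{action:6} {key[0]}\\{key[1]} [{key[2]}]: {current!r} -> {new!r}")
```

Run it against a snapshot exported before the repair to see the five changes the constructed sample needs (the regfile handler already matches and is skipped); run it again after the repair and an empty plan confirms the registry part of the cleanup is done. To build a real snapshot, export the keys the script touches with reg.exe and load them into the same dict shape.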

Source : Detik.Com


