HOW TO OVERCOME A VIRUS

Written By Nohara Binti Parahita Niya on Sunday, March 24, 2013 | 3:55 AM


PART 1: BASIC TOOLKIT 
1. Alternative Ways to Run a Program 

Normally we run a program by clicking its icon in the Start menu or on the desktop. Not every utility has such an icon, though. Programs such as REGEDIT.EXE and CMD.EXE are usually launched through Start > Run. What can we do when the Run item is missing from the Start menu? Here are several "unusual" alternative ways to launch a program: 

a. Using Windows Explorer 

Run Windows Explorer, locate the program file you want to run in C:\Windows, C:\Windows\System or C:\Windows\System32, then double-click it. 

b. Using the Command Prompt (CMD.EXE) 

= Click Start > Programs > Accessories > Command Prompt, or launch CMD.EXE with the Explorer method above. 

= Type the name of the program you want to run, then press Enter. 

C:\Documents and Settings\mr. orche!> REGEDIT 

c. Using a Batch File 

= Run Notepad from the Start menu or from Windows Explorer. 
= Type the name of the program you want to run, for example regedit (without the quotes). 
= Save the file with the extension .BAT, for example TES.BAT. 
= Run the .BAT file from Windows Explorer (double-click it). 

d. Using Task Manager (TASKMGR.EXE) (Windows XP) 

= Press Ctrl+Alt+Del. 
= Click [New Task...] on the Applications tab. 
= Type the name of the program, then press Enter. 

e. Using the File Browser in ACDSee 

= Run ACDSee from the Start menu. 
= Locate the program file in the file browser window. 
= Double-click the program file. Any other application with its own file browser can be used the same way. 

2. Alternative Ways to Perform Registry Operations 

If you cannot run REGEDIT, registry operations can still be performed with the following alternatives: 

Alternative 1: Use the REG command 

1. Run the Command Prompt (CMD.EXE). 

2. To list the values under a key, use REG QUERY followed by the key path. 
Example: 
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 
REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 

3. Type REG DELETE keyname /V valuename to remove a particular value. 

Example: 
REG DELETE HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoRun 
REG DELETE HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFolderOptions 

Note: 

= The root key may be abbreviated: HKCR for HKEY_CLASSES_ROOT, HKLM for HKEY_LOCAL_MACHINE, HKCU for HKEY_CURRENT_USER, HKU for HKEY_USERS, and so on. 

= If a key name contains spaces, enclose the whole key path in double quotation marks. 

= REG DELETE asks for confirmation before deleting; add /F to skip the prompt. Check the current data with REG QUERY before deleting anything. 

= For the full syntax of the REG command, type REG /? (without quotes). 

Alternative 2: Using a .REG file 
1. Run Notepad and type the following (as an example): 

New format (WinXP): 
Windows Registry Editor Version 5.00 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 
"NoFolderOptions"=dword:00000000 

Old format (Win9x/NT): 
REGEDIT4 
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 
"NoFolderOptions"=dword:00000000 

2. Save the file with the extension .REG, then double-click the .REG file you saved. 

Explanation: 

= The first line, "Windows Registry Editor Version 5.00" or "REGEDIT4", is the header that marks the file as a registry file. 

= The second line, "[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]", is the registry key under which the values listed below it will be stored. 

= The third line, "NoFolderOptions"=dword:00000000, is a value name followed by the data to assign to it. In this example it sets the value named "NoFolderOptions" to 0. 

= Both the new (WinXP) format and the old (Win9x/NT) format are accepted by Windows XP; Windows 9x/NT accept only the old format. 
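The .REG format above is small enough to parse by hand, and doing so makes the link between Alternative 1 and Alternative 2 concrete: every line of a .REG file corresponds to one REG.EXE command. The following Python script is an added example (not from the original article): it validates either header, reads keys, dword and string values, the "name"=- syntax that deletes a value and the [-KEY] syntax that deletes a key, and prints the equivalent REG ADD / REG DELETE commands. The sample .REG text is constructed; hex: data and other types are deliberately rejected rather than guessed at.

```python
"""Parse a Windows .REG file and translate it to REG.EXE commands.

Added example, not part of the original article.  Supports both headers
(REGEDIT4 and "Windows Registry Editor Version 5.00"), dword and string
values, "name"=- (delete value) and [-KEY] (delete key).
"""
import re

ROOT_ABBREV = {
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CURRENT_CONFIG": "HKCC",
}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Constructed sample in the WinXP format: restores the Folder Options menu
# (NoFolderOptions=0) and deletes the NoRun and NoFind restrictions.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoFolderOptions"=dword:00000000
"NoRun"=-
"NoFind"=-
"""

# "name"=data or @=data (default value); quotes inside names are escaped with \
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return a list of (key, delete_key, [(name, type, data), ...]).

    name is "" for the default value (@).  type is "dword", "string", or
    None when the line deletes the value ("name"=-).
    """
    lines = text.lstrip("\ufeff").splitlines()  # XP exports may carry a BOM
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .REG file: missing REGEDIT4 / Version 5.00 header")
    entries, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = (key.lstrip("-"), key.startswith("-"), [])
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            raise ValueError("unexpected line: %r" % line)
        name = (m.group(1) or "").replace('\\"', '"').replace("\\\\", "\\")
        raw = m.group(2).strip()
        if raw == "-":
            current[2].append((name, None, None))
        elif raw.lower().startswith("dword:"):
            current[2].append((name, "dword", int(raw[6:], 16)))
        elif raw.startswith('"') and raw.endswith('"'):
            data = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            current[2].append((name, "string", data))
        else:
            raise ValueError("unsupported data: %r" % raw)
    return entries


def abbreviate(key):
    """HKEY_LOCAL_MACHINE\\Software -> HKLM\\Software (REG.EXE accepts both)."""
    root, _, rest = key.partition("\\")
    return ROOT_ABBREV.get(root.upper(), root) + ("\\" + rest if rest else "")


def to_reg_commands(entries):
    """Emit the REG.EXE command lines equivalent to the parsed .REG file."""
    cmds = []
    for key, delete_key, values in entries:
        k = '"%s"' % abbreviate(key)  # quoted because key paths may contain spaces
        if delete_key:
            cmds.append("REG DELETE %s /F" % k)
            continue
        for name, vtype, data in values:
            sel = "/VE" if name == "" else '/V "%s"' % name
            if vtype is None:
                cmds.append("REG DELETE %s %s /F" % (k, sel))
            elif vtype == "dword":
                cmds.append("REG ADD %s %s /T REG_DWORD /D %d /F" % (k, sel, data))
            else:
                cmds.append('REG ADD %s %s /T REG_SZ /D "%s" /F' % (k, sel, data))
    return cmds


if __name__ == "__main__":
    for cmd in to_reg_commands(parse_reg(SAMPLE_REG)):
        print(cmd)
```

Running it on the sample prints one REG ADD for NoFolderOptions and two REG DELETE lines, which is exactly what you would type under Alternative 1; the /F on each line suppresses the confirmation prompt, so read the output before pasting it into a Command Prompt.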

Alternative 3: Using a Startup Disk (Win9x only) 
This method is the hardest, but it may be the only effective way to repair the registry once the system is completely paralysed. 

1. Boot from the Startup Disk 
a. Insert the Win95/98 Startup Disk in the floppy drive. 
b. Restart (make sure the boot sequence in the BIOS puts the floppy first). 

2. Change to the C:\Windows directory (folder) 
A:\> C: 
C:\> CD WINDOWS 

3. Export the desired key from the registry to a .REG file 
Command format (the real-mode REGEDIT takes the file name first, then the key): 
REGEDIT /E regfilename keyname 

Example: 
REGEDIT /E TES.REG HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 

If the key name contains spaces, enclose it in quotation marks: 
REGEDIT /E TES.REG "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" 

The exported file can be edited with EDIT.COM from the same prompt and imported back with REGEDIT TES.REG. 

3. Bringing Back the Folder Options Menu in Windows Explorer 

Some viruses hide their files so that the user does not notice them and the virus is harder to remove: they simply set the hidden attribute. Hidden files can still be seen when "Show hidden files and folders" is enabled in Folder Options, so a virus will sometimes remove the Folder Options menu itself to keep its files out of sight. The easiest and most common way for a virus to hide the menu is to change the registry: it inserts the value "NoFolderOptions" with the data 1. To bring the menu back, delete that value or set its data to 0. 

= To change the Folder Options settings, click Tools > Folder Options in Windows Explorer. 

= The NoFolderOptions value lives in one or both of the following keys: 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 

The value can be removed with REGEDIT, or by typing the following at the Command Prompt: 

REG DELETE HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFolderOptions 

REG DELETE HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /V NoFolderOptions 

If the value comes back shortly after you delete it, the virus process is still running and re-applying it; stop the process first (see point 9), then delete the value again. 
4. Bringing Back the Run Menu 

Delete the value "NoRun" or set its data to 0 using the registry operations described above for the Folder Options menu. "NoRun" lives in the key (check the HKEY_LOCAL_MACHINE counterpart as well): 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 

5. Bringing Back the Find (Search) Menu 

Delete the value "NoFind" or set its data to 0 using the same registry operations. "NoFind" lives in the key (check the HKEY_LOCAL_MACHINE counterpart as well): 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 

6. Re-enabling REGEDIT 

Sometimes REGEDIT cannot be run because a virus has disabled it through a registry setting. To recover, delete the value "DisableRegistryTools" or set its data to 0, using the Command Prompt and REG DELETE (on WinXP) or a .REG file (on Win9x). Note that this value lives under Policies\System, not Policies\Explorer: 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System 
7. Revealing Hidden Files by Changing Attributes at the Command Prompt 

Hidden files can be revealed without touching Folder Options at all, by clearing the hidden attribute on the files themselves. In Windows Explorer the hidden attribute can only be changed if Folder Options allows hidden files to be displayed; the alternative is to change the attributes at the Command Prompt. To list the hidden files from the Command Prompt, use DIR /AH. Then use the ATTRIB command followed by the attributes to change. The following example clears the read-only, hidden and system attributes at once on every file in the current directory (add /S to recurse into subfolders; note that it also strips these attributes from legitimate system files, so run it in the folder where the virus hides rather than in C:\ or C:\Windows): 

ATTRIB -R -H -S *.* 
8. Finding Files at the Command Prompt 

a. List the files/folders in the current folder: 

DIR *.* 

b. List the files/folders in the current folder, including hidden ones: 

DIR *.* /A        "A" stands for "ALL" (all attributes) 

c. List the files (excluding folders) in the current folder: 

DIR *.* /A-D      "D" stands for "DIRECTORY", "-" means exclusion 

d. List the folders (excluding files) in the current folder: 

DIR *.* /AD       "D" stands for "DIRECTORY" 

e. List hidden files/folders: 

DIR *.* /AH       "H" stands for "HIDDEN" 

f. List files/folders sorted by name: 

DIR *.* /ON       files and folders; "O" means "ORDER BY", "N" means "NAME" 
DIR *.* /AD /ON   folders only 
DIR *.* /A-D /ON  files only 
DIR *.* /A-DH /ON hidden files only 
DIR *.* /ADH /ON  hidden folders only 

g. List files/folders sorted by type (extension) 

Same as sorting by name, with /ON replaced by /OE. 

h. List files sorted by size 

Same as sorting by name, with /ON replaced by /OS. 
To search subfolders as well, add /S (for example DIR *.EXE /S /AH lists every hidden .EXE below the current folder). For the full rules of the DIR command, type DIR /? and press Enter. 
9. Killing a Suspicious Process 

In this article a "process" means a program that runs in the background: it has no window, because it was not made to interact with the user, unlike an application program, which is visibly there to interact with the user. (Strictly speaking every running program is a process; the distinction here is whether it shows a window.) Viruses are usually built so that nothing is visible while they run; they exist only as a process. While the virus file is running it normally cannot be deleted, because Windows locks the executable of a running process; usually it can only be deleted after the process has been stopped. The list of running applications and processes can be viewed in Windows Task Manager (TASKMGR.EXE), simply by pressing Ctrl+Alt+Del. Once the Windows Task Manager window appears, select the "Applications" tab to see the list of application programs, or the "Processes" tab to see the list of processes. The other tabs are "Performance", "Networking" and "Users". 
To stop a running application, select its name in the list and click "End Task". To stop a running process, select the process name and click "End Process". If Windows Task Manager cannot be run, we can still list and stop processes from the Command Prompt: TASKLIST.EXE lists the processes and TASKKILL.EXE stops them. (Both ship with Windows XP Professional but not with XP Home Edition.) 

Example: 
TASKLIST 
TASKKILL /F /IM notepad.exe /IM MSPAINT.EXE 
TASKKILL /F /PID 1230 /PID 1253 /T 

Description: 
The parameter /F ("FORCE") terminates the process forcibly. 
The parameter /IM ("IMAGE NAME") selects the process by the executable name given after it. 
The parameter /PID selects the process by its process ID, as shown in the TASKLIST output. 
The parameter /T ("TREE") also terminates every child process the selected process has started. 
PART 2: THE OPENINGS THAT TRIGGER A VIRUS INTO ACTION 

A virus program copied onto a clean computer does not by itself infect it. The virus becomes active and starts working only when the program is run, for example when the user double-clicks it in Windows Explorer. So the first infection of a computer is caused by the user. Once given that one chance, the virus is free to arrange its own activation schedule, as its author intended. By looking at the openings a virus can use to activate itself, we can more easily find where it hides and then subdue it. 
1. Registry 

The registry offers a facility that lets a program start by itself before the Start menu appears. This facility exists for ordinary application programs, but viruses use it frequently. The registry can be viewed and manipulated with the standard Windows REGEDIT program (Run, regedit). It consists of five roots (HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG); each root has many branches called keys. Each key can contain further keys and/or values. Compared with file management, a root corresponds to a drive, a key to a folder and a value to a file. Like a folder, a key holds no data of its own; it only holds other keys and values. The registry data that influences the behaviour of the whole system is stored in the values. To understand the registry structure better, run REGEDIT, but run it carefully: a single wrong step can paralyse the system!!! Export the key you are about to change first (File > Export in REGEDIT, or REG EXPORT keyname file.reg at the Command Prompt) so that you can restore it. 

a. The "Run" key 

The "Run" key is designed to hold the list of programs the system runs just before the Start menu becomes active. In the registry, this key can be found in several places: 
Key = "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" 
Key = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" 
= Several keys under the "HKEY_USERS" root 

If more than one user is listed in User Accounts (Control Panel > User Accounts), the HKEY_USERS root holds a key with the settings of each user. Those keys also contain "Software\Microsoft\Windows\CurrentVersion", which may in turn contain a "Run" key. The sibling key "RunOnce" works the same way, except that its entries are removed after they have run once. 

b. The "Shell" and "Userinit" values in the "Winlogon" key 

The values "Shell" and "Userinit" in the "Winlogon" key are, from a virus's point of view, just as effective as an entry in the "Run" key. Normally the data of the two values is: 

Shell = "Explorer.exe" 
Userinit = "C:\WINDOWS\system32\userinit.exe," 

The "Winlogon" key is a subkey of: 
Key = "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion" 
Key = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion" 
= Several keys under the "HKEY_USERS" root 

Both values are comma-separated lists, so a virus does not need to replace the original program: it can simply append its own file after it (for example Shell = "Explorer.exe, C:\WINDOWS\virus.exe", an illustrative name). Anything listed after the default program is suspicious. 

Besides the values and keys mentioned above, there may well be other keys/values a virus can exploit, although they may be less effective, and so far the author has not come across them. 
If you find a suspicious value, analyse it adequately before deciding to remove it. Do not just delete it!!! Deleting Userinit entirely, for instance, leaves the system unable to log on; correct the data instead of removing the value. 
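The checks in Part 1 (points 3 to 6: NoFolderOptions, NoRun, NoFind, DisableRegistryTools) and the autostart locations above all come down to reading a handful of registry keys and comparing what is there with what should be there. The following Python script is an added example, not part of the original article. It parses the text that REG QUERY prints for those keys (both the tab-separated XP layout and the space-separated layout of later versions), lists the restriction values that are set, prints the REG DELETE lines that undo them, reports anything appended to Shell or Userinit beyond their defaults, and lists every Run entry for manual review. The REG QUERY output below is constructed, and the entry names in it (svchost32.exe, msupdate) are made up; DisableTaskMgr is a further policy value of the same family that the article itself does not discuss.

```python
r"""Audit REG QUERY output for virus restrictions and autostart entries.

Added example, not part of the original article.  At the Command Prompt run

    REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    REG QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    REG QUERY "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"

(and the HKLM / HKCU counterparts) and feed the combined text to audit().
"""
import re

# Constructed REG QUERY output; the svchost32.exe / msupdate entries are invented.
SAMPLE_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    NoFolderOptions    REG_DWORD    0x1
    NoRun    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
    msupdate    REG_SZ    C:\WINDOWS\system32\svchost32.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe, C:\WINDOWS\system32\svchost32.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

# Policy values a virus sets to 1 to lock the user out of the Part 1 tools,
# with the key that holds each.  DisableTaskMgr is not covered by the article.
RESTRICTIONS = {
    "NoFolderOptions": "Policies\\Explorer",
    "NoRun": "Policies\\Explorer",
    "NoFind": "Policies\\Explorer",
    "DisableRegistryTools": "Policies\\System",
    "DisableTaskMgr": "Policies\\System",
}
# Normal data of the Winlogon values; both are comma-separated lists.
WINLOGON_DEFAULTS = {
    "shell": ["explorer.exe"],
    "userinit": ["c:\\windows\\system32\\userinit.exe"],
}
# Indented value line: <name> <REG_type> <data>, separated by tabs or spaces.
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_reg_query(text):
    """Return {key: {value_name: (type, data)}} from REG QUERY output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):  # blank or "! REG.EXE VERSION" banner
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
        elif not line[0].isspace():  # unindented line = key path
            current = line.strip()
            keys.setdefault(current, {})
    return keys


def audit(text):
    """Return (undo_commands, findings) for the given REG QUERY output."""
    undo, findings = [], []
    for key, values in parse_reg_query(text).items():
        for name, (vtype, data) in values.items():
            policy = RESTRICTIONS.get(name)
            if policy and key.endswith(policy) and data not in ("0x0", "0"):
                findings.append("%s\\%s = %s (restriction active)" % (key, name, data))
                undo.append('REG DELETE "%s" /V %s /F' % (key, name))
            elif key.endswith("\\Winlogon") and name.lower() in WINLOGON_DEFAULTS:
                parts = [p.strip().strip('"').lower() for p in data.split(",") if p.strip()]
                extra = [p for p in parts if p not in WINLOGON_DEFAULTS[name.lower()]]
                if extra:
                    findings.append("%s\\%s runs extra program(s): %s" % (key, name, ", ".join(extra)))
            elif key.endswith("\\Run") or key.endswith("\\RunOnce"):
                findings.append("autostart %s\\%s -> %s" % (key, name, data))
    return undo, findings


if __name__ == "__main__":
    undo, findings = audit(SAMPLE_OUTPUT)
    print("\n".join(findings))
    print("\n".join(undo))
```

The undo lines only ever touch the restriction values, which is safe to do blindly; the Winlogon and Run findings are reported but never turned into commands, because fixing Shell or Userinit means editing the data back to its default rather than deleting the value, and a Run entry needs the analysis the article asks for before it goes.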

2. Start Menu and Desktop 

a. Start> Programs> Startup 

Folder \"Startup\" in the start menu is provided to accommodate the programs to be run automatically by Windows when the boot process is complete.