Saturday 13 October 2012

3 Ways to Remove Ransomware Viruses



Imagine someone getting access to your computer, encrypting all your family photos and other priceless files, and then demanding a ransom for their safe return. That is what ransomware is about: it is a type of malware used for data kidnapping. It takes your data hostage by encrypting it with an encryption algorithm you cannot break yourself, then demands payment in exchange for the decryption key.
At the moment the most common type of ransomware is the 'Police Trojan'. This malicious program locks the computer's screen rather than encrypting files, and tells the owner to pay a 'fine' for allegedly breaking several laws through their online activity. Because it only blocks the desktop, it can be removed without paying, which is what the three methods below do.
If your computer is infected with this type of malware, you can use any of the methods below to remove it.

Method 1: Use HitmanPro in ForceBreach Mode

  1. Download the latest official version of HitmanPro from the link below.
    HITMANPRO DOWNLOAD LINK (This link will open a download page in a new window from where you can download HitmanPro)
  2. After you have downloaded HitmanPro, copy the file to a USB stick or CD and follow the instructions in the video below. Force Breach mode is what makes this work against a screen locker: holding the left CTRL key while HitmanPro starts makes it terminate all non-essential processes, including the lock screen, so the scan can run.

Method 2: Use a Kaspersky Rescue Disk CD

What you'll need to perform this removal guide:
  1. A computer with Internet access (a second, uninfected computer, since the locked one cannot be used).
  2. 1 blank DVD or CD
  3. 1 DVD/CD burner
  4. Software that can write a bootable CD – http://www.imgburn.com/index.php?act=download
  5. A copy of the latest Kaspersky Rescue Disk from here – http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/
  6. About 1-2 hours, depending on how much data you have on C:

STEP 1: Download and create a bootable Kaspersky Rescue Disk CD

  1. Download the Kaspersky Rescue Disk ISO image from the link below.
    download kaspersky rescue disk
  2. Download ImgBurn, the program we will use to write the ISO to a bootable disc.
    download ImgBurn
  3. You can now insert your blank DVD/CD in your burner.
  4. Install ImgBurn by following the prompts and then start this program.
  5. Click on the Write image file to disc button.
    Create bootable CD step1
  6. Under ‘Source’ click on the Browse for file button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file.(kav_rescue_10.iso)
    Create bootable CD step2
  7. Click on the big Write button.
    Create bootable CD step3
  8. The disc creation process will now start and it will take around 5-10 minutes to complete.

STEP 2:Configure the computer to boot from CD-ROM

  1. Press the Delete or F2 key during power-on to enter the BIOS setup menu. The exact key varies by manufacturer and is shown on screen at the very start of the boot, before Windows loads:
    Boot into Bios
  2. In your PC BIOS settings select the Boot menu and set CD/DVD-ROM as a primary boot device.
    Boot into BIOS Step2
  3. Insert your Kaspersky Rescue Disk and restart your computer.

STEP 3:Boot your computer from Kaspersky Rescue Disk

  1. Your computer will now boot from the Kaspersky Rescue Disk, and you'll be asked to press any key to proceed.
    Kaspersky Rescue Disk 1
  2. In the start-up wizard window that opens, select your language using the arrow keys and press ENTER.
    Kaspersky Rescue Disk 2
  3. On the next screen, select Kaspersky Rescue Disk. Graphic Mode and press ENTER.
    Kaspersky Rescue Disk 3
  4. The End User License Agreement of Kaspersky Rescue Disk will be displayed. Read it, then press the C key on your keyboard to accept.
    Kaspersky Rescue Disk 4
  5. Once these steps are done, the Kaspersky Rescue Disk operating system will start.

STEP 4: Launch Kaspersky WindowsUnlocker to remove the ransomware's malicious registry changes

The ransomware (this guide was written against the PRS for Music variant of the Police Trojan; other variants use the same trick) has modified the registry so that when Windows starts it launches the lock screen instead of the desktop. Because the malware is not running while the machine is booted from the rescue disk, these changes can be undone safely with the Kaspersky WindowsUnlocker tool included on the Kaspersky Rescue Disk.
  1. Click on the Start button located in the bottom left corner of the screen and select Kaspersky WindowsUnlocker.
    Kaspersky Rescue Disk WindowsUnlocker 1
    Alternatively, select Terminal and at the command prompt type windowsunlocker and press Enter.
  2. A white console window will appear and will automatically load the offline registry hives, scan them and disinfect them. The whole process takes only a couple of seconds, after which you should be able to boot your computer in normal mode.

STEP 5:Scan your system with Kaspersky Rescue Disk

  1. Click on the Start button located in the bottom left corner of the screen, select Kaspersky Rescue Disk, then click on My Update Center and press Start update.
    Kaspersky Bootable Cd scan 1
  2. When the update has completed, the light at the top of the window turns green and the database release date is updated.
    Kaspersky Bootable Cd scan 2
  3. Click on the Objects Scan tab, then click Start Objects Scan to begin the scan.
    Kaspersky Bootable Cd scan 3
  4. If any malicious items are found, the default settings prompt you for action with a red popup window at the bottom right. Delete is the recommended action in most cases, but we strongly recommend trying Disinfect first and, if that fails, choosing Quarantine rather than Delete: a quarantined file can still be restored if the detection turns out to be a false positive.
    Kaspersky Bootable Cd scan 5
  5. When all detected items have been processed, the light in the window turns green and the scan shows as completed.
    Kaspersky Bootable Cd scan 7
  6. Close the Kaspersky Rescue Disk window and use the Start Menu to restart the computer. Remove the CD when the machine reboots (or set the hard disk back as the first boot device) so it boots into Windows.

Method 3: Use our manual removal guide

STEP 1 :Start your computer in Safe Mode with Command Prompt

  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. Press and hold the F8 key as your computer restarts. Keep in mind that you need to press F8 before the Windows start-up logo appears.
    Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the “F8 key”, tap the “F8 key” continuously until you get the Advanced Boot Options screen.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Command Prompt, and then press ENTER.
    Enter Safe Mode with Command Prompt

STEP 2: Remove the malicious registry key and file

  1. When Windows loads in Safe Mode with Command Prompt, the Windows command prompt will appear as shown in the image below. At the command prompt, type explorer.exe and press Enter.
    explorer.exe at Safe Mode with Command Prompt
    Windows Explorer will open; do not close this window.
  2. In the same command prompt, type regedit.exe and press Enter.
    Type regedit.exe at Safe Mode with Command Prompt
  3. The Registry Editor will open. Browse to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    and look in the list on the right for a value named Shell.
    Browse to registry
    Right-click on this value and select Modify. Its data should be explorer.exe, the program Windows runs as the desktop shell at logon; this infection has most likely changed it to point at its own executable, which is how the lock screen appears instead of the desktop.
  4. Before you change this value back to explorer.exe, copy its current data to a piece of paper or Notepad, because it gives you the path of the ransomware executable that needs to be removed.
    In our case the malicious file was running from the Desktop and was called contacts.exe, but the criminals may have changed the file name, so in your case it might be different.
    Path to infection
  5. Change the value's data back to its default:
    explorer.exe
    Then click OK to save your changes and exit the Registry Editor.
    value explorer.exe
  6. Use the Explorer window opened in step 1 to browse to the location you noted from the modified value and delete the malicious file. In our case the malicious file was running from the Desktop and was called contacts.exe. If you do not see it, enable showing hidden and protected operating system files in Folder Options, since these files are often marked hidden.
    Delete malicious file
  7. Go back into Normal Mode. To restart your computer, at the command prompt type shutdown /r /t 0 and press Enter.
Alternatively you can use this other manual removal guide to get rid of this trojan:
1 – Press Ctrl-O (that's the letter O, not the number zero).
2 – Select "Browse", then go to C:\windows\system32 and open cmd.exe.
3 – Type "explorer.exe" into the newly opened window. You should now be able to use the desktop again.
4 – Browse to your Startup folder. The path varies with the language settings and Windows version. The screenshot below shows the path on the English version of Windows XP. You will also have to replace "Administrator" with your user name in the path (unless you're already using the Administrator account, but let's not get started on that...).
Windows 7 and Vista users can go to:
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
5 – Delete any entries you don't recognize. The names of the malicious entries may differ from the ones shown in the screenshot. If you are unsure, you can remove all entries, at the risk of stopping other legitimate applications from starting automatically; moving them to another folder instead of deleting them lets you put them back later.
6 – Reboot the computer.
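Both manual steps above (restoring the Winlogon Shell value in Step 2 of Method 3, and checking the Startup folder in the alternative guide) can be done in one pass and, more importantly, checked before anything is changed. The script below is an added example written for this page; it is not part of the original guide or of any tool the guide mentions. It assumes PowerShell is available in Safe Mode with Command Prompt (built into Windows 7 and later; on XP it must be installed) and that it is run from an elevated prompt; the file name Check-Winlogon.ps1 and the quarantine folder C:\Quarantine are assumptions you can change. In report mode it compares the HKLM and HKCU Winlogon Shell and Userinit values against their Windows defaults (Userinit is checked as well because the same hijack is commonly done there), prints the executables they point at, and lists the Startup folders and Run keys; with -Restore it sets the values back and moves the referenced executables into the quarantine folder instead of deleting them, so the sample is kept and a mistake can be undone.

```powershell
# Added example, not part of the original guide. Audits the Winlogon values that
# screen-locker ransomware hijacks (Shell, Userinit), lists the Startup folders
# and Run keys the manual guide tells you to inspect, and with -Restore puts the
# Winlogon values back to their Windows defaults and quarantines (moves, does not
# delete) the executables they pointed at.
# Run from an elevated prompt in Safe Mode with Command Prompt:
#   powershell -ExecutionPolicy Bypass -File Check-Winlogon.ps1          # report only
#   powershell -ExecutionPolicy Bypass -File Check-Winlogon.ps1 -Restore # fix and quarantine
param([switch]$Restore)

# Windows defaults for the two values the manual guide has you compare by hand.
$Defaults = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe"
}
# HKLM is the value the guide edits; HKCU is checked too because a per-user Shell
# value, if present, wins over the machine-wide one for that account.
$WinlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$QuarantineDir = Join-Path $env:SystemDrive 'Quarantine'   # assumed location, change as needed

function Get-UnexpectedEntries([string]$Name, [string]$Data) {
    # Winlogon values are comma-separated executable lists; return every entry
    # that is not the Windows default for that value name.
    $Data -split ',' | ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' -and $_ -ine $Defaults[$Name] }
}

function Move-ToQuarantine([string]$Path) {
    # Move rather than delete: keeps the sample for analysis and makes a wrong guess reversible.
    if (-not (Test-Path -LiteralPath $QuarantineDir)) {
        New-Item -ItemType Directory -Path $QuarantineDir | Out-Null
    }
    $Dest = Join-Path $QuarantineDir ((Split-Path -Leaf $Path) + '.quarantined')
    Move-Item -LiteralPath $Path -Destination $Dest -Force
    Write-Host "    moved $Path -> $Dest"
}

foreach ($Key in $WinlogonKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Props = Get-ItemProperty -LiteralPath $Key
    foreach ($Name in $Defaults.Keys) {
        $Data = $Props.$Name
        if ($null -eq $Data) { continue }    # HKCU normally has neither value; absent is fine
        $Bad = @(Get-UnexpectedEntries -Name $Name -Data $Data)
        if ($Bad.Count -eq 0) { Write-Host "OK        $Key\$Name = $Data"; continue }
        Write-Host "SUSPECT   $Key\$Name = $Data"
        foreach ($Exe in $Bad) {
            if (Test-Path -LiteralPath $Exe) {
                # -Force so a file the malware marked hidden is still found.
                $Info = Get-Item -LiteralPath $Exe -Force
                Write-Host ("    -> {0}  ({1} bytes, written {2})" -f $Exe, $Info.Length, $Info.LastWriteTime)
                if ($Restore) { Move-ToQuarantine $Exe }
            } else {
                Write-Host "    -> $Exe  (file not found; may already be removed)"
            }
        }
        if ($Restore) {
            if ($Key -like 'HKLM:*') {
                # Userinit keeps its trailing comma on a default install.
                $Default = if ($Name -eq 'Userinit') { $Defaults[$Name] + ',' } else { $Defaults[$Name] }
                Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Default
            } else {
                Remove-ItemProperty -LiteralPath $Key -Name $Name   # per-user override should not exist
            }
            Write-Host "    restored $Key\$Name"
        }
    }
}

# Startup folders and Run keys are only listed: the guide's advice to delete what
# you do not recognise is a judgement call, so nothing here is removed automatically.
$StartupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($Folder in $StartupFolders) {
    Write-Host "Startup folder: $Folder"
    Get-ChildItem -LiteralPath $Folder -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host ("    {0}  (written {1})" -f $_.Name, $_.LastWriteTime) }
}
foreach ($RunKey in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    Write-Host "Run key: $RunKey"
    $Run = Get-ItemProperty -LiteralPath $RunKey -ErrorAction SilentlyContinue
    if ($Run) {
        # Skip the PS* metadata properties Get-ItemProperty adds to every result.
        $Run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Host ("    {0} = {1}" -f $_.Name, $_.Value) }
    }
}
```

Run it first without -Restore and read the SUSPECT lines: the path printed there is the same one the manual guide tells you to write down before changing the value. Only the Winlogon values are repaired automatically; Startup and Run entries are listed so you can decide about them yourself, as step 5 above says.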
