Đặng Linh - Thiên Sơn

Two Dangerous Worms: Worm_Rbot.Azm Spreads in Vietnam After Worm_Rontokbro.B

Worm_Rontokbro.B

Threat level: rated dangerous.

1. Operating systems infected: Windows 95, 98, ME, NT, 2000, XP and Server 2003.

2. How it spreads: the worm mails a copy of itself as an attachment. The attached file carries the Windows folder icon to trick the user into opening it out of curiosity. When it runs, it opens a Windows Explorer window to hide what it is doing on the victim's machine, then writes many copies of itself under different names all over the hard disk. On infected machines running Windows 2000, XP and Server 2003 it also drops copies under the User Profile folder and creates new folders in that path.

3. What happens on an infected machine: the worm restarts the computer whenever it sees a window whose title bar contains a string such as "EXE" or "REGISTRY". It inserts the command "pause" into AUTOEXEC.BAT on drive C:, which halts Windows 95, 98 and ME during boot. It edits the registry so that Folder Options disappears from the menus of every Windows Explorer window and the Folder Options dialog can no longer be opened. Worse, it disables the Registry Editor, so the user cannot open Regedit (from Start > Run or from the Control Panel) to undo the values the worm planted.

Removal

Any antivirus program with the latest update will remove it, for example D32 or AVG Anti-virus, but this is slow and it does not undo the lock on Folder Options and the Registry Editor. You should therefore follow the manual procedure below.

Manual removal

Step 1: Restart the computer in Safe Mode

Windows 95
1. Restart the computer.
2. Press F8 when the "Starting Windows 95" message appears.
3. Choose Safe Mode from the Windows 95 Startup menu and press Enter.

Windows 98 and ME
1. Restart the computer.
2. Hold down CTRL until the Startup menu appears.
3. Choose Safe Mode and press Enter.

Windows NT (VGA mode)
1. Click Start > Settings > Control Panel.
2. Double-click the System icon.
3. Click the Startup/Shutdown tab.
4. Set the "Show list for" time to 10 seconds and click OK.
5. Shut down and restart the computer.
6. Choose VGA mode from the startup menu.

Windows 2000
1. Restart the computer.
2. Press F8 when the "Starting Windows" bar appears at the bottom of the screen.
3. Choose Safe Mode from the Windows Advanced Options Menu and press Enter.

Windows XP
1. Restart the computer.
2. Press F8 after the Power-On Self Test (POST) has completed. If the Windows Advanced Options Menu does not appear, restart again and press F8 repeatedly after the POST screen.
3. Choose Safe Mode from the Windows Advanced Options Menu and press Enter.

Step 2: Remove the worm's start-up entries from the registry

The worm has disabled the Registry Editor, so Start > Run > Regedit no longer opens it. You have to unlock it first with a small script. Click Start > Run, type notepad and press Enter to open Notepad, then type the following lines. The script reads the DisableRegistryTools policy value that the worm set to 1 and writes it back to 0 (creating it with 0 if it does not exist):

Option Explicit
Dim WSHShell, n, MyBox, p, Thienson, errnum, itemtype
Set WSHShell = WScript.CreateObject("WScript.Shell")
' Policy value the worm uses to lock the Registry Editor
p = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\"
p = p & "DisableRegistryTools"
itemtype = "REG_DWORD"
Thienson = "xin chao cac ban"
' RegRead raises an error if the value does not exist, so catch it
Err.Clear
On Error Resume Next
n = WSHShell.RegRead(p)
On Error Goto 0
errnum = Err.Number
If errnum <> 0 Then
    ' Value absent: create it as 0 (Registry Editor enabled)
    WSHShell.RegWrite p, 0, itemtype
End If
If n = 1 Then
    ' Value present and set to 1 (locked): reset it to 0
    n = 0
    WSHShell.RegWrite p, n, itemtype
    MyBox = MsgBox("Registry cua ban da duoc MO", 4096, Thienson)
End If

Click File > Save. In the File Name box type MORegedit.vbs, in the Encoding box choose ANSI, pick the folder to save in from the Save in list and click Save. Then double-click MORegedit.vbs to run it; when the message "Registry cua ban da duoc MO" (your Registry has been unlocked) appears, click OK.

Now click Start > Run, type Regedit and press Enter. The Registry Editor window opens.

In the left pane, find the key:
HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run
In the right pane, find and delete the value:
Bron-Spizaetus = "%Windows%\INF\norBtok.exe"
Note: %Windows% is the default Windows folder, C:\Windows on Windows ME, XP and Server 2003, or C:\WINNT on Windows NT and 2000.

In the left pane, find the key:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
In the right pane, find and delete the value:
Tok-Cirrhatus = "%UserProfile%\Application Data\…" (Windows 2000, XP and Server 2003)
Tok-Cirrhatus = "%Windows%\Application Data\…" (Windows ME)

Step 3: Delete the worm's traces in the registry

In the left pane, find the key:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > Explorer
In the right pane, find and delete the value the worm added there to hide Folder Options.

In the left pane, find the key:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Policies > System
In the right pane, find and delete the value:
DisableRegistryTools = dword:00000001
Close the Registry Editor.

Step 4: Restore AUTOEXEC.BAT

Open AUTOEXEC.BAT in Notepad: click Start > Run, type notepad c:\autoexec.bat and press Enter. Delete the line:
pause
Close the file and click Yes to save it.

Step 5: Turn off System Restore in Windows XP/ME
System Restore backs up the system so that it can be put back when something goes wrong. Antivirus software, however, cannot scan the System Volume Information folder where System Restore keeps its restore files, so the machine is "re-infected" as soon as System Restore brings back a backup that contains the virus.

To turn it off: press Windows key + Pause to open the System Properties dialog, click the System Restore tab, tick "Turn off System Restore on all drives", click Apply, then Yes when the confirmation appears. (Screenshot: the System Restore tab with every drive listed as "Turned off".)

Then clean the junk out of the machine: press Windows key + E to open My Computer, right-click drive C: and choose Properties. On the General tab click Disk Cleanup. In the Disk Cleanup dialog choose the More Options tab, click Clean Up in the System Restore section and answer Yes. Click OK in the Disk Cleanup dialog, then Yes again. The program deletes the junk files together with all System Restore restore points. Your machine is now really "clean".

Worm_Rbot.Azm

Threat level: rated as having a high infection rate.

Operating systems infected: Windows 95, 98, ME, NT, 2000, XP and Server 2003.
How it spreads: over the network through shared folders. The worm drops copies of itself into the default shares:
\Windows\system32
\WINNT\system32
If a share is password-protected, it tries the user names and passwords from a list it carries. It also spreads by exploiting the RPC/DCOM vulnerability. In addition, it steals the CD keys of games installed on the infected machine, such as FIFA, Command and Conquer and James Bond 007.

Removal

Any antivirus program with the latest update will remove it, for example D32 or AVG Anti-virus. You can also follow the manual procedure below.

Manual removal

Step 1: Stop the worm's running process. Open Windows Task Manager: on Windows 95, 98 and ME press CTRL+ALT+DELETE; on Windows NT, 2000, 2003 and XP press CTRL+SHIFT+ESC. In the list of running programs find sertkfg.exe, select it and click End Task (End Process on the Processes tab).

Step 2: Remove the worm's start-up entries from the registry. Open the Registry Editor: click Start > Run, type Regedit and press Enter.

In the left pane, find the key:
HKEY_CURRENT_USER > Software > Microsoft > OLE
In the right pane, find and delete the value:
System CSRSS Patch = "sertkfg.exe"

In the left pane, find the key:
HKEY_CURRENT_USER > Software > Microsoft > Windows > CurrentVersion > Run
In the right pane, find and delete the value:
System CSRSS Patch = "sertkfg.exe"

In the left pane, find the key:
HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > RunServices
In the right pane, find and delete the value:
System CSRSS Patch = "sertkfg.exe"

Step 3: Restore the registry value the worm changed. Still in the Registry Editor, in the left pane find the key:
HKEY_LOCAL_MACHINE > Software > Microsoft > Ole
In the right pane, right-click EnableDCOM and choose Modify. In the Value Data box type Y and click OK. Close the Registry Editor.

Step 4: Finally, turn off System Restore in Windows XP/ME and clean the junk out of the machine as described above.

A Virus That Garbles Vietnamese Fonts on Web Pages

Symptoms: at some point when you visit a web site, and from then on every site that uses Vietnamese text with diacritics, the page loads very slowly. About 15 seconds after the page has fully appeared, every accented Vietnamese character on it turns into a question mark (?). The cause is that the machine is infected with the trojan Trojan.Win32.Spooner.

Trojan.Win32.Spooner

This trojan appeared on the Internet some time ago, but only recently has it begun causing font errors in web browsers in Vietnam. It is usually embedded in web pages or attached to e-mail messages.
So visiting those pages, or opening attachments of unknown origin, infects the machine immediately.

Description

Trojan.Win32.Spooner's executable is sp.exe; Trojan.Win32.Spooner.c's executable has a long hexadecimal name (54bf1d3d06b4249…aab03d024.exe). Both are 89,088 bytes, both sit in the root of drive C: (C:\sp.exe), and neither shows a file icon the way normal files do. They start automatically with Windows each time the computer boots. Oddly, well-known antivirus programs such as Norton Antivirus and McAfee did not detect them.

Manual removal

Step 1: On Windows NT/2000/XP open Task Manager, find sp.exe, select it and click End Process. On Windows 98/ME press Ctrl+Alt+Del, click sp.exe and click End Task.

Step 2: Open Windows Explorer (Windows key + E), find sp.exe or the hexadecimal-named .exe on drive C: and delete it. Press Shift + Delete so that it is removed for good instead of being moved to the Recycle Bin.

Step 3: Click Start > Run, type msconfig and press Enter. Click the Startup tab, clear the sp.exe check box, click OK, then Yes to restart the computer.

Note: Windows 2000 has no msconfig. You can download it from Echip (http://www.echip.com.vn/…), or instead type regedit in the Run box and, in the Registry Editor, find the keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, find and delete the value named sp.

Removing the "Shutdown Virus" Msblast

Recently, computer users connecting to the Internet in Vietnam and around the world have suffered from a virus that Saigon users simply call "the shutdown virus". Once a machine is infected, Windows is taken over by the virus and keeps displaying a message that the system is about to shut down. And it really does, whether the user wants it or not. Stand-alone PCs get off lightly; networks are almost paralysed, and Internet access slows to a crawl.

The virus is Msblast (also known as W32/Lovsan.worm, W32.Blaster.Worm, Win32.Poza and WORM_MSBLAST.A; its file is msblast.exe). It copies itself with tftp and spreads through the Distributed Component Object Model Remote Procedure Call (DCOM RPC) vulnerability in Windows 2000 and XP. Msblast spread rapidly worldwide and in Vietnam, infecting many large networks (aviation, postal services, ...).

Removal
* Run Regedit, open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the value "windows auto update" = "msblast.exe", then restart the computer.
* Delete msblast.exe from the SYSTEM32 folder.
* Next, "close" the hole in Windows: download and install the DCOM RPC patch for Windows 2000 or Windows XP (Microsoft security bulletin MS03-026) from http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
* Download the latest update for the antivirus program you use (McAfee, NAV, D32, ...), install it and scan the whole machine.

Guarding Against the Sasser Virus

The worm W32.Sasser.Worm began spreading on the Internet on Saturday 1 May 2004. It infects any computer connected to the Internet automatically, without e-mail as an "intermediary". It exploits the Local Security Authority Subsystem Service (LSASS) vulnerability, which Microsoft had announced and patched on 13 April 2004, to attack machines running Windows 2000/XP/Server 2003 (machines protected by a firewall can block it). An infected machine shows the System Shutdown dialog and restarts by itself, just as with Msblast:

"This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM. Time before shutdown: 00:00:55. Message: The system process 'C:\WINDOWS\system32\lsass.exe' terminated unexpectedly with status code -1073741819. The system will now shut down and restart."

and

"LSA Shell (Export Version) has encountered a problem and needs to close. We are sorry for the inconvenience. If you were in the middle of something, the information you were working on might be lost. Please tell Microsoft about this problem. We have created an error report that you can send to help us improve LSA Shell (Export Version). We will treat this report as confidential and anonymous."

Removing Sasser

Download the Sasser removal tool from the vendor of the antivirus program you use, for example McAfee, or Symantec (…/avcenter/venc/data/w32.sasser.worm.html).

To remove it by hand:
* Click Start > Run, type cmd, and at the prompt type shutdown -a to cancel the pending shutdown before it reboots the machine under you.
* Open Task Manager (Ctrl+Alt+Delete), click the Processes tab, select the running program avserve2.exe and every process whose name ends in _up.exe, click End Process, then close Task Manager.
* Click Start > Run, type regedit and click OK. In the left pane find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and in the right pane delete the value "avserve2.exe"="%Windir%\avserve2.exe". Close the Registry Editor.
* Install the Windows patch for your version (Microsoft security bulletin MS04-011, http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx) before reconnecting to the network, otherwise the machine is re-infected within minutes.
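The Spooner, Msblast and Sasser procedures above all start the same way: end the malware's process, then remove its Run value and its file. The script below is an added example (not from the book) that automates that triage from a `tasklist /FO CSV` capture. It uses only the process names, Run values and file paths given on this page; the sample tasklist output is constructed, and the generated commands are meant to be reviewed and then pasted into a cmd prompt on the infected machine.

```python
import csv
import fnmatch
import io

# Process names the page tells the reader to end before cleaning up
# (fnmatch globs, compared case-insensitively).
MALWARE_PROCESSES = {
    "Trojan.Win32.Spooner": ["sp.exe"],
    "Msblast": ["msblast.exe"],
    "Sasser": ["avserve2.exe", "*_up.exe"],
}

# Persistence value each family writes under the HKLM Run key, and the file it
# drops, both as given on the page.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
PERSISTENCE = {
    "Trojan.Win32.Spooner": ("sp", r"C:\sp.exe"),
    "Msblast": ("windows auto update", r"%SystemRoot%\system32\msblast.exe"),
    "Sasser": ("avserve2.exe", r"%Windir%\avserve2.exe"),
}
# Families whose RPC/LSASS crash starts the one-minute shutdown countdown.
SHUTDOWN_FAMILIES = {"Msblast", "Sasser"}

# Constructed sample of `tasklist /FO CSV` output; not a real capture.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"explorer.exe","1248","Console","0","12,340 K"
"avserve2.exe","1664","Console","0","3,112 K"
"19872_up.exe","1700","Console","0","1,020 K"
"SP.EXE","1740","Console","0","2,040 K"
"notepad.exe","1820","Console","0","2,900 K"
"""


def parse_tasklist(text):
    """Parse tasklist /FO CSV output into a list of (image_name, pid)."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["Image Name"], int(row["PID"])) for row in reader]


def classify(processes):
    """Return [(family, image_name, pid)] for every process matching a pattern."""
    hits = []
    for name, pid in processes:
        lowered = name.lower()
        for family, patterns in MALWARE_PROCESSES.items():
            if any(fnmatch.fnmatchcase(lowered, pat) for pat in patterns):
                hits.append((family, name, pid))
                break
    return hits


def build_cleanup_plan(tasklist_text):
    """Turn a tasklist capture into the ordered list of commands to run.

    Order matters: abort the pending shutdown first (or the machine reboots
    mid-cleanup), then kill the processes, then remove the autorun value and
    the file (Windows will not delete an executable that is still running).
    """
    hits = classify(parse_tasklist(tasklist_text))
    families = sorted({family for family, _, _ in hits})
    plan = []
    if any(family in SHUTDOWN_FAMILIES for family in families):
        plan.append("shutdown -a")
    for _, _, pid in hits:
        plan.append(f"taskkill /F /PID {pid}")
    for family in families:
        value, path = PERSISTENCE[family]
        plan.append(f'reg delete "{RUN_KEY}" /v "{value}" /f')
        plan.append(f'del /F "{path}"')
    return hits, plan


if __name__ == "__main__":
    found, commands = build_cleanup_plan(SAMPLE_TASKLIST)
    for family, name, pid in found:
        print(f"{family}: {name} (PID {pid})")
    print("\n".join(commands))
```

The `*_up.exe` glob implements the page's "every process whose name ends in _up.exe" rule for Sasser's helpers; `taskkill`, `reg` and `shutdown -a` are the stock Windows XP/2003 command-line tools, so the plan needs nothing installed on the victim.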
Removing a Virus That Locks the Home Page

Symptoms: your browser's home page is changed to an address you never asked for, and you can no longer change it back. The cause is a virus, malware or adware, often bundled with a browser toolbar.

Removal

* Turn off System Restore in Windows XP/ME. As explained in the Rontokbro section, antivirus programs cannot scan the System Volume Information folder, so an infected restore point puts the virus back. Press Windows key + Pause, click the System Restore tab, tick "Turn off System Restore on all drives", click Apply, then Yes.
* Run any antivirus program with the latest update, for example D32 or AVG Anti-virus.
* Restart the computer into Safe Mode (press F8 while Windows is starting), then run the virus scanner and delete the infected files. Choose to scan all files, not only .exe files.
* Clean the junk out of the machine: press Windows key + E, right-click drive C: and choose Properties; on the General tab click Disk Cleanup; on the More Options tab click Clean Up under System Restore and answer Yes; click OK in the Disk Cleanup dialog, then Yes. This deletes the junk files together with System Restore's restore points.

Manual removal

A little more "work", but it removes the pest when your antivirus does not recognise it. First turn off System Restore and clean the junk out of the machine as above. Then open the Registry Editor: click Start > Run, type Regedit and press Enter.

In the left pane, find the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
In the right pane, double-click the value AppInit_DLLs. The Edit String dialog opens. Write down the file name in the Value data box (in this example it is hipl.dll; on your machine the name may differ), then clear the Value data box and click OK. Every DLL listed in AppInit_DLLs is loaded into every process that uses user32.dll, which is why the value has to be cleared, and the machine restarted, before the file can be deleted.

Leave the Registry Editor and open Windows Explorer (Windows key + E). Find and delete hipl.dll in the Windows folder. If you cannot see it (it is a hidden file), click Tools > Folder Options..., choose the View tab, select "Show hidden files and folders", click Apply, then OK.

* Download HijackThis.exe from http://www.spywareinfo.com/…/HijackThis.exe
* In the folder containing the downloaded file, double-click it to start HijackThis. Click "Do a system scan only". The program examines the programs that run at start-up and the registry keys in use, then opens a window listing what it found, with lines such as:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/…
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = …
R0 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
* Click Start > Run, type Regedit and press Enter. In the Registry Editor delete the following keys:
HKEY_CLASSES_ROOT\CLSID\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A}
HKEY_LOCAL_MACHINE\Software\Classes\svchost Update
The CLSID key and the Browser Helper Objects key carry the same GUID: the first registers the hijacker's DLL as a COM object, the second tells Internet Explorer to load it at start-up, so both must go.
Removing a Virus That Changes the Desktop

Description: Trojan.Desktophijack.C is a trojan that changes the desktop of the infected computer. When active it does the following:

* Creates the files:
%System%\intell32.exe
%System%\oleext.dll
%System%\oleext32.dll
%System%\wppp.html
%Windir%\uninstIU.exe
Note: %System% is the system folder, which depends on the Windows version (the folders are listed in the article "Removing the Password-Stealing Virus"); %Windir% is the Windows installation folder, for example C:\Windows or C:\WinNT.
* Adds values and keys to the registry.
* Sets a warning picture as the desktop background. [Image: the picture the trojan displays on the desktop, urging the user to run a "removal" tool.]
* Shows an icon in the system tray. Hovering over it displays "Your computer is infected"; double-clicking it opens a web page at http://www.psguard.com/… that invites you to download and install PSGuard to remove "spyware". Of course there is nothing there but the virus itself.

Removal

* Turn off System Restore in Windows XP/ME as described in the section on the home page virus.
* Run any antivirus program with the latest update, for example D32 or AVG Anti-virus.
* Restart the computer into Safe Mode (press F8 while Windows is starting), then run the virus scanner and delete the infected files. Choose to scan all files, not only .exe files.
* Clean the junk out of the machine as described in the section on the home page virus.
* Open the Registry Editor: click Start > Run, type Regedit and press Enter. Find the key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, find and delete the value:
"intell32.exe" = "%System%\intell32.exe"
Note: %System% is the system folder, which depends on the Windows version, as listed in the article "Removing the Password-Stealing Virus".
* Find and delete the keys:
HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-4…-…-DEB7EB4982A3}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update
* Find the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right pane, find and delete the value "NoActiveDesktopChanges".
* Find the key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane, find and delete the values "NoDispBackgroundPage" and "NoDispAppearancePage". These two policies are what stop you from opening the Background and Appearance pages of Display Properties to put your own wallpaper back.
* Find the key:
HKEY_CURRENT_USER\Control Panel\Desktop
In the right pane, find and delete the values "WallpaperStyle" and "Wallpaper" = "%SystemRoot%\System32\wppp.html" (wppp.html is the background shown on an infected machine, as illustrated above).

Removing a Virus That Changes the Home Page

Description: Trojan.StartPage is a trojan that changes the home page of the infected computer. It does the following:

* Creates the file se.dll in C:\Windows\Temp or C:\WinNT\Temp (depending on the Windows version you use).
* Registers itself as an Internet Explorer Browser Helper Object by adding keys to the registry.
* Displays a web page that loads se.dll each time the user opens Internet Explorer.

Removal

* Turn off System Restore in Windows XP/ME as described in the section on the home page virus.
* Run any antivirus program with the latest update, for example D32 or AVG Anti-virus.
* Restart the computer into Safe Mode (press F8 while Windows is starting), then run the virus scanner and delete the infected files. Choose to scan all files, not only .exe files.
* Clean the junk out of the machine as described in the section on the home page virus.
* Open the Registry Editor: click Start > Run, type Regedit and press Enter. Find and delete the keys:
HKEY_CLASSES_ROOT\CLSID\{2862736E-7827-419…-A4E8-F13FB2E8C945}
HKEY_CLASSES_ROOT\CLSID\{5607D0D5-3205-45…-A125-63666696DDA0}
* Find and delete the keys:
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html
HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain
These register se.dll as a MIME filter, which is how it gets to rewrite every HTML and plain-text page Internet Explorer loads.
* Find the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, find and delete the value:
"sp" = "rundll32 %Temp%\se.dll,DllInstall"
* Find the keys:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
In the right pane of each, find and delete the value:
"Search Bar" = "…sp.html"
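Every registry procedure in this chapter (Worm_Rontokbro.B, Worm_Rbot.Azm, Trojan.Desktophijack.C and Trojan.StartPage) boils down to "open Regedit, find this key, delete or reset this value". On a machine whose Registry Editor is locked, or when cleaning several PCs, it is easier to audit an exported .reg file offline and generate a second .reg file that undoes the damage. The script below is an added example (not from the book) that does exactly that, using only the keys, value names and replacement values listed in those four sections. It relies on two documented .reg conventions: `"Name"=-` deletes a value on import, and `"Name"=dword:00000000` sets a DWORD. The sample export is constructed, as is the legitimate `SynTPEnh` value that must survive.

```python
import re

# Registry indicators taken from the page's removal steps:
# (family, key, value name, action); action is "delete", ("dword", n) or
# ("string", s).
HKLM, HKCU = "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"
RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POL = r"Software\Microsoft\Windows\CurrentVersion\Policies"


def k(*parts):
    """Join registry path components with backslashes."""
    return "\\".join(parts)


IOCS = [
    ("Worm_Rontokbro.B", k(HKLM, RUN), "Bron-Spizaetus", "delete"),
    ("Worm_Rontokbro.B", k(HKCU, RUN), "Tok-Cirrhatus", "delete"),
    ("Worm_Rontokbro.B", k(HKCU, POL, "System"), "DisableRegistryTools", ("dword", 0)),
    ("Worm_Rbot.Azm", k(HKCU, r"Software\Microsoft\OLE"), "System CSRSS Patch", "delete"),
    ("Worm_Rbot.Azm", k(HKCU, RUN), "System CSRSS Patch", "delete"),
    ("Worm_Rbot.Azm", k(HKLM, RUN + "Services"), "System CSRSS Patch", "delete"),
    ("Worm_Rbot.Azm", k(HKLM, r"SOFTWARE\Microsoft\Ole"), "EnableDCOM", ("string", "Y")),
    ("Trojan.Desktophijack.C", k(HKLM, RUN), "intell32.exe", "delete"),
    ("Trojan.Desktophijack.C", k(HKCU, POL, "Explorer"), "NoActiveDesktopChanges", "delete"),
    ("Trojan.Desktophijack.C", k(HKCU, POL, "System"), "NoDispBackgroundPage", "delete"),
    ("Trojan.Desktophijack.C", k(HKCU, POL, "System"), "NoDispAppearancePage", "delete"),
    ("Trojan.Desktophijack.C", k(HKCU, r"Control Panel\Desktop"), "Wallpaper", "delete"),
    ("Trojan.Desktophijack.C", k(HKCU, r"Control Panel\Desktop"), "WallpaperStyle", "delete"),
    ("Trojan.StartPage", k(HKLM, RUN), "sp", "delete"),
    ("Trojan.StartPage", k(HKCU, r"Software\Microsoft\Internet Explorer\Main"), "Search Bar", "delete"),
    ("Trojan.StartPage", k(HKLM, r"Software\Microsoft\Internet Explorer\Main"), "Search Bar", "delete"),
]

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Constructed .reg export (what `reg export` would produce on an infected PC).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"Bron-Spizaetus"="C:\\WINDOWS\\INF\\norBtok.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\System32\\wppp.html"
"WallpaperStyle"="0"
"""


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: raw_data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) if m.group(1) is not None else "@"] = m.group(2)
    return keys


def audit(text):
    """Return [(family, key, value, data, action)] for every IOC present in the export."""
    keys = parse_reg(text)
    by_lower = {key.lower(): key for key in keys}   # registry paths are case-insensitive
    findings = []
    for family, key, value, action in IOCS:
        actual = by_lower.get(key.lower())
        if actual is None:
            continue
        for present, data in keys[actual].items():
            if present.lower() == value.lower():
                findings.append((family, actual, present, data, action))
    return findings


def remediation_reg(findings):
    """Build a .reg file that undoes the findings; "name"=- deletes a value on import."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for _, key, value, _, action in findings:
        by_key.setdefault(key, []).append((value, action))
    for key, items in by_key.items():
        lines.append(f"[{key}]")
        for value, action in items:
            if action == "delete":
                lines.append(f'"{value}"=-')
            elif action[0] == "dword":
                lines.append(f'"{value}"=dword:{action[1]:08x}')
            else:
                lines.append(f'"{value}"="{action[1]}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = audit(SAMPLE_REG)
    for family, key, value, data, _ in hits:
        print(f"{family}: [{key}] {value} = {data}")
    print(remediation_reg(hits))
```

A real export from `reg export HKLM hklm.reg` is UTF-16, so read it with `open(path, encoding="utf-16")` before passing it to `audit`. The generated file only touches values that were actually found, so importing it on a clean machine is a no-op, and it leaves unrelated entries such as the `SynTPEnh` autorun alone; the worm's process still has to be stopped first, or it simply writes its values back.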