Tips and Triks 3

2008 November 21
by anaksep03

Menghilangkan Virus Amburadul

Beberapa teman mengeluh karna kena virus yg satu ini, mungkin si pembuat virus punya niat baik juga yakni pengen mempromosikan objek wisata yang ada di daerahnya Jembatan Kahayan, Palma yg ada di Palangkaraya. Tapi sejatinya tetap aja merugikan orang laen, khususnya temen-temen gw yg notabene compey users!!! Biasanya virus ini menyebar melalui media flashdisk dan disket (disket??? Harreeee geneee!!!! Masih ada yg pake ga yah?? hehehhe..) dan dicirikan dengan kehadiran beberapa file “tak diundang” berikut:

  • F:\Autorun.inf

  • F:\FoToKu xx-x-xxx.exe, dimana x menunjukan tanggal virus tesebut di aktifkan (contohnya: FoToKu 14-3-2008.exe)

  • :\Friendster Community.exe

  • F:\J3MbataN K4HaYan.exe

  • F:\MyImages.exe (hidden file)

  • F:\PaLMa.exe

  • F:\Images

  • F:\Images\_PAlbTN  

 

Cuma ada yg menarik juga nih, kemampuan bahasa Inggris si pembuat virus sama “amburadul” nya ama gw, hihihihi…gak percaya, liat aja penyamarannya di Hokage:

 

Hey, Hokage, This is my place, Wanna Start a War ??

(Hey Hokage, ini rumah gua, mau menggali kapak peperangan ?)

Tetapi mungkin karena terlalu banyak belajar coding sehingga jarang belajar Inggris dengan baik menjadi :

Hey, Hokage, Is this My places, Wanna start a war**

(Hey Hokage, Apakah ini rumah saya ? Mau menggali kapak peperangan ?)

(Semoga saja “dia” tidak membuat varian terbaru khusus untuk memperbaiki grammar yg salah!! hihihihi…)

Ciri berikutnya ditandai dengan:

amburadul_html_6f93c07e

 

Yups!! Apalagi klo bukan Autorun.inf, yg berfungsi agar virus selalu aktif jika komputer dinyalakan…

 

Cara membersihkan:

  1. Putuskan hubungan komputer yang akan dibersihkan dari jaringan
  2. Matikan proses virus yang aktif di memory resident. Untuk mematikan proses tersebut gunakan tools “currprocess” (http://www.nirsoft.net/utils/cprocess.zip). Ato bisa juga pake antivirus yg sanggup ngebasmi virus ini (gw sih biasa menggunakan Avira).  Kemudian matikan proses virus yang mempunyai icon JPG dengan ekstensi EXE.
  3. Repair registry yang sudah di ubah oleh W32/Agent.EQXM (dan varian). Untuk mempercepat proses perbaikan silahkan salin script dibawah ini pada program notepad kemudian simpan dengan nama repair.inf.
         Jalankan file tersebut dengan cara:

 

 

  • Klik kanan repair.inf

  • Klik Install

[Version]

Signature=”$Chicago$”

Provider=Vaksincom

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

 

[UnhookRegKey]

HKLM, Software\CLASSES\batfile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\comfile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\exefile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\piffile\shell\open\command,,,”"”%1″” %*”

HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”

HKLM, Software\CLASSES\scrfile\shell\open\command,,,”"”%1″” %*”

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0×00010001,0

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0×00010001,1

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0×00010001,1

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0×00010001,1

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0×00010001,0

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0×00010001,0

HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, “about:blank”

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, “checkbox”

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, “checkbox”

HKCU, Control Panel\International, s1159,0, “AM”

HKCU, Control Panel\International, s2359,0, “PM”

HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”

HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, “cmd.exe”

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0×00010001,1

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0×00010001,1

HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0×00010001,0

 

[del]

HKCU, Software\Microsoft\Internet Explorer\Main, Window Title

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe,debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe,debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind

HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI

HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing

HKCR, exefile, NeverShowExt

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA

HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

  1. Disable “System Restore” selama proses pembersihan

  2. Hapus file induk virus W32/Agent. EQXM (dan varian). Sebelum menghapus file tersebut sebaiknya tampilkan file yang tersembunyi caranya :

    1. Buka Windows Explorer

    2. Klik menu “Tools”

    3. Klik “Folder Options”

    4. Klik Tabulasi View

    5. Pada kolom “Advanced settings”

      • Pilih opsi “Show hidden files and folders”

      • Unchek “Hide extensions for known file types”

      • Uncheck “Hide protected operating system files

Kemudian hapus file berikut (di semua Drive termasuk Flash Disk kecuali untuk file yang ada di direktori C:\Windows\system32\~A~m~B~u~R~a~D~u~L~)

  • C:\Windows\system32\~A~m~B~u~R~a~D~u~L~

    1.  
      •  

        • csrcc.exe

        • smss.exe

        • lsass.exe

        • services.exe

        • winlogon.exe

        • Paraysutki_VM_Community.sys

        • msvbvm60.dll

  • C:\Autorun.inf

  • C:\FoToKu xx-x-xxx.exe, dimana x menunjukan tanggal virus tesebut di aktifkan (contohnya: FoToKu 14-3-2008.exe)

  • C:\Friendster Community.exe

  • C:\J3MbataN K4HaYan.exe

  • C:\MyImages.exe

  • C:\PaLMa.exe

  • C:\Images

  1. Tampilkan file gambar yang telah disembbunyikan di Flash Disk dengan cara:

  1.  

    • Klik “Start” menu

    • Klik “Run”

    • Ketik “CMD”

    • Pada Dos Prompt, pindahkan posisi kursor ke lokasi Flash Disk kemudian ketik perintah ATTRIB –s –h /s /d

  1. Untuk pembersihan optimal dan mencegah infeksi ulang scan dengan antivirus yang up-to-date dan sudah dapat mengenali virus ini dengan baik.

Good luck!

NB: Thanks to all reader, semoga bermanfaat! Makasih juga buat temen-temen gw di forum, nice info guys! Mesti di ingat nih slogan para pembuat virus, “Virus selangkah lebih maju dari antivirus!!!”

from → All About IT, Banner

No comments yet

Leave a Reply

Note: You can use basic XHTML in your comments. Your email address will never be published.

Subscribe to this comment feed via RSS