Google Search Box

Senin, 08 September 2008

Virus W32 Amburadul

Kayanya udah banyak yg kena sama virus ini,saya mendapat langkah-langkah untuk menghapus virus ini secara manual. CARA INI SAYA DAPATKAN DARI FORUM VAKSIN.COM yang ditulis oleh Pak Adang Juhar Taufik,saya hanya membantu share saja

- Disconnect komputer yang akan dibersihkan dari jaringan
- Disable “system restore” selama proses pembersihan (Windows ME/XP)
- Matikan proses virus yang aktif di memory resdent. Untuk mematikan proses tersebut gunakan tools “currprocess”. Kemudian matikan proses virus yang mempunyai icon JPG.
- Repair registry yang sudah di ubah oleh . Untuk mempercepat proses perbaikan silahkan salin script dibawah ini pada program notepad kemudian simpan dengan nama repair.inf.

- Jalankan file tersebut dengan cara:
- Klik kanan repair.inf
- Klik Install

[Version]
Signature=”$Chicago$”
Provider=Vaksincom

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\comm... %*”
HKLM, Software\CLASSES\comfile\shell\open\comm... %*”
HKLM, Software\CLASSES\exefile\shell\open\comm... %*”
HKLM, Software\CLASSES\piffile\shell\open\comm... %*”
HKLM, Software\CLASSES\regfile\shell\open\comm... “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\comm... %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... UncheckedValue,0×00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio...
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio...
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... UncheckedValue,0×00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... CheckedValue,0×00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... DefaultValue,0×00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, “about:blank”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... type,0, “checkbox”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... type,0, “checkbox”
HKCU, Control Panel\International, s1159,0, “AM”
HKCU, Control Panel\International, s2359,0, “PM”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoo... AlternateShell,0, “cmd.exe”
HKCU, Software\Microsoft\Windows\CurrentVersio... ShowSuperHidden,0×00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersio... SuperHidden,0×00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersio... HideFileExt,0×00010001,0

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title,
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\http://www.vaksin.com/hall_of_fame.htm-C...
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\http://www.vaksin.com/hall_of_fame.htm-R...
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\http://www.vaksin.com/hall_of_fame.htm
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\http://www.vaksin.com/hall_of_fame.htm
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersio... DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersio... NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Inst... DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Inst... LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersio... EnableLUA

- Hapus file induk virus . Sebelum menghapus file tersebut sebaiknya tampilkan file yang tersembunyi caranya :
- Buka Windows Explorer
- Klik menu “Tools”
- Klik “Folder Options”
- Klik Tabulasi View
- Pada kolom “Advanced settings”
- Pilih opsi “Show hidden files and folders”
- Unchek “Hide extensions for known file types”
- Uncheck “Hide protected operating system files (Recommended)

Kemudian hapus file berikut:

• C:\Windows\system32\~A~m~B~u~R~a~D~u~L~
• csrcc.exe
• smss.exe
• lsass.exe
• services.exe
• winlogon.exe
• Paraysutki_VM_Community.sys
• msvbvm60.dll
• C:\Autorun.inf
• C:\FoToKu xx-x-xxx.exe, dimana x menunjukan tanggal virus tesebut di aktifkan (contohnya: FoToKu 14-3-2008.exe)
• C:\Friendster Community.exe
• C:\J3MbataN K4HaYan.exe
• C:\MyImages.exe
• C:\PaLMa.exe
• C:\Images

- Hapus juga file induk virus di flash disk /disket

- C:\Autorun.inf
- C:\FoToKu xx-x-xxx.exe, dimana x menunjukan tanggal virus
tesebut di aktifkan (contohnya: FoToKu 14-3-2008.exe)
- C:\Friendster Community.exe
- C:\J3MbataN K4HaYan.exe
- C:\MyImages.exe
- C:\PaLMa.exe
- C:\Images

- Tampilkan file gambar yang telah disembbunyikan di Flash Disk dengan cara:
- Klik “Start” menu
- Klik “Run”
- Ketik “CMD”
- Pada Dos Prompt, pindahkan posisi kursor ke lokasi Flash Disk
kemudian ketik perintah berikut ATTRIB –s –h /s /d

- Untuk pembersihan optimal dan mencegah infeksi ulang scan dengan
antivirus yang up-to-date dan sudah dapat mengenali virus ini dengan
baik.

Tidak ada komentar: