Friday, 26 December 2008

Eradicating the Blue Fantasy virus (the Surabaya virus)

At every startup it displays a message:
[screenshot of the startup message]


It also writes an autorun.inf file containing code that runs the virus whenever the user opens a drive (C:\, D:\ and any other drive). Worse, it hides every folder on those drives, in particular the folders under C:\, C:\Windows\, D:\ and the other drives. Besides hiding them, it drops a copy of itself in the same location as each hidden folder, named after that folder, so the user who opens the drive sees the copy instead of the folder and runs it.
[screenshot of a drive showing the copies where the folders were]
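As an added example (not from the original post and not part of OgAV), the following PowerShell script finds and undoes the folder-hiding trick described above. It assumes, because the post does not say, that each decoy copy sits in the same parent directory as the folder it shadows, has the same base name, and carries an executable extension (.exe, .scr, .com or .pif). It only touches Hidden+System folders that have such a decoy beside them, so legitimate hidden system folders are left alone. Run it elevated; with -WhatIf it reports without changing anything.

```powershell
# Added example, not from the original post. Assumed (the post does not say):
# the decoy copy has the same base name as the folder it shadows, sits in the
# same parent directory, and has one of the extensions in $decoyExt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Locations the post names as affected: every drive root plus the Windows folder.
    [string[]] $Paths = @((Get-PSDrive -PSProvider FileSystem).Root + $env:SystemRoot),
    [string]   $Quarantine = 'C:\Quarantine',
    [switch]   $Recurse
)

$decoyExt  = '.exe', '.scr', '.com', '.pif'
$hiddenSys = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null

foreach ($root in $Paths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }

    # autorun.inf in a drive root is what launches the virus when the drive is opened.
    $autorun = Join-Path $root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun -PathType Leaf) {
        Write-Host "autorun.inf in $root :"
        Get-Content -LiteralPath $autorun -Force | ForEach-Object { Write-Host "    $_" }
        if ($PSCmdlet.ShouldProcess($autorun, 'Quarantine autorun.inf')) {
            $tag = ($root -replace '[:\\]', '') + '.autorun.inf'
            Move-Item -LiteralPath $autorun -Destination (Join-Path $Quarantine $tag) -Force
        }
    }

    # Hidden+System folders that have a same-named executable next to them.
    Get-ChildItem -LiteralPath $root -Directory -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
      Where-Object { ($_.Attributes -band $hiddenSys) -eq $hiddenSys } |
      ForEach-Object {
        $dir = $_
        foreach ($ext in $decoyExt) {
            $decoy = Join-Path $dir.Parent.FullName ($dir.Name + $ext)
            if (-not (Test-Path -LiteralPath $decoy -PathType Leaf)) { continue }
            Write-Host "decoy $decoy shadows hidden folder $($dir.FullName)"
            if ($PSCmdlet.ShouldProcess($decoy, 'Quarantine decoy')) {
                Move-Item -LiteralPath $decoy -Destination $Quarantine -Force
            }
            if ($PSCmdlet.ShouldProcess($dir.FullName, 'Clear Hidden and System attributes')) {
                $dir.Attributes = $dir.Attributes -band (-bnot $hiddenSys)
            }
        }
      }
}
```

On the Windows XP machines this post targets, the usual one-liner for unhiding is `attrib -s -h -r /s /d` run inside the affected folder, but that clears the attributes on everything indiscriminately and does nothing about the copies, which is why the script pairs each folder with its decoy first and quarantines the copy rather than deleting it, so it can still be submitted to the antivirus vendor.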


Cleaning:
Use OgAV 0.1 beta 4

The virus drops its parent file in Start > Programs > Startup under the name shown here:
[screenshot of the Startup folder]

OgAV 1.0 beta 4 already recognizes it reliably:
[screenshot of the OgAV scan result]


Once OgAV has deleted all the virus files, it is time to repair the settings the virus changed. Copy the code below, save it as repair.inf, then right-click it and choose Install. This file returns the settings that viruses typically change to their normal values. Run it from an account with administrator rights, since the HKLM entries need them; the HKCU entries only apply to the account you run it from, so repeat it for every account that was used while the machine was infected.

[Version]
Signature="$Chicago$"
Provider=UchuViruslabs

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Restore the default handlers for executable file types and the shell/logon values.
; A quote inside an INF string is written as two quotes, so """%1"" %*" means "%1" %*.
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Userinit,0, "C:\WINDOWS\system32\userinit.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet003\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile,,,Application
HKCU, Software\Microsoft\Internet Explorer\Main,Start Page,0, "about:blank"
HKCU, Software\Microsoft\Internet Explorer\Main,Window Title,0,"Windows Explorer"
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache,"@C:\WINDOWS\system32\SHELL32.dll,-9216",0,"My Computer"
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache,"@C:\WINDOWS\system32\SHELL32.dll,-9217",0,"My Network Places"
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache,"@C:\WINDOWS\system32\SHELL32.dll,-9227",0,"My Documents"
HKCU, Software\Microsoft\Windows\ShellNoRoam\MUICache,"@shell32.dll,-21785",0,"Shared Folder"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeCaption,0,""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeText,0,""

; Remove the virus's autostart entries, the policy locks that disable Registry Editor,
; Task Manager, cmd and Folder Options, and the Image File Execution Options keys it
; uses to hijack regedit, msconfig, taskmgr, ntvdm and System Restore.
[del]
HKLM, Software\Microsoft\Windows\CurrentVersion\Run,SRVState_SIMULATOR
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,RPCall_SIMULATOR
HKCU, Software\Microsoft\Command Processor,AutoRun
HKCU, Software\Microsoft\Internet Explorer\Main,Local Page
HKCU, Software\Microsoft\Internet Explorer\Main,Search Page
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Windows,load
HKCU, Software\Microsoft\Windows NT\CurrentVersion\Windows,System
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Shockwave Support
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,System
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeCaption
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,LegalNoticeText
HKLM, Software\Microsoft\Windows\CurrentVersion\Run,RsWin
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispBackgroundPage
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispAppearancePage
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispScrSavPage
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispSettingsPage
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispCpl
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoFolderOptions
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFind
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoRun
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDrives
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoTrayContextMenu
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoViewContextMenu
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDispCpl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDesktop
HKLM, SOFTWARE\Classes\exefile,NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Winup
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, Software\Microsoft\Command Processor,AutoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Game House
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Service
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,System Check
HKCU, Software\Microsoft\Windows\CurrentVersion\Run,Apel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispBackgroundPage
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispAppearancePage
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispScrSavPage
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispSettingsPage
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoDispCpl
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoRun
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDrives
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoTrayContextMenu
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoViewContextMenu
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDispCpl
HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDesktop
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,DisableCurrentUserRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop,NoChangingWallPaper
HKCU, Control Panel\International,s1159
HKCU, Control Panel\International,s2359
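Installing an INF gives no feedback, so as an added example (not part of the original post) here is a read-only PowerShell check to run afterwards. It compares the values repair.inf restores against the Windows XP defaults the INF writes, and lists any Run entries, policy locks or Image File Execution Options hijacks from its [del] section that survived. The value names and keys are the ones in the INF above; the check of Userinit under HKLM Winlogon is added because that is the key Winlogon actually reads the value from.

```powershell
# Added example, not from the original post. Read-only: it reports, never writes.
# Run from an elevated prompt after repair.inf has been installed. Exit code is
# the number of findings, so 0 means everything the INF sets is in place.

$restore = @(
    @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\scrfile\shell\open\command'; Name = '(default)'; Want = '"%1" %*' },
    @{ Key = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Want = 'regedit.exe "%1"' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; Want = 'Explorer.exe' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Want = 'cmd.exe' }
)

# Values the INF's [del] section removes; any still present deserve a look.
$policyNames = 'DisableRegistryTools', 'DisableTaskMgr', 'DisableCMD', 'NoFolderOptions',
               'NoRun', 'NoFind', 'NoDrives', 'NoDesktop', 'NoControlPanel'
$runNames    = 'SRVState_SIMULATOR', 'RPCall_SIMULATOR', 'Shockwave Support', 'System', 'RsWin',
               'Winup', 'Game House', 'Service', 'System Check', 'Apel'
$ifeoNames   = 'Regedit.exe', 'Msconfig.exe', 'taskmgr.exe', 'ntvdm.exe', 'rstrui.exe'

$findings = New-Object System.Collections.Generic.List[string]

foreach ($r in $restore) {
    $have = (Get-ItemProperty -Path $r.Key -ErrorAction SilentlyContinue).($r.Name)
    if ($have -ne $r.Want) { $findings.Add("RESTORE  $($r.Key)\$($r.Name) = '$have' (want '$($r.Want)')") }
}

# Winlogon reads Userinit from HKLM; anything appended after userinit.exe is a second autostart.
$userinit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue).Userinit
if ($userinit -notmatch '^[A-Za-z]:\\.*\\userinit\.exe,?$') { $findings.Add("RESTORE  Winlogon\Userinit = '$userinit'") }

foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'System', 'Explorer') {
        $key   = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\$sub"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($n in $policyNames) {
            if ($props -and $props.PSObject.Properties[$n]) { $findings.Add("LEFTOVER $key\$n = $($props.$n)") }
        }
    }
    $run = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    foreach ($n in $runNames) {
        if ($run -and $run.PSObject.Properties[$n]) { $findings.Add("LEFTOVER $hive Run\$n = $($run.$n)") }
    }
    $cp = Get-ItemProperty -Path "$hive\SOFTWARE\Microsoft\Command Processor" -ErrorAction SilentlyContinue
    if ($cp -and $cp.PSObject.Properties['AutoRun']) { $findings.Add("LEFTOVER $hive Command Processor\AutoRun = $($cp.AutoRun)") }
}

# An IFEO key with a Debugger value redirects the named tool to whatever Debugger points at.
foreach ($n in $ifeoNames) {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$n"
    $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("LEFTOVER IFEO $n Debugger = $dbg") }
}

if ($findings.Count -eq 0) { 'OK: all repair.inf settings are in place' } else { $findings }
exit $findings.Count
```

Any RESTORE line means the INF did not apply (usually because it was installed without administrator rights) or the virus is still running and re-writing the value; any LEFTOVER line means a file from a different variant is still active and OgAV should be run again before rebooting, since the Winlogon Shell and Userinit values are exactly the ones that decide whether the desktop comes back.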
