Kamis, 11 Juni 2009

Ciri-ciri virus Mahadewa dan Cara Membersikan

VBS.Autorun.AM (MaHaDeWa yang berani tampil beda)

Ciri-Ciri MaHaDeWa

1. Merubah Judul internet Explorer menjadi MaHaDeWa Labkom UBL
2. Merubah start page Internet Explorer menjadi http://webkom
a. Merubah nama komputer dan nama pemilik Windows
b. RegisteredOrganization = Your pc has been clean from Nita Virus by MaHaDeWa
c. RegisteredOwner = MaHaDeWa

cara membersihkan VBS/Autorun.MA

1. Matikan proses virus dengan nama WSCript.exe. untuk mematikan proses virus ini anda dapat menggunakan “task manager” atau tools pengganti task manager lainnya seperti Procee Explorer. Silahkan download tools tersebut di alamat berikut (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
2. Untuk mengantsipasi agar proses virus tidak aktif kembali saat dijalankan, blok file MaHaDeWa.dll.vbs dengan menggunakan “Software Restriction Policies” [Jika menggunakan Windows XP Prof. Dan Windows 2003], caranya :
- Klik tombol “Start”
- Klik “Run”
- Ketik “secpol.msc” [tanpa tanda kutip)
- Kemudian pada layar “Local Security Settings”, klik kanan pada folder “Software Restriction Policies” kemudian klik “Crate new policies”
- Kemudian klik kanan pada folder “Additional Rules”
- Klik “New Hash Rule”
- Pada kolom “File hash”, klik tombol “Browse” dan arahkan ke file MaHaDeWa.dll.vbs
- Klik tombol “open”

Catatan:
Sebelum blok file tersebut sebaiknya tampilkan file yang tersembunyi terlebih dahulu dengan merubah setting pada Folder Options (show hiden file)

3. Repair registry yang sudah dibuat oleh MaHaDeWa. Untuk mempermudah proses perbaikan tersebut, salin script dibawah ini pada program notepad kemudian simpan dengan nama repair.inf. Jalankan file tersebut dengan cara:

- Klik kanan repair.inf
- Klik Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "About:blank"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, NoChangingWallpaper
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoLogOff

4. Hapus file induk virus di direktori berikut:
- C:\MaHaDeWa.dll.vbs (semua drive)
- C:\autorun.inf (semua drive)
- C:\Windows\system32\WinXP.dll.vbs

sumber : Vaksin
Diposting oleh Unknown di 01.27
Label: ,

Tidak ada komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)

Bookmarks

Blogs and More - Plugboard My Zimbio

Add to Google Reader or Homepage

Add to Pageflakes

Add to Google Reader or Homepage

Subscribe in Bloglines

Add to Plusmo

Add to Technorati Favorites blogarama - the blog directory Display Pagerank DigNow.org Computer Blogs - BlogCatalog Blog Directory free counters Buy Reviews