
Wednesday, 21 November 2012

Comodo Security Solutions


Antivirus, privacy protector, call-blocker and anti-theft in a single app

COMODO Mobile Security provides real-time protection against known and emerging threats on your mobile device while helping to protect your privacy and keep your system optimized.

CMS combines a mobile-optimized antivirus scanning engine with a mobile security manager to safeguard against viruses, unsafe apps and potentially risky settings. You can filter out annoying calls and text messages by configuring white and black contact lists or simply block messages by certain keywords. CMS also gives you “Private Space” – private calls, text messages and contacts that are for your eyes only. Anti-theft protection allows you to remotely locate, lock, take photograph of the possessor or wipe off your personal data and files if the device is mislaid or stolen.

Download on Google Play

Saturday, 23 April 2011

USB Drive Security

Download USB Drive Security

The best protection for offline computers

Other antivirus software must update its virus database regularly, and so cannot effectively protect a computer that is not connected to the Internet. When new viruses, worms and other malicious attacks appear, traditional signatures are not enough. Every minute spent waiting for a signature update creates a window of vulnerability that can have devastating consequences. USB Disk Security uses advanced proactive detection techniques and closes the window of vulnerability that reactive, signature-based products leave open.

The world’s fastest and lightest antivirus software

With USB Disk Security you do not have to sacrifice detection for scanning speed. Compare it with other antivirus software and you will find that USB Disk Security is by far one of the lightest in the industry; for example, the program uses only about 1 to 7 MB of RAM.

Compatible with all antivirus software and all Windows platforms
Incompatibility between antivirus programs is a common problem; USB Disk Security, however, is fully compatible with other security software.

Easy to use

USB Disk Security is designed to work effectively regardless of the user's computer experience. Simply install it and forget it.

Free updates

Other anti-virus products require you to pay for updates every year. A USB Disk Security key is valid for life: all future program updates are free.

Download USB Disk Security Full Version (free software and serial) here

Tuesday, 05 January 2010

Festival Museum Nusantara

At the start of 2010 there is an SEO contest with the keyword Festival Museum Nusantara, which aims to increase love for Indonesian culture, to preserve valuable heritage and to promote the "let's go to the museum" programme. In Indonesia there is the Festival Museum Nusantara at TMII, located in the capital Jakarta; the museums at TMII are very complete, covering everything from Sabang to Merauke. For example, at TMII there are the Festival Museum Nusantara Olah Raga, Festival Museum Nusantara Penerangan, Festival Museum Nusantara Pusaka, Festival Museum Nusantara Keprajuritan, Festival Museum Nusantara Reptil and many more, so let's support the Festival Museum Nusantara.

Sunday, 02 August 2009

How to remove Trojan:Autorun.QBP, the "Love Map" virus

Trojan:Autorun.QBP
The "Love Map" virus

Characteristics of the virus file
The Autorun.QBP virus file has the following characteristics:
• uses a "Love File" icon
• is 793 KB in size
• has the type "Application"
• has the extension exe
Figure: the W32/Autorun.QBP virus file

Symptoms / effects of the virus
If you are infected with Autorun.QBP, the symptoms and effects are as follows:
• In every shared folder, virus files appear with the name "[randomname].exe" together with an empty file named "khq"; the khq file is also placed in the root of every drive.
• The virus is active in memory under the name "csrcs.exe", running as the logged-on user. You can check this on the Processes tab of Task Manager.
• Hidden files cannot be displayed (even if you set "Show hidden files" in Folder Options, the setting keeps reverting to hidden).
Windows Registry
Although it does not take many actions, Autorun.QBP does change the registry.

Spreading media
The Autorun.QBP virus spreads rapidly through the network and through USB flash / removable drives.
On a USB flash / removable drive it creates 2 files with the RHSA attributes (Read-only, Hidden, System and Archive), namely:
• Autorun.inf
• [randomname].exe, the 793 KB virus file

On the network it creates 2 files (in the root of every shared folder, and in every folder / network drive that is shared), namely:
• khq, an empty file that acts as a stop marker for Autorun.QBP
• [randomname].exe, the 793 KB virus file

How to clean manually:
1. Disconnect the computer from the network if possible.

2. Disable / turn off "System Restore" for the duration of the virus cleaning.

3. Use "Task Manager" to stop the active virus process (probably named "csrcs.exe").
To open Task Manager, press CTRL + ALT + DELETE or right-click the Windows taskbar. Then stop the virus by selecting the csrcs.exe process and clicking [End Process].

4. Delete the Autorun.QBP virus files, which are located in C:\WINDOWS\system32 under the names csrcs.exe (793 KB) and Autorun.inf (1 KB).
Use Search or Find to look for identical virus files elsewhere, especially on USB flash / removable disks: the virus files are 793 KB in size, are Application files with the extension exe, and are accompanied by the khq file at the drive root. Do not forget to tick "Show hidden files ..." and untick "Hide protected operating system files ..." in Folder Options.

5. Delete the registry strings created by the virus. To make this easier, use the following registry script.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, SOFTWARE\Classes\batfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\comfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\exefile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\piffile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Classes\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell, 0, "Explorer.exe"
[del]
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Open Notepad, paste the script and save it as "repair.inf" (set Save as type to All Files so that no error occurs).
Run repair.inf by right-clicking it and selecting [Install].

6. For optimal cleaning of Autorun.QBP, use Norman Malware Cleaner, which can detect and eradicate this virus in one pass. If you want to be free of this and other viruses from abroad, use Norman Security Suite (single user) or Norman Endpoint Protection (corporate user), which can prevent your computer from being infected by both foreign and local viruses; customers also get free on-site support from VAKSIN (PT. Vaksincom) technicians.
You can download Norman Malware Cleaner from the following link:
http://normanasa.vo.llnwd.net/o29/public/Norman_Malware_Cleaner.exe
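A read-only sweep for the Autorun.QBP artefacts described above, added here as an example; it is not code from the original post or from Vaksincom. It looks for the empty khq marker and Autorun.inf at drive or share roots (checking for the RHSA attributes), for 793 KB .exe copies below them, and for the csrcs.exe process the post names. The drive roots passed in (C:\ and E:\) are assumptions.

```powershell
# Added example, not code from the original post or from Vaksincom: a read-only sweep
# for the Autorun.QBP artefacts the post describes (the empty khq marker and Autorun.inf
# at drive/share roots, both with the RHSA attributes, and 793 KB .exe copies), so you
# can list what step 4 asks you to search for before deleting anything. Assumes the
# drive roots or share paths are passed in; csrcs.exe is the process name the post gives.

function Find-AutorunQbpArtifacts {
    param([string[]] $Roots = @('C:\'))   # e.g. 'E:\' for a flash disk, '\\server\share'
    $rhsa = [IO.FileAttributes]::ReadOnly -bor [IO.FileAttributes]::Hidden -bor
            [IO.FileAttributes]::System   -bor [IO.FileAttributes]::Archive
    $hits = @()
    foreach ($root in $Roots) {
        # The marker and the autorun launcher sit in the root of each drive or share.
        foreach ($name in 'khq', 'Autorun.inf') {
            $f = Get-Item -LiteralPath (Join-Path $root $name) -Force -ErrorAction SilentlyContinue
            if (-not $f) { continue }
            $why = if ($name -eq 'khq') { 'empty infection marker' } else { 'autorun launcher' }
            $hits += [pscustomobject]@{ Path = $f.FullName; Bytes = $f.Length
                                        RHSA = (($f.Attributes -band $rhsa) -eq $rhsa); Why = $why }
        }
        # The dropped copies: executables of the size the post gives, anywhere below the root.
        $exes = Get-ChildItem -Path $root -Filter *.exe -Recurse -Force -File -ErrorAction SilentlyContinue |
                Where-Object { [math]::Round($_.Length / 1KB) -eq 793 }
        foreach ($x in $exes) {
            $hits += [pscustomobject]@{ Path = $x.FullName; Bytes = $x.Length
                                        RHSA = (($x.Attributes -band $rhsa) -eq $rhsa); Why = '793 KB executable' }
        }
    }
    return $hits
}

# Confirm the running process the post names, then sweep the system drive and a flash disk.
Get-Process -Name csrcs -ErrorAction SilentlyContinue | Select-Object Id, Path
Find-AutorunQbpArtifacts -Roots 'C:\', 'E:\' | Sort-Object Why, Path | Format-Table -AutoSize
```

A 793 KB size match on its own is weak evidence; treat the RHSA attributes and the presence of khq in the same root as the confirming signs before deleting anything.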


Thursday, 30 July 2009

Updating NOD32 offline

For those who use NOD32 Antivirus, here is a tutorial for updating NOD32 offline (for computers that are not connected to the Internet).

Follow the steps below:

1. Download the latest offline update (as of 29 March 2009).

2. Once the download has completed, put it in a folder on the hard disk (on C: or D:, your choice).

3. Then copy the path of the folder you stored it in.

4. Open the NOD32 installed on your computer and open Setup > Advanced Setup.

5. Click the Update option.

6. Then click Update Server and click the Edit button.

7. Paste the path you copied earlier into Update Servers and click the Add button.

8. Then click the OK button.

9. Now run the NOD32 update on the computer.

10. The antivirus is now updated.

Note: The method above is just one way of doing the update; there are other ways, but this is the one we ended up using.

Download NOD32 version 2 Offline Update (4003) [Offline Update 13 April 2009]

Download Update Offline NOD32v 2 (4003)

Latest: the download link for the NOD32 version 2 Offline Update (as of 13 April 2009).

Download here:

Nod32V2FullOffLineUpdate4003.part1.rar

Nod32V2FullOffLineUpdate4003.part2.rar

Nod32V2FullOffLineUpdate4003.part3.rar

Nod32V2FullOffLineUpdate4003.part4.rar

Nod32V2FullOffLineUpdate4003.part5.rar

Nod32V2FullOffLineUpdate4003.part6.rar

Nod32V2FullOffLineUpdate4003.part7.rar

Download steps: ALL of the files above (7 files) MUST be downloaded, then placed together in one folder and extracted on your computer [if not all of them are downloaded, the extraction will not work]. Once all the files have downloaded successfully, you are ready to update NOD32.

Tuesday, 21 July 2009

How to eradicate the "Tak Gendong" virus (VBS/Cryf.A)

Characteristics of the "Tak Gendong" virus (VBS/Cryf.A)

1. When the computer is first switched on, an [Internet Explorer] window appears showing a rather "scary" figure.

2. It changes the [start page] of [Internet Explorer] to open the file [C:\WINDOWS\windows.html], which contains a message from the virus author.

3. There is a folder "Album BOKEP" on every drive and flash disk whose contents look like porn movie files but are actually virus files, ready to "carry off" (gendong) your computer if you run them.

4. It changes the Windows organisation name and owner name to Registered to CRY Shemale.

5. It changes the file type of "Shortcut" [.lnk] to "Movie Clip".

How to clean the "Tak Gendong" virus

1. Kill the virus process that is active in memory. To kill this virus process, use a Task Manager replacement such as [CurrProcess], then kill the processes whose product name is "Microsoft (r) Windows Script Host" as follows:
o Select [highlight] the processes with the product name "Microsoft (r) Windows Script Host"
o Right-click the highlighted processes
o Choose [Kill Selected Processes]

2. Block the virus file so that it cannot be run temporarily, for the duration of the cleaning, using the "Software Restriction Policies" feature; this feature is only available in Windows XP/2003/Vista/2008.
To block the file, do the following:
- Click the [Start] menu
- Click [Run]
- In the [Run] dialog box, type SECPOL.MSC and click [OK]
- On the [Local Security Policy] screen, click [Software Restriction Policies]
- Right-click [Software Restriction Policies] and choose [Create New Policies]
- Then right-click [Additional Rules] and choose [New Hash Rule]
- In the [File Hash] field, click [Browse] and select the file to be blocked. The [File information] field is filled in automatically with that file's details.
- Under Security Level, choose [Disallowed]
- In the "Description" field, enter a description of the file (free text)
- Click [OK]

Note:
When a user runs the file that was added, a warning message will appear.

3. Fix the registry by running the file [FixRegistry.exe], which you can download from the following address: http://www.4shared.com/file/117095567/3ea8e8ce/_4__FixRegistry.html
1. In the [Register Owner] field, enter the Windows owner's name
2. In the [Register Organization] field, enter the Windows owner's organisation name
3. In the [ShellWindows] field, enter explorer.exe
4. In the [Userinit Windows] field, enter the following:
- Windows NT/2000 = C:\WinNT\System32\userinit.exe,
- Windows XP/2003/Vista = C:\Windows\System32\userinit.exe,
5. Then click the [Set] button
6. Then click [Pulihkan Registry] (Restore Registry) to repair the other registry entries
4. Delete the virus's parent files. These parent files are hidden; if they cannot be displayed, use a Windows Explorer replacement such as "Explorer XP", which you can download from the following address:
http://www.explorerxp.com/explorerxpsetup.exe
After installing the software, find and delete the following files:
• %Drive%:\Recycled\S-1-5-21-343818398-18970151121-842a92511246-500\Thumbs.db
o svchost.vbs
o desktop.ini
o drvconfg.drv
o SHELL32.dll

• %Drive%:\Album BOKEP\Naughty America

• C:\windows
o appsys.exe
o Winupdt.scx
o appopen.scx
o Windowsopen.mht
o Windows.html
o Regedit.exe.lnk
o Help.htm
• C:\Windows\system\svchost.exe

• C:\WINDOWS\system32
o Taskmgr.exe.lnk
o CMD.exe.lnk
o Svchost.dls
o Corelsetup.scx
o Appsys.dls
o Kernel32.dls
o Winupdtsys.exe
o ssmarque.scr

• C:\Program Files\FarStone\qbtask.exe
• C:\Program Files\ACDsee\Launcher.exe
• C:\Program Files\Common Files\NeroChkup.exe
• C:\Program Files\ExeLauncher
• %ProgramFiles%\drivers\VGA\VGAdrv.lnk
• C:\Documents and Settings\%user%\Desktop\Local Disk (C).dls
• %Flash Disk:\>Dataku Penting Jangan Dihapus.lnk
Note:
%Drive% indicates the drive location [C:\ or D:\]
%Flash Disk% indicates the flash disk location

5. Unhide the files [TaskMgr.exe/Regedt32.exe/Regedit.exe/CMD.exe/Logoff.exe] that the virus has hidden, as follows:
1. Click the [Start] menu
2. Click [Run]
3. Type CMD and click [OK]
4. At the "DOS prompt", change to the drive to be checked
5. Type the command ATTRIB -s -h -r regedit.exe and press "Enter"
6. Then repeat the same command, changing only the name of the file to be unhidden, i.e. Taskmgr.exe, cmd.exe and Logoff.exe

6. For optimal cleaning and to prevent re-infection, install an up-to-date antivirus and scan with it.
- Once the computer is really clean of the virus, delete the block rule for the file [WScript.exe] that was created in step (2):
- Click the [Start] menu
- Click [Run]
- In the [Run] dialog box, type SECPOL.MSC and click [OK]
- On the [Local Security Policy] screen, double-click [Software Restriction Policies]
- Click [Additional Rules]
- Delete the rule you created earlier

7. To prevent re-infection, use an antivirus that can already detect and eradicate this virus properly.

Sunday, 14 June 2009

Love rejected, SandraDewi takes action

W32/Sadra.A



Love rejected, the VIRUS takes action


It hurts a great deal when our love is rejected by someone;

in the old days people used a dukun (shaman) as the medium for winning their love;

along with the development of information technology,


Virus file

The characteristics of this virus file include the following:

  • File size of "132 KB".
  • File type "Application".
  • File extension "exe".
  • Picture icon (JPEG image).


Message before login

Remember the Blue Fantasy virus, the one that displayed a message before login? The Sandra Dewi virus also displays a message.


Blocking Windows functions

As a form of self-defence, the virus tries to block several Windows functions. The functions it blocks include the following:

  • Folder Options (to prevent access to hidden files/folders)
  • Registry Editor (to prevent repairs to the registry)
  • Search/Find (to hinder cleaning of the virus)
  • Command Prompt (to prevent the virus process from being killed)
  • Task Manager (to prevent monitoring of the virus process) (see figure 4)
  • Control Panel (to prevent access to the OS's control functions)
  • MsConfig/System Configuration Utility (to prevent access to the startup entries)

In addition, the virus also tries to block several other Windows functions, including:

  • Disabling right-click on the desktop.
  • Disabling "All Programs" on the Start Menu.
  • Disabling the Log Off/Turn Off menu on the Start Menu.

With these measures the virus tries to make it hard for the user to run certain programs, and even to restart, log off or shut down the computer.

Changes the System Properties information

In System Properties, the virus changes RegisteredOwner to Dewi Bugil and RegisteredOrganization to Sandra.


Changes the Internet Explorer title

The virus changes the Internet Explorer (IE) title bar when IE is started, appending ::CREATION::BUDI::DARMA::.


Active at startup, running a Splash program

  • C:\Documents and Settings\%user%\Start Menu\Programs\Startup\Sandra Dewi Bugil.exe

This active virus file runs a Splash program that cannot be moved or closed except via its Keluar (Exit) button. If Keluar is clicked, a KONFIRMASI (confirmation) pop-up appears asking to send an email to budi_9***@yahoo.com. Whatever is clicked, Yes or No, it shuts down our computer, showing a System Shutdown window with a 1-minute countdown.


Spreading method

This virus uses removable drives/USB as the means of spreading itself. The file it creates is:

  • Sandra Dewi Bugil.exe


How to clean the Sandra Dewi virus

  • Preferably disconnect the computer to be cleaned from the network.
  • Turn off "System Restore" for the duration of the cleaning (for Windows XP/Vista).
  • Kill the virus process that is active in memory. Use a Task Manager replacement such as Process Explorer (which you can download from the following address)

http://www.sysinternals.com/utils/index.html

  • Kill the processes of the active virus files, namely:
    • C:\Documents and Settings\%user%\Start Menu\Programs\Startup\Sandra Dewi Bugil.exe
    • C:\WINDOWS\Sandra Dewi Bugil.exe
  • Delete the registry strings created by the virus. To make this easier, you can use the registry script below.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKCU, Software\Policies\Microsoft\Windows\system, DisableCMD
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, StartMenuLogoff

Use Notepad, then save it with the name "repair.inf" (set Save As Type to All Files so that no error occurs).

Run repair.inf by selecting it in Windows Explorer, opening the File menu and choosing Install.

Preferably create the repair.inf file on a clean computer, so that the virus is not reactivated.

  • Delete the virus files, which have the following characteristics:
      • Picture icon (JPEG Image)
      • Extension exe
      • Size 132 KB

Note

    • Preferably show hidden files, to make searching for the virus files easier.
    • To make the search easier, use "Search Windows" with the filter *.exe and a file size of 133 KB.
    • Delete the virus files, which usually have the same date modified.
  • For optimal cleaning and to prevent re-infection, use an up-to-date antivirus that recognises this virus properly. You can also use the Norman Malware Cleaner tool, which you can download at
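The repair.inf scripts on this page (for Autorun.QBP and Sandra Dewi above, and for MaHaDeWa and Nadia Saphira further down) all restore the same handful of file-type handlers and delete the same lockdown policies. The following read-only audit, added here as an example and not code from the original posts or from Vaksincom, reports those locations so you can see what a worm changed before running the script and confirm the repair afterwards. It assumes the XP-era default values the scripts write back and an elevated PowerShell session.

```powershell
# Added example, not code from the original posts or from Vaksincom: a read-only
# audit of the registry locations that the repair.inf scripts on this page restore
# ([UnhookRegKey]) or delete ([del]). Run it before the script to see what the worm
# changed, and again afterwards to confirm the repair took. Assumes the XP-era
# defaults that the page's scripts write back; run from an elevated PowerShell.

function Test-WormRegistryChanges {
    $findings = @()

    # 1. Values the scripts write back. scrfile and lnkfile are left out because the
    #    page's scripts write "%1" %* there, which is not the real default for those types.
    $expected = @(
        @{ Key = 'HKLM:\SOFTWARE\Classes\batfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
        @{ Key = 'HKLM:\SOFTWARE\Classes\comfile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
        @{ Key = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
        @{ Key = 'HKLM:\SOFTWARE\Classes\piffile\shell\open\command'; Name = '(default)'; Value = '"%1" %*' },
        @{ Key = 'HKLM:\SOFTWARE\Classes\regfile\shell\open\command'; Name = '(default)'; Value = 'regedit.exe "%1"' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Value = 'Explorer.exe' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Value = 'C:\Windows\System32\userinit.exe,' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'; Name = 'CheckedValue'; Value = '1' }
    )
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Key -ErrorAction SilentlyContinue).($e.Name)
        if ($null -eq $actual) { continue }                 # absent: nothing to compare
        if ("$actual".Trim() -ine $e.Value) {               # case-insensitive, Windows paths vary in case
            $findings += [pscustomobject]@{ Type = 'Hijacked'; Key = $e.Key; Name = $e.Name
                                            Actual = "$actual"; Expected = $e.Value }
        }
    }

    # 2. Lockdown values the [del] sections remove; their presence is the symptom the
    #    posts describe (no Task Manager, Folder Options, Run, CMD, Control Panel ...).
    $policyRoots = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKCU:\Software\Policies\Microsoft\Windows\System'
    )
    $lockdownNames = 'DisableRegistryTools', 'DisableTaskMgr', 'DisableMsConfig', 'DisableCMD',
        'NoFolderOptions', 'NoFind', 'NoRun', 'NoClose', 'NoControlPanel', 'NoLogOff', 'NoWinKeys',
        'NoStartMenuMorePrograms', 'NoViewContextMenu', 'NoTrayContextMenu', 'NoViewOnDrive', 'StartMenuLogoff'
    foreach ($root in $policyRoots) {
        $props = Get-ItemProperty -Path $root -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($n in $lockdownNames) {
            if ($props.PSObject.Properties[$n] -and $props.$n -ne 0) {
                $findings += [pscustomobject]@{ Type = 'Lockdown'; Key = $root; Name = $n
                                                Actual = "$($props.$n)"; Expected = '(absent or 0)' }
            }
        }
    }

    # 3. Autostart entries and the IE title value the scripts empty or delete.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        # Skip the PSPath/PSChildName/... properties the registry provider adds.
        foreach ($p in ($run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $findings += [pscustomobject]@{ Type = 'Autostart'; Key = $runKey; Name = $p.Name
                                            Actual = "$($p.Value)"; Expected = '(absent)' }
        }
    }
    $ieMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
    $ie = Get-ItemProperty -Path $ieMain -ErrorAction SilentlyContinue
    if ($ie -and $ie.PSObject.Properties['Window Title']) {
        $findings += [pscustomobject]@{ Type = 'Tampered'; Key = $ieMain; Name = 'Window Title'
                                        Actual = "$($ie.'Window Title')"; Expected = '(absent)' }
    }

    # 4. Image File Execution Options debuggers that the Nadia Saphira script deletes.
    foreach ($exe in 'msiexec.exe', 'sessmgr.exe', 'SPYXX.exe') {
        $ifeo = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$exe"
        $dbg = (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Type = 'IFEO'; Key = $ifeo; Name = 'Debugger'
                                            Actual = "$dbg"; Expected = '(absent)' }
        }
    }
    return $findings
}

Test-WormRegistryChanges | Format-Table -AutoSize
```

An empty result after running repair.inf means the locations the script touches are back to the expected values; it says nothing about the worm's files, which the later steps still have to remove.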

Thursday, 11 June 2009

Characteristics of the Mahadewa virus and how to clean it

VBS.Autorun.AM (MaHaDeWa, the one that dares to be different)

Characteristics of MaHaDeWa

1. Changes the Internet Explorer title to MaHaDeWa Labkom UBL
2. Changes the Internet Explorer start page to http://webkom
3. Changes the computer name and the Windows owner name:
a. RegisteredOrganization = Your pc has been clean from Nita Virus by MaHaDeWa
b. RegisteredOwner = MaHaDeWa

How to clean VBS.Autorun.AM

1. Kill the virus process named WSCript.exe. To kill this virus process you can use "Task Manager" or another Task Manager replacement such as Process Explorer. Download the tool from the following address (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
2. To ensure the virus process cannot become active again when it is run, block the file MaHaDeWa.dll.vbs using "Software Restriction Policies" [if you use Windows XP Professional or Windows 2003], as follows:
- Click the "Start" button
- Click "Run"
- Type "secpol.msc" (without the quotes)
- Then, on the "Local Security Settings" screen, right-click the "Software Restriction Policies" folder and click "Create New Policies"
- Then right-click the "Additional Rules" folder
- Click "New Hash Rule"
- In the "File hash" field, click the "Browse" button and point it at the file MaHaDeWa.dll.vbs
- Click the "Open" button

Note:
Before blocking the file, first show hidden files by changing the Folder Options setting (show hidden files).

3. Repair the registry entries created by MaHaDeWa. To make the repair easier, copy the script below into Notepad and save it with the name repair.inf. Run the file as follows:

- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "About:blank"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoDriveTypeAutoRun,0x00010001,255
[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, NoChangingWallpaper
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoLogOff

4. Delete the virus's parent files in the following locations:
- C:\MaHaDeWa.dll.vbs (all drives)
- C:\autorun.inf (all drives)
- C:\Windows\system32\WinXP.dll.vbs

Source: Vaksin

Sunday, 31 May 2009

Nadia Saphira, the reincarnation of Donal Bebek


Beware: the Bulu Bebek virus has mutated into Nadia Saphira, detected as W32/VBTroj.AOQB, which has the characteristics below:

Virus file

• File size of "17 KB & 69 KB".
• File type "Application".
• File extensions "exe & ini".
• Folder icon.
• Creates duplicate folders matching the names of the existing folders and hides the original folders.
• Removes the "Folder Options" menu item.
• The CD-ROM cannot be used.
• The Command Prompt cannot be accessed.

If the Nadia Saphira virus succeeds in infecting a computer, it creates several virus files, including:

• C:\autorun.inf (in the root of every drive)
• C:\NadiaSaphira.ini (in the root of every drive)
• C:\Documents and Settings\All User\Start Menu\Programs\Startup\lan.exe
• C:\Documents and Settings\%User%\NadiaSaphira.ini
• C:\WINDOWS\taskmgr.exe
• C:\WINDOWS\system32\.exe
• C:\WINDOWS\system32\allsys.exe
• C:\WINDOWS\system32\misconfig.exe
• C:\WINDOWS\system32\MS586.sys
• C:\WINDOWS\system32\System
• C:\WINDOWS\system32\wtoolsb.exe
• C:\WINDOWS\system32\dllcache\.exe
• C:\WINDOWS\system32\dllcache\System
• Duplicates of the virus file in every folder on removable drives/USB.

Hiding folders & creating virus duplicates

The Nadia Saphira virus only hides the folders / sub-folders on drives and on flash disks / external drives; to deceive the user, the virus creates a duplicate in every folder/sub-folder with the same name as the hidden folder. The virus also sets its file type so that it matches the file type of a folder.

Blocking Windows functions

The Nadia Saphira virus tries to block several Windows functions. The functions it blocks include the following:

• Folder Options (to prevent access to hidden files/folders)
• Registry Editor (to prevent repairs to the registry)
• Search/Find (to hinder cleaning of the virus)
• Command Prompt (to prevent the virus process from being killed)

Active at startup

The Nadia Saphira virus inserts its file into the Windows startup, so it becomes active as soon as we log in to Windows. The virus files active at startup are:

• C:\Documents and Settings\All User\Start Menu\Programs\Startup\lan.exe
• C:\WINDOWS\system32\misconfig.exe
• C:\WINDOWS\taskmgr.exe

Spreading method

Taking advantage of the Windows autoplay system, this virus uses removable drives / USB as the means of spreading itself. The files it creates are:

• autorun.inf
• NadiaSaphira.ini
• Copies of the virus file, duplicated into every existing folder

How to clean the Nadia Saphira virus

o Preferably disconnect the computer to be cleaned from the network.

o Turn off "System Restore" for the duration of the cleaning (for Windows XP / Vista).

o Kill the virus process that is active in memory. Use a Task Manager replacement such as CProcess (download from the following address: http://www.nirsoft.net/utils/index.html)

Kill the processes of the active virus files, namely:
• C:\Documents and Settings\All User\Start Menu\Programs\Startup\lan.exe
• C:\WINDOWS\system32\misconfig.exe
• C:\WINDOWS\taskmgr.exe

o Delete the registry strings created by the virus. To make this easier, you can use the registry script below.

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCR, batfile\shell\open\command,,,"""%1"" %*"
HKCR, comfile\shell\open\command,,,"""%1"" %*"
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, piffile\shell\open\command,,,"""%1"" %*"
HKCR, lnkfile\shell\open\command,,,"""%1"" %*"
HKCR, scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,
HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,"%1"
HKLM, SOFTWARE\Classes\exefile,,,"Application"
HKLM, SOFTWARE\Classes\exefile,infotip,0,"prop:FileDescription;Company;FileVersion;Create;Size"
HKLM, SOFTWARE\Classes\exefile,TileInfo,0,"prop:FileDescription;Company;FileVersion"
HKCU, Software\Microsoft\Command Processor, AutoRun,0,
HKLM, SOFTWARE\Microsoft\Command Processor, AutoRun,0,
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue, 0x00010001,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, nofind
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sessmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SPYXX.exe

Use Notepad, then save it with the name "repair.inf". Run repair.inf by right-clicking it and choosing Install. Preferably create the repair.inf file on a clean computer, so that the virus is not reactivated.

o Delete the virus files, which have the following characteristics:
• Application/folder icon
• Extension exe
• Size 69 KB & 17 KB

Note

o Preferably show hidden files, to make searching for the virus files easier.

o To make the search easier, use "Search Windows" with the filter *.exe & *.ini and a file size of 69 KB & 17 KB.
• Delete the virus files, which usually have the same date modified.

o Show the folders hidden on the drive or flash disk again. Use the "ATTRIB" command at the command prompt:
• Click "Start"
• Click "Run"
• Type "CMD", then press "Enter"
• Change to the flash disk drive
• Then type the command ATTRIB -s -h -r /s /d and press "Enter"

o For optimal cleaning and to prevent re-infection, use an up-to-date antivirus that recognises this virus properly.

Source: Vaksin
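The hidden-folder trick described under "Hiding folders & creating virus duplicates" leaves a recognisable pattern on the drive: a hidden, system folder with an executable of the same name sitting next to it. The script below, added here as an example and not code from the original post, finds that pattern and can restore the real folders' attributes, which is the targeted equivalent of the ATTRIB -s -h -r /s /d step in the note above. The drive letter E:\ for the flash disk is an assumption.

```powershell
# Added example, not code from the original post: find the "folder-icon .exe next to a
# hidden folder of the same name" pattern that Nadia Saphira leaves behind, and
# optionally clear the System/Hidden/Read-only bits on the real folders, which is the
# targeted equivalent of the ATTRIB -s -h -r /s /d step in the note above. It only
# reports the mimic executables; deleting them is left to you. Assumes the drive
# letter (here E:\ for the flash disk) is passed in.

function Find-FolderMimics {
    param(
        [Parameter(Mandatory)] [string] $Root,   # e.g. 'E:\'
        [switch] $Unhide                         # also restore the real folders' attributes
    )
    $hits = @()
    $hideBits = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System -bor [IO.FileAttributes]::ReadOnly
    # -Force includes the hidden/system directories the worm hid.
    $dirs = Get-ChildItem -Path $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        $twin = Join-Path $d.Parent.FullName ($d.Name + '.exe')
        if (-not (Test-Path -LiteralPath $twin)) { continue }
        $exe = Get-Item -LiteralPath $twin -Force
        $isHiddenSys = (($d.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and
                       (($d.Attributes -band [IO.FileAttributes]::System) -ne 0)
        $hits += [pscustomobject]@{
            Folder       = $d.FullName
            FolderHidden = $isHiddenSys
            MimicExe     = $twin
            ExeKB        = [math]::Round($exe.Length / 1KB)   # the post gives 17 KB and 69 KB
            ExeModified  = $exe.LastWriteTime               # worm copies share a timestamp
        }
        if ($Unhide -and $isHiddenSys) {
            # Same effect as ATTRIB -s -h -r, but on this folder only.
            $d.Attributes = $d.Attributes -band (-bnot $hideBits)
        }
    }
    return $hits
}

# Report first; rerun with -Unhide once the mimic executables have been removed.
$hits = Find-FolderMimics -Root 'E:\'
$hits | Format-Table -AutoSize
$hits | Group-Object ExeKB, ExeModified | Sort-Object Count -Descending | Select-Object Count, Name
```

The grouping at the end shows the "same size, same date modified" clustering the note relies on: dozens of mimics sharing one size and timestamp is the worm, a single odd match is worth a closer look before deleting.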

Tuesday, 05 May 2009

8 Tools Conficker Killer

Conficker, the virus also known as Kido or Downadup, has certainly become a familiar name to all of us in 2009. This worm spreads extremely fast and has a very serious impact on computers on a network.

Security vendors are now racing to release tools, each one "claiming" to be the best and most powerful at eradicating Conficker.

Below are the tools and the symptoms:

Conficker and its symptoms

Some symptoms of a computer infected with Conficker:

1) Cannot access security web sites by domain name & cannot update the antivirus
This is one of Conficker's hallmarks. Check by accessing some security web sites such as www.microsoft.com, www.norman.com and www.kaspersky.com. Compare with access through the IP addresses of those pages: http://65.55.12.249 (Microsoft), http://195.27.181.34 (Kaspersky) and http://87.238.48.130 (Norman). If your browser cannot reach the site by typing its name in the address bar BUT can reach it by its IP address, you should strongly suspect (99%) that the computer is infected with Conficker. Conficker does this by patching the DNS query function, so that access to certain domains is blocked.

2) Shutting down and disabling some Windows services.

To make its infection effective, Conficker turns off several services such as Automatic Updates (wuauserv), Background Intelligent Transfer Service (BITS), Error Reporting Service (ERSvc), Help and Support (helpsvc) and the Security Center (wscsvc).

3) Creating and running a new service that piggybacks on svchost.
This makes it easy for the worm to infect other computers and to download virus files.

4) Creating a new firewall rule.
This lets Conficker get out (to infect other computers) and in (to fetch new virus updates) easily. Conficker uses ports between 1024 and 10,000. If the port the virus uses is the same one used by one of our application programs, that application will be disrupted.

5) Creating a scheduled task.

This keeps the virus running on the infected computer. To make sure of this, Conficker creates several scheduled tasks that run all the time.

6) Disabling Show Hidden Files & System Restore.
This makes it harder for the victim to clean up the virus once it has successfully infected the computer and flash disks / external drives.

7) Disabling System Restore.
The purpose is to stop the victim restoring the computer to the settings it had before the Conficker infection. As we know, System Restore in Windows XP / Vista works like a time machine: if an installation goes wrong or a virus gets in, a few clicks can restore the computer settings to the day / time before the virus infected the computer or the bad install happened.


The Tools, Conficker Killer ...

Here are some of the tools available:

1) AVP Kaspersky Removal Tool
This tool is Kaspersky Lab's mainstay, created as a substitute for its antivirus. You can download it for free. Unfortunately the tool must be installed before it can be used, so on a computer that is already infected this can be very difficult, because the virus blocks the installation of security tools and applications. For Conficker / Kido, AVP already includes it in its database. The interface design is very similar to its antivirus interface. Unfortunately it is not able to repair the registry, the services or the hosts file that the virus changed.

2) Norman Malware Cleaner
Compared to previous versions, the FREE tool made by Norman (www.norman.com) has progressed rapidly. It can be used as an alternative when a computer is infected with a virus, because it is able to restore the registry, the hosts file and the services created by viruses / spyware. For Conficker, this tool can be used as an alternative cleaner. Unfortunately the tool expires (± 14 days), so you will be required to download the latest version from the Norman website, http://norman.com/Virus/Virus_removal_tools/24789/. The actions Norman Malware Cleaner can perform are:
- Stopping the running virus.
- Cleaning the virus from media (flash disk, hard disk etc.), including ActiveX components and BHOs (Browser Helper Objects), which spyware exploits widely.
- Finding and killing rootkits.
- Restoring registry values changed by the virus (not available in other removal tools).
- Cleaning the changes made to the hosts file (not available in other removal tools).
- Correcting the Windows Firewall rules made by the virus.

3) McAfee AVERT Stinger
McAfee users are of course familiar with this name. Stinger, made by AVERT, was one of the first virus cleaning tools available to computer users when such tools first appeared. Unfortunately its development has been a bit slow, so many new competing tools have caught up with it. For Conficker, the Stinger database already includes it. It still has the same simple design as before, but when used to eradicate Conficker it sometimes runs into difficulty: if the virus has injected itself into a Windows system file, the cleaning fails.

4) Microsoft Malicious Software Removal Tool
This Microsoft tool can be used as an alternative for virus scanning only. It is downloaded automatically each month through the Windows Automatic Updates feature. The file is located in C:\WINDOWS\system32, under the name MRT.exe. It has scan options that you can adjust to your needs. If it finds a virus active in memory, MRT will ask the user to restart. Although it can detect Conficker, this tool is only for virus scanning; it does not repair the registry entries created by the virus.

Some tools made specifically for killing Conficker are as follows:

1) KidoKiller (Kaspersky)
A special tool made by Kaspersky Lab for the Conficker virus. The tool has reached revision 3 and can detect Conficker versions C / III. Features have been added continuously, so it can now detect and delete the scheduled tasks and is able to restore System Restore. The advantage of this tool is that it can restore the DNS query function without having to restart the computer. The tool runs at the command prompt. Unlike the Symantec tool, it scans only certain paths suspected of being infected by Conficker, so the scanning time is shorter.

2) Fix Downad (Trend Micro)
Trend Micro's Conficker tool unfortunately does not include its database / pattern in the download, so we first have to download the pattern / database. That database / pattern can also scan for other viruses / worms, so the tool can clean up other viruses too. Where other tools consist of a single file, this tool has several exe files and other files that handle checking the database / pattern, checking scheduled tasks, checking the Windows patch, checking for the virus, checking the registry and checking services. Even though it consists of many files, we only run one .bat file (batch file), which then executes the other files.

3) Removal W32.Downadup (Symantec)
As its name suggests, this tool from the antivirus company Symantec deals with the Conficker / Downadup / Kido virus. The tool's appearance is very simple: there are only Start, Cancel and About. It does not offer a choice of which drive to scan. When scanning, it is able to kill the virus, delete the virus files and fix the registry modified by the virus. Unfortunately it does not remove the scheduled task created by the virus, does not remove the firewall rule created by the virus and does not restore System Restore to normal. But it does warn the user to patch Windows immediately with MS08-067.

4) EConfickerRemover (ESET/NOD32)
ESET has also released a special Conficker tool for its users. The tool is very simple; in fact, simple and powerful is exactly what is wanted. It can kill the virus process and delete the virus.

Some changes made by Conficker still need attention even after the cleaning tools have been used:

- Scheduled Task
Delete the scheduled task created by the virus.

- Firewall Rule
Delete the firewall rule created by the virus.

- Registry Repair
Repair the registry changed by the virus (the Windows services it disabled and Show Hidden Files). Create the following script in Notepad, then save it as repair.inf.

[Version]
Signature="$Chicago$"
Provider=Vaksincom
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden, 0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue, 0x00010001,1
HKLM, SYSTEM\CurrentControlSet\Services\Bits, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\ERSvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, dl
HKCU, Software\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, dl
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\applets, ds
HKLM, SYSTEM\CurrentControlSet\Services\TCPIP\Parameters, TcpNumConnections

- Clean temporary files
Clean up temporary files using Disk Cleanup, or use a tool such as ATF Cleaner.

Prevention ...
Even after the virus has been cleaned, the worm can still get back in very easily because of several factors:

- Windows Autoplay / Autorun
Prevent this by disabling the autoplay function. This function makes it easy for Conficker to enter and infect the computer.

- Default Windows Shares
This function makes it easy for the virus / worm to attempt entry over the network. Disable it if it is not needed. If it is needed, use computer passwords (both local and network) that are unique, not standard, and combine letters and numbers.

- Windows Patches
Always patch Windows diligently. This will prevent the virus from attacking over an internet connection. It is even better to enable Automatic Updates.

- Install and Update Antivirus
Finally, install an antivirus and always make sure to keep it updated.
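As an added example (my code, not from the original post or from Vaksincom), the following Python parses the repair.inf format used above (the [DefaultInstall] AddReg/DelReg directives and their registry lines) and compares the script against a registry snapshot to report which of the values Conficker changed are still in place. The INF sample and the snapshot are constructed; the snapshot stands in for what winreg would return on a live Windows host, and 0x00010001 is the standard INF AddReg flag for a REG_DWORD value.

```python
import re

# Constructed sample: a subset of the repair.inf from the post plus one Image File Execution Options key deletion.
SAMPLE_INF = r"""
[Version]
Signature="$Chicago$"
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1
HKLM, SYSTEM\CurrentControlSet\Services\wuauserv, Start, 0x00010001,2
HKLM, SYSTEM\CurrentControlSet\Services\wscsvc, Start, 0x00010001,2
[del]
HKLM, SYSTEM\CurrentControlSet\Services\TCPIP\Parameters, TcpNumConnections
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
"""

def parse_reg_line(line: str) -> tuple[str, str, int, object]:
    """'root, subkey[, name[, flags[, data]]]' -> (key, name, flags, data); name '' means the whole key."""
    f = [x.strip() for x in line.split(",")] + ["", "", ""]      # pad the optional fields
    data = int(f[4], 0) if re.fullmatch(r"0x[0-9a-fA-F]+|[1-9]\d*|0", f[4]) else (f[4] or None)
    return f"{f[0].upper()}\\{f[1]}", f[2], int(f[3] or "0", 16), data

def load_repair_inf(text: str):
    """Parse the INF sections and return (AddReg entries, DelReg entries) named by [DefaultInstall]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()                   # ';' starts a comment
        if head := re.fullmatch(r"\[(.+)\]", line):
            current = sections.setdefault(head.group(1).lower(), [])
        elif line and current is not None:
            current.append(line)
    directive = dict(l.lower().replace(" ", "").split("=", 1) for l in sections["defaultinstall"])
    adds = [parse_reg_line(l) for l in sections.get(directive.get("addreg"), [])]
    dels = [parse_reg_line(l) for l in sections.get(directive.get("delreg"), [])]
    return adds, dels

def registry_drift(inf_text: str, snapshot: dict[str, dict[str, object]]) -> list[str]:
    """Report where a snapshot {key: {name: data}} still differs from what the repair script enforces."""
    snap = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in snapshot.items()}
    adds, dels = load_repair_inf(inf_text)
    findings = []
    for key, name, _flags, data in adds:                  # AddReg: value must equal the repair data
        current = snap.get(key.lower(), {}).get(name.lower())
        if current != data:
            findings.append(f"{key}\\{name} is {current!r}, expected {data!r}")
    for key, name, _flags, _data in dels:                 # DelReg: value (or whole key) must be gone
        values = snap.get(key.lower())
        if values is not None and (name == "" or name.lower() in values):
            findings.append((f"{key}\\{name}" if name else f"key {key}") + " still present")
    return findings

# Constructed snapshot of a host where Conficker's changes are still in place (a live host would fill it from winreg).
INFECTED_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wuauserv": {"Start": 4},
    r"HKLM\SYSTEM\CurrentControlSet\Services\wscsvc": {"Start": 2},
    r"HKLM\SYSTEM\CurrentControlSet\Services\TCPIP\Parameters": {"TcpNumConnections": 16777214},
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe": {},
}
```

Running `registry_drift(SAMPLE_INF, INFECTED_SNAPSHOT)` lists the four deviations (Hidden, the wuauserv Start value, the leftover TcpNumConnections value and the msiexec.exe IFEO key) while the correctly set wscsvc service produces no finding.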

source: Vaksin

Monday, 30 March 2009

CONFICKER MOVES TO THE NEXT LEVEL

Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, C leaves as little as 15% of the original B code base untouched. Whereas the recently reported B++ variant represented a more surgical derivative of B, C incorporates a major restructuring of B's previous thread architecture and program logic, including major functional additions such as a new peer-to-peer (P2P) coordination channel, and a revision of the domain generation algorithm (DGA). It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level. In Conficker C, they have now responded with many of their own countermeasures to thwart these latest defenses.

For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

One interesting and minimally explored aspect of Conficker is its early and sophisticated adoption of binary encryption, digital signatures, and advanced hash algorithms to prevent third-party hijacking of the infected population. At its core, the main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide. Through the use of these binary encryption methods, Conficker's authors have taken care to ensure that other groups cannot upload arbitrary binaries to their infected drone population, and these protections cover all Conficker updating services: Internet rendezvous point downloads, buffer overflow re-exploitation, and the latest P2P control protocol.

In evaluating this mechanism, we find that the Conficker authors have devised a sophisticated encryption protocol that is generally robust to direct attack. All three crypto-systems employed by Conficker's authors (RC4, RSA, and MD-6) also have one underlying commonality. They were all produced by Dr. Ron Rivest of MIT. Furthermore, the use of MD-6 is a particularly unusual algorithm selection, as it represents the latest encryption hash algorithm produced to date. The discovery of MD-6 in Conficker B is indeed highly unusual given Conficker's own development time line. We date the creation of Conficker A to have occurred in October 2008, roughly the same time frame that MD-6 had been publicly released by Dr. Rivest (see http://groups.csail.mit.edu/cis/md6). While A employed SHA-1, we can now confirm that MD-6 had been integrated into Conficker B by late December 2008 (i.e., the authors chose to incorporate a hash algorithm that had literally been made publicly available only a few weeks earlier).

Unfortunately for the Conficker authors, by mid-January, Dr. Rivest’s group submitted a revised version of the MD-6 algorithm, as a buffer overflow had been discovered in its implementation. This revision was inserted quietly, followed later by a more visible public announcement of the buffer overflow on 19 February 2009, with the release of the Fortify report (http://blog.fortify.com/repo/Fortify-SHA-3-Report.pdf). We confirmed that this buffer overflow was present in the Conficker B implementations. However, we also confirmed that this buffer overflow was not exploitable as a means to take control of Conficker hosts. Nevertheless, the Conficker developers were obviously aware of these developments, as they have now repaired their MD-6 implementation in Conficker C, using the identical fix made by Dr. Rivest's group. Clearly the authors are aware of, and adept at understanding and incorporating, the latest cryptographic advances, and are actively monitoring the latest developments in this community.

One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services. We provide an in-depth analysis of Conficker's Security Product Disablement logic, to help illustrate the comprehensive challenge that modern malware poses to security products, and to Microsoft's anti-malware efforts. Conficker offers a nice illustration of the degree to which security vendors are being actively challenged to not just hunt for malicious logic, but to defend their own availability, integrity, and the network connectivity vital to providing them a continual flow of the latest malware threat intelligence.

Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Among the long history of malware epidemics, very few can claim sustained worldwide infiltration of multiple millions of infected drones. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.

Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.

by: google surf
