agakoi
Jumlah posting : 586 Age : 94 Alamat : Jl.Sukawati Kota : watampone Provinsi : Sulawesi Selatan Outlet : Murah Jaya Cell Toko : AgakoI KOMPUTER Poin : 10425 Reputation : 1014 Registration date : 24.12.08
| Subyek: 7 Langkah Membasmi Virus 'K0pL4xZ' Thu 25 Dec 2008 - 8:03 | |
| - Quote :
- Virus "K0pL4xZ" yang terdeteksi sebagai VBWorm.QTT mengincar pengguna komputer, khususnya yang memiliki banyak file Office, dengan cara mengganti icon dan tipe file Microsoft Office.
Namun untungnya, virus ini tidak sampai menghancurkan file Office. Virus ini dibuat dengan menggunakan Visual Basic. Agar tak disangka virus, ia menyamar dengan menggunakan icon "Windows Media Player Classic" dengan tipe file application (exe). Untuk membersihkannya, ikuti langkah berikut ini:
1. Putuskan komputer yang akan dibersihkan dari jaringan (LAN). 2. Matikan "System Restore" selama proses pembersihan. 3. Matikan proses virus yang aktif di memory. Gunakan tools KillVB untuk mematikan proses di memory. Silahkan downlod tools tersebut di: http://www.compactbyte.com/brontok/killvb.zip
4. Fix registry yang sudah diubah oleh virus. Untuk mempercepat proses perbaikan registry salin script dibawah ini pada program notepad, kemudian simpan dengan nama "Repair.inf". Jalankan file tersebut dengan cara:
- Klik kanan repair.inf - Klik Install
[Version] Signature="$Chicago$" Provider=Vaksincom Oyee
[DefaultInstall] AddReg=UnhookRegKey DelReg=del
[UnhookRegKey] HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*" HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*" HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*" HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*" HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1"" HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*" HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe" HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe" HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe" HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe" HKLM, SOFTWARE\Classes\exefile,,,application HKCU, Software\Microsoft\Internet Explorer\Main, start page,0, "about:blank" HKCU, Software\Microsoft\Internet Explorer\Main, Search Page,0, "about:blank" HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0x00010001,0 HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0x00010001,1 HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization" HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner" HKLM, SOFTWARE\Classes\txtfile, FriendlyTypeName,0, "@C:\Windows\system32\notepad.exe,-469" HKLM, SOFTWARE\Classes\Word.Document.8,,,"Microsoft Word Document" HKLM, SOFTWARE\Classes\Word.Document.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-01500 48383C9}\wordicon.exe,1" HKLM, SOFTWARE\Classes\PowerPoint.Show.8,,, "Microsoft PowerPoint Presentation" HKLM, SOFTWARE\Classes\PowerPoint.Show.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-015 0048383C9}\pptico.exe,1" HKLM, SOFTWARE\Classes\Excel.Sheet.8,,,"Microsoft Excel Worksheet" HKLM, SOFTWARE\Classes\Excel.Sheet.8\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-01500483 83C9}\xlicons.exe,1" HKLM, SOFTWARE\Classes\Access.Application.11,,,"Microsoft Office Access Application" HKLM, SOFTWARE\Classes\Access.Application.11\DefaultIcon,,,"C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-01 50048383C9}\accicons.exe,1" HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, Hidden, 0x00010001,1 HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt, 0x00010001,0 HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden, 0x00010001,1 HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,WarningIfNotDefault,0,"@ shell32.dll,-28964"
[del] HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableTaskMgr HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DIsablecmd HKCU, Software\Microsoft\Internet Explorer\Main, Window Title HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer,NoFolderOptions HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableRegistryTools HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System,DisableTaskMgr HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore HKCU, Software\Microsoft\Windows\CurrentVersion\Run, System HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop HKCU, Software\Microsoft\Windows NT\CurrentVersion\Winlogon, shell HKCU, Software\Policies\Microsoft\Windows\System, DisableCMD HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, WarningIfNotDefault HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Run, cintaku HKLM, SOFTWARE\Classes\exefile, FriendlyTypeName
5. Hapus file "C:\Windows\desktop.ini" (file yang berfungsi untuk mengubah icon Windows menjadi icon Control Panel). Gunakan dos prompt untuk menghapus file tersebut.
6. Cari dan hapus file induk virus di Hard Disk dan Flash Disk dengan terlebih dahulu menampilkan file yang tersembunyi. Untuk mempercepat pencarian gunakan fungsi "Search Windows".
Berikut beberapa file induk yang akan dibuat oleh Koplaxz: C:\Documents and Settings\%user%\Start Menu\Programs\StartupWinhelp.exeC:\Documents and Settings\%user%\Start Menu\ProgramsHellloo_Gheea.exeC:\Documents and Settings\%user%\My DocumentsJangan_Dihapus_Apalagi_Dibuka.exeC:\Documents and Settings\%user%\Start MenuKoplaxz Kudo Shop.exeC:\Documents and Settings\%user%\Start Menu\ProgramsHellloo_Gheea..exeC:\WindowsTourWindowsXP.exesvchost.exeKudo.comcommand32.pifKopLaXz@KudoShop.exeC:\F4HM1_KudO_M4n4j3r.exeC:\G0d3G.exeC:\Ghe@_i_miss_u.3gp.exe (All Drive)C:\K0pL4xZ.exeC:\K 0 P L 4 X Z.exeC:\KopLaXz@KudoShoP.exe (All Drive)C:\R0n13G4N_G3Ndut_S3xY.exeC:\R3eve5.exeC:\K0pL4xZ@KudoShop (All Drive)folder.httmsvbvm60.dllK0pL4xZ.exeC:\K0pl4xZ@KudoShop\K0pL4xZ.exeC:\[spasi] WINDOWS\System_FriendZ_KopLaXz32F4HM1_KudO_M4n4j3r.exeG0d3G.exeK 0 P L 4 X Z.exeR0n13G4N_G3Ndut_S3xYR3eve5.exeC:\ [spasi] Windows\Zx4Lp0K.htmlC:\WIndows\system32\smkn2majalengka.scrC:\Windows\system32\PCMAV.exeC:\Windows\system32\Asholest.exeC:\Documents and Settings\%user%\SendTo\KoPLaXzKudo(e-mail).exeC:\Autorun.inf (semua Drive)C:\Desktop.ini (semua Drive)C:\A Letter 4 Ghe@.txt (semua Drive)C:\K0pL4xZ@kUdO_5h0P.txtC:\Documents and Settings\All Users\Desktop\A Letter 4 Ghe@.infC:\WIndows\desktop.ini Kemudian hapus file induk virus yang mempunyai ciri-ciri: Icon "Windows Media Player" clasic / 3GP Video FormatUkuran 31 KBEkstensi EXE, PIF, COM dan SCRType file "Application" Hapus juga file berikut: C:\Autorun.inf (setiap root drive: c:\ atau D:\)C:\Desktop.ini (setiap root drive: c:\ atau D:\)C:\A Letter 4 Ghe@.txt (setiap root drive: c:\ atau D:\)C:\K0pL4xZ@kUdO_5h0P.txt (setiap root drive: c:\ atau D:\)C:\K0pL4xZ@KudoShop (disetiap root drive dan Flash Disk)C:\Documents and Settings\All Users\Desktop\A Letter 4 Ghe@.infC:\[spasi] WINDOWSC:\[spasi] WIndows\Zx4Lp0K.html 7. Untuk pembersihan optimal dan mencegah infeksi ulang, scan dengan menggunakan anti virus yang up-to-date. Semoga bermanfaat............................. | |
|