How to remove VBWorm.NEE (the "Tukul" virus)

1. Disconnect the computer to be cleaned from the network [if it is connected to a LAN].
2. Kill the virus processes. Use the CurrProcess tool (http://www.nirsoft.net/utils/cprocess.html) and kill the processes that carry the "Video Media Player" icon, for example (see Figure 7):
a. Spool32.exe
b. Winword.exe
Figure 7: Killing the VBWorm.NEE processes
3. Delete the registry strings created by the virus. To speed up the registry cleanup, copy the script below into Notepad, save it as "repair.vbs", run that file, then log off the computer.
' repair.vbs: restores the file-association and shell values the worm changed,
' then removes the Run entries and policy restrictions it added.
Dim oWSH: Set oWSH = CreateObject("WScript.Shell")
' Keep going when a value is already absent; RegDelete on a missing value would otherwise stop the script.
On Error Resume Next
' A trailing backslash in the path addresses the key's (Default) value.
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command\", """%1"" /S"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command\", "regedit.exe %1"
' Safe-mode alternate shell and the Winlogon shell back to their defaults.
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe"
' Autostart entries the worm added.
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Word")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Printer Cpl")
' System Restore and Windows Installer policies.
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing")
' Explorer restrictions for the current user.
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun")
' Explorer restrictions applied machine-wide.
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableMSI")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\")
' Task Manager, cmd, regedit and Display Properties restrictions for the current user.
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispAppearancePage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCpl")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettingsPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoScrSavPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\")
' Hide-extension flag the worm set on .exe files so that "name.doc.exe" shows as "name.doc".
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt")
oWSH.RegDelete("HKEY_CLASSES_ROOT\exefile\NeverShowExt")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\policies\Microsoft\system\DisableCMD")
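After running repair.vbs and logging off, it is worth confirming that the file associations and shell values are back to their defaults and that the restriction values are really gone, rather than trusting a script that runs under On Error Resume Next. The Python check below is an added example and not part of the original post: it compares the values from step 3 against their expected data, reading the live registry through winreg on Windows and accepting a snapshot dict anywhere else. The placeholder path and the data returned by sample_snapshot() are constructed for illustration, and the short MUST_BE_ABSENT list is a subset of the values the script deletes.

```python
"""Post-repair check for the registry values repair.vbs rewrites or deletes (added example)."""
import sys

HKLM, HKCU = "HKLM", "HKCU"

# Values repair.vbs restores: (hive, subkey, value name) -> expected data.
# A value name of "" is the key's (Default) value, which is what the trailing
# backslash in the script's RegWrite paths addresses.
EXPECTED = {
    (HKLM, r"SOFTWARE\Classes\batfile\shell\open\command", ""): '"%1" %*',
    (HKLM, r"SOFTWARE\Classes\comfile\shell\open\command", ""): '"%1" %*',
    (HKLM, r"SOFTWARE\Classes\exefile\shell\open\command", ""): '"%1" %*',
    (HKLM, r"SOFTWARE\Classes\piffile\shell\open\command", ""): '"%1" %*',
    (HKLM, r"SOFTWARE\Classes\scrfile\shell\open\command", ""): '"%1" /S',
    (HKLM, r"SOFTWARE\Classes\regfile\shell\open\command", ""): "regedit.exe %1",
    (HKLM, r"SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell"): "cmd.exe",
    (HKLM, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "Explorer.exe",
}

# A subset of the restriction values repair.vbs deletes. Any of these still
# present means the lockdown of Task Manager, regedit, cmd or Explorer persists.
MUST_BE_ABSENT = (
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableCMD"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions"),
    (HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoRun"),
    (HKLM, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr"),
    (HKLM, r"SOFTWARE\Classes\exefile", "NeverShowExt"),
)


def find_deviations(snapshot):
    """snapshot maps (hive, subkey, name) -> data, or None when the value is absent.

    Returns one (problem, hive, subkey, name, actual) tuple per deviation, where
    problem is "missing", "wrong" or "present".
    """
    problems = []
    for key, expected in EXPECTED.items():
        actual = snapshot.get(key)
        if actual is None:
            problems.append(("missing",) + key + (None,))
        elif str(actual).strip().lower() != expected.lower():
            problems.append(("wrong",) + key + (actual,))
    for key in MUST_BE_ABSENT:
        if snapshot.get(key) is not None:
            problems.append(("present",) + key + (snapshot[key],))
    return problems


def read_live_snapshot():
    """Read every checked value from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry reads need Windows; pass a snapshot dict instead")
    import winreg  # only importable on Windows
    hives = {HKLM: winreg.HKEY_LOCAL_MACHINE, HKCU: winreg.HKEY_CURRENT_USER}
    snap = {}
    for hive, subkey, name in list(EXPECTED) + list(MUST_BE_ABSENT):
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                snap[(hive, subkey, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:  # key or value does not exist
            snap[(hive, subkey, name)] = None
    return snap


def sample_snapshot():
    """Constructed snapshot of a partially repaired machine (not real data): the exefile
    association still points at a placeholder path, the SafeBoot shell value is gone,
    and Task Manager is still disabled for the current user."""
    snap = dict(EXPECTED)
    snap[(HKLM, r"SOFTWARE\Classes\exefile\shell\open\command", "")] = r'"C:\PLACEHOLDER\launcher.exe" "%1" %*'
    snap[(HKLM, r"SYSTEM\CurrentControlSet\Control\SafeBoot", "AlternateShell")] = None
    snap[(HKCU, r"Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr")] = 1
    return snap


if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else sample_snapshot()
    for problem, hive, subkey, name, actual in find_deviations(snapshot):
        print(f"{problem:8s} {hive}\\{subkey}\\{name or '(Default)'} = {actual!r}")
```

The comparison is case-insensitive and whitespace-trimmed because the association data is interpreted by the shell, not compared byte for byte; a "wrong" result for exefile is the one to look at first, since an executable association that still points elsewhere means every program launch passes through the other binary.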
4. If you are using Windows ME/XP, disable "System Restore" temporarily for as long as the cleanup is in progress.
5. Delete the parent file and the copies VBWorm.NEE creates. First show hidden files/folders (use Folder Options to show hidden files/folders). The files have these characteristics:
· Size 56 KB
· Extension .DOC .EXE
· File type: Application
· Icon: Video Media Player
§ C:\Windows\SPOOL32.exe
§ C:\WINDOWS\system32\winword.exe
§ C:\Documents and Settings\%user login%
· [System Process]BabII.doc .exe
· [System Process]Fileku.doc .exe
· [System Process]Jangan di buka .doc.exe
· [System Process]Tolong.doc .exe
· [System Process]data.doc .exe
· [System Process]Desposisi.doc .exe
· [System Process]Empat Mata.doc .exe
· [System Process]benci.doc .exe
· fileku.doc.exe [random]
· SystemData.doc .exe [random]
· SystemTolong.doc [random]
· sYSTEMbENCI.doc.exe [random]
· C:\Windows\config\system32.exe
· C:\WIndows\system32\ArekSuroboyo.html
To speed up deleting the virus files, use Windows Search with the following settings:
· All or part of the file name: enter *.EXE
· Look in: the drives on your computer
· What size is it? Select Specify size (in KB)
o At most
o 57 KB
· More advanced options, select
o Type of file: (All Files and Folders)
o Search system folders
o Search hidden files and folders
o Search subfolders
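The search settings above list every executable of at most 57 KB on the drive, which a person then sorts through by icon and name. As an added example, not code from the original post, the Python scanner below applies the same criteria from step 5 programmatically: it flags the known paths, the ".doc .exe" double-extension and "[System Process]" naming patterns, and lists any other executable of at most 57 KB for manual review. The document-extension list is generalised beyond .doc (an assumption about the same disguise applied to other document types), and the tree produced by build_sample_tree() is constructed sample data, not real worm files.

```python
"""Triage scan for files matching the VBWorm.NEE characteristics from step 5 (added example)."""
import os
import re
import tempfile

MAX_SIZE_BYTES = 57 * 1024  # the "At most 57 KB" search setting

# Paths listed in step 5, compared case-insensitively against the tail of each
# path so the scan works on any drive letter or mount point.
KNOWN_PATH_SUFFIXES = (
    r"windows\spool32.exe",
    r"windows\system32\winword.exe",
    r"windows\config\system32.exe",
    r"windows\system32\areksuroboyo.html",
)

# ".doc .exe" / ".doc.exe": a document extension followed, after optional spaces,
# by an executable one. Extension lists are generalised beyond the page (assumption).
DOUBLE_EXT = re.compile(r"\.(doc|xls|txt|pdf|jpg)\s*\.(exe|scr|com|pif)$", re.IGNORECASE)
SYSTEM_PROCESS_PREFIX = re.compile(r"^\[system process\]", re.IGNORECASE)


def classify(path, size):
    """Return "known", "disguised", "review" or None for one file."""
    name = os.path.basename(path)
    norm = path.lower().replace("/", "\\")
    if any(norm.endswith(suffix) for suffix in KNOWN_PATH_SUFFIXES):
        return "known"
    if DOUBLE_EXT.search(name) or SYSTEM_PROCESS_PREFIX.match(name):
        return "disguised"
    if name.lower().endswith(".exe") and size <= MAX_SIZE_BYTES:
        return "review"  # matches the size filter; confirm by icon before deleting
    return None


def scan(root):
    """Walk root (hidden files are included by os.walk) and bucket matching files."""
    hits = {"known": [], "disguised": [], "review": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(full)
            except OSError:
                continue  # unreadable or vanished; skip rather than abort the scan
            verdict = classify(full, size)
            if verdict:
                hits[verdict].append(full)
    return hits


def build_sample_tree():
    """Constructed sample tree (zero-filled files, not real worm files) for an offline run."""
    root = tempfile.mkdtemp(prefix="vbworm_sample_")
    layout = {
        os.path.join("Documents and Settings", "user", "Tolong.doc .exe"): 56 * 1024,
        os.path.join("Documents and Settings", "user", "[System Process]BabII.doc .exe"): 56 * 1024,
        os.path.join("Documents and Settings", "user", "report.doc"): 56 * 1024,
        os.path.join("Windows", "system32", "winword.exe"): 56 * 1024,
        os.path.join("Windows", "system32", "small_tool.exe"): 10 * 1024,
        os.path.join("Windows", "system32", "big_tool.exe"): 200 * 1024,
    }
    for rel, size in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for category, paths in scan(sample).items():
        for p in paths:
            print(f"{category:9s} {p}")
```

Run it against a sample tree first; on a real machine pass the drive root to scan(). The "review" bucket is deliberately broad, exactly like the Windows Search query, so that the 56 KB size and the Video Media Player icon can be checked by hand before anything is deleted; the "known" and "disguised" buckets are the ones that match the worm's own naming.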
6. For thorough cleaning and to prevent reinfection, protect your computer with an up-to-date Norman Virus Control, which can detect and remove this virus.