Sometimes (if you are not very familiar with computers) you do not really notice that a virus is present on your computer.
Below I quote a VB script taken from OprekPC.com that I tried, and it turned out to work well on my laptop, on which an antivirus cannot be installed.
This VBScript is meant to reset several registry entries that viruses, especially local viruses on Windows XP, commonly tamper with.
Typical symptoms:
- The IE (Internet Explorer) browser title is changed
- A message appears at Windows logon
- Hidden/system files are not visible
- Windows applications/features are blocked: Find, Folder Options, Run, Regedit (Registry), Task Manager, System Restore, wallpaper changes, hotkeys, Control Panel, Log Off
- Windows' own exe files and antivirus exe files are blocked
- and so on.
How to use it:
- Copy and paste the entire script inside the code block below into Notepad, then save it with Save as type = All Files and File name = RegFix.vbs
- Double-click RegFix.vbs
- Open Task Manager with [Ctrl+Alt+Del] or by right-clicking the Taskbar
- End task/kill wscript.exe and cscript.exe (if present/running)
- Close Task Manager
- Double-click RegFix.vbs again
Code:
' RegFix.vbs: reset registry entries commonly tampered with by local viruses on Windows XP.
' Errors (for example a key that is already absent) are ignored so the script runs to the end.
On Error Resume Next
Dim fso, WshShell, FlashDisk, winpath, exe
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("WScript.Shell")
winpath = fso.GetSpecialFolder(0).Path   ' Windows directory, e.g. C:\WINDOWS

' Shared key prefixes
Smwc = "\Software\Microsoft\Windows\CurrentVersion\"
Smwnc = "\Software\Microsoft\Windows NT\CurrentVersion\"
Spmn = "\Software\Policies\Microsoft\Windows NT\"
Smie = "\Software\Microsoft\Internet Explorer\"
Hsmwci = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"

' Restore file type associations (.lnk, .vbs, .inf, .bat, .com, .exe, .pif, .scr, .reg)
WshShell.RegWrite "HKCR\.lnk\", "lnkfile"
WshShell.RegWrite "HKCR\.vbs\", "VBSFile"
WshShell.RegWrite "HKCR\vbsfile\", "VBScript Script File"
WshShell.RegWrite "HKCR\vbsfile\DefaultIcon\", "%SystemRoot%\System32\WScript.exe,2"
WshShell.RegWrite "HKCR\vbsfile\FriendlyTypeName", "@%SystemRoot%\System32\wshext.dll,-4802", "REG_EXPAND_SZ"
WshShell.RegDelete "HKCR\vbsfile\NeverShowExt"
WshShell.RegWrite "HKCR\inffile\shell\Install\command\", "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
WshShell.RegWrite "HKLM\Software\CLASSES\batfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\comfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\exefile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\piffile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\scrfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKCR\regfile\shell\open\command\", "regedit.exe ""%1"""
WshShell.RegWrite "HKCR\VBSFile\shell\edit\command\", "notepad.exe ""%1"""

' Lift Explorer run restrictions; show hidden/system files, extensions and Start menu items again
WshShell.RegWrite "HKLM" & Smwc & "Policies\Explorer\RestrictRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Policies\Explorer\RestrictRun", "0", "REG_DWORD"
WshShell.RegWrite "HKLM" & Smwc & "Policies\Explorer\DisallowRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Policies\Explorer\DisallowRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Policies\Explorer\NoFileAssociate", "0", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\Hidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\HideFileExt", "0", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\SuperHidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\Start_ShowRun", "1", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\Start_ShowSearch", "1", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\Start_ShowHelp", "1", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smwc & "Explorer\Advanced\HideIcons", "0", "REG_DWORD"
WshShell.RegWrite "HKCU" & Smie & "Main\Start Page", "about:blank"

' Restore the logon shell, Userinit, Help Center / msconfig paths and System Restore
WshShell.RegWrite "HKLM" & Smwnc & "Winlogon\Shell", "Explorer.exe"
WshShell.RegWrite "HKLM" & Smwnc & "Winlogon\Userinit", winpath & "\system32\userinit.exe,"
WshShell.RegWrite "HKLM" & Smwc & "App Paths\HELPCTR.EXE\", winpath & "\PCHealth\HelpCtr\Binaries\helpctr.exe"
WshShell.RegWrite "HKLM" & Smwc & "App Paths\HELPCTR.EXE\Path", winpath & "\PCHealth\HelpCtr\Binaries\"
WshShell.RegWrite "HKLM" & Smwc & "App Paths\MSCONFIG.EXE\", winpath & "\PCHealth\HelpCtr\Binaries\msconfig.exe"
WshShell.RegWrite "HKLM" & Smwc & "App Paths\MSCONFIG.EXE\Path", winpath & "\PCHealth\HelpCtr\Binaries\"
WshShell.RegWrite "HKLM" & Smwnc & "SystemRestore\DisableSR", "0", "REG_DWORD"
WshShell.RegDelete "HKLM" & Smwc & "App Paths\regedit.exe\"
WshShell.RegDelete "HKLM" & Smwc & "App Paths\regedt32.exe\"
WshShell.RegDelete "HKLM" & Spmn & "SystemRestore\DisableSR"

' Remove logon messages, Log Off / Control Panel blocks, virus autostart entries and the IE title
WshShell.RegDelete "HKLM" & Smwc & "Policies\Explorer\NoLogOff"
WshShell.RegDelete "HKLM" & Smwc & "Policies\Explorer\NoControlPanel"
WshShell.RegDelete "HKLM" & Smwc & "Winlogon\LegalNoticeCaption"
WshShell.RegDelete "HKLM" & Smwc & "Winlogon\LegalNoticeText"
WshShell.RegDelete "HKLM" & Smwnc & "Winlogon\LegalNoticeCaption"
WshShell.RegDelete "HKLM" & Smwnc & "Winlogon\LegalNoticeText"
WshShell.RegDelete "HKLM" & Smwc & "Run\Ageia"
WshShell.RegDelete "HKLM" & Smwc & "Run\r4n694-24y"
WshShell.RegDelete "HKCU" & Smie & "Main\Window Title"

' Re-enable Find, Folder Options, Run, context menus, Win keys, Regedit, Task Manager, cmd and wallpaper changes
WshShell.RegDelete "HKCU" & Smwc & "Policies\Explorer\NoFind"
WshShell.RegDelete "HKCU" & Smwc & "Policies\Explorer\NoFolderOptions"
WshShell.RegDelete "HKCU" & Smwc & "Policies\Explorer\NoRun"
WshShell.RegDelete "HKCU" & Smwc & "Policies\Explorer\NoViewContextMenu"
WshShell.RegDelete "HKCU" & Smwc & "Policies\Explorer\NoTrayContextMenu"
WshShell.RegDelete "HKCU" & Smwc & "Policies\Explorer\NoWinKeys"
WshShell.RegDelete "HKCU" & Smwc & "Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU" & Smwc & "Policies\System\DisableTaskMgr"
WshShell.RegDelete "HKCU" & Smwc & "Policies\System\DisableRegedit"
WshShell.RegDelete "HKCU" & Smwc & "Policies\System\DisableCMD"
WshShell.RegDelete "HKCU" & Smwc & "Policies\ActiveDesktop\NoChangingWallpaper"
WshShell.RegDelete "HKCU" & Smwc & "Explorer\RunMRU\"

' Remove Image File Execution Options hijacks (a "Debugger" value there redirects the program to the virus)
For Each exe In Array("cmd.exe", "helpctr.exe", "msconfig.exe", "regedit.exe", "regedt32.exe", "TaskMgr.exe", _
    "attrib.exe", "install.exe", "setup.exe", "PCMAV.exe", "PCMAV-CLN.exe", "PCMAV-RTP.exe", "PCMAV-SE.exe", _
    "VB6.exe", "autorun.exe", "ansav.exe", "ansavgd.exe", "avscan.exe", "avgnt.exe", "gav.exe", "iexplore.exe", _
    "firefox.exe", "procexp.exe", "procexpNT.exe", "AppSvc32.exe", "ccApp.exe", "ccSvcHst.exe", "Rtvscan.exe", _
    "Smc.exe", "SmcGui.exe", "egui.exe", "ekrn.exe", "RegistryEditor.exe", "wordpad.exe", "viremoval.exe", "viremover.exe")
    WshShell.RegDelete Hsmwci & exe & "\"
Next

' Delete autorun.inf and dekstop.ini (file name as in the original script) from the root of every
' removable (type 1) and fixed (type 2) drive, skipping the A: floppy; check existence first
' instead of relying on GetFile failing silently under On Error Resume Next
For Each FlashDisk In fso.Drives
    If (FlashDisk.DriveType = 1 Or FlashDisk.DriveType = 2) And FlashDisk.Path <> "A:" Then
        If FlashDisk.IsReady Then
            If fso.FileExists(FlashDisk.Path & "\autorun.inf") Then fso.DeleteFile FlashDisk.Path & "\autorun.inf", True
            If fso.FileExists(FlashDisk.Path & "\dekstop.ini") Then fso.DeleteFile FlashDisk.Path & "\dekstop.ini", True
        End If
    End If
Next
After that, run a full scan again with a local AV (ANSAV, GAV, PCMAV) AND an up-to-date foreign AV.
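As an added read-only companion (my own example, not part of the OprekPC script or this post), the following VBScript checks a subset of the same registry locations the fix script writes and reports which hijack indicators are currently present, so you can see what the virus changed before running RegFix.vbs and confirm the entries are clean afterwards. The key paths and expected values are the ones the fix script uses; the file name RegAudit.vbs and the helper names are assumptions.

```vbscript
' RegAudit.vbs (added example): read-only check of registry entries that local viruses
' tamper with. Prints findings and changes nothing. Run: cscript //nologo RegAudit.vbs
Option Explicit
Dim sh, fso, winpath, findings, pol, exe
Set sh = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
winpath = fso.GetSpecialFolder(0).Path      ' e.g. C:\WINDOWS
findings = 0
' Returns the value at path, or Empty if the key or value does not exist.
Function ReadVal(path)
    On Error Resume Next
    ReadVal = sh.RegRead(path)
    If Err.Number <> 0 Then ReadVal = Empty
    Err.Clear
End Function
' A policy value a virus sets to 1 to block a Windows tool; absent or 0 is clean.
Sub CheckPolicy(path)
    Dim v: v = ReadVal(path)
    If Not IsEmpty(v) Then
        If CStr(v) <> "0" Then WScript.Echo "[POLICY]  " & path & " = " & v: findings = findings + 1
    End If
End Sub
' A value that must match the Windows default exactly (shell, userinit, exe handler).
Sub CheckEquals(path, expected)
    Dim v: v = ReadVal(path)
    If IsEmpty(v) Or LCase(CStr(v)) <> LCase(expected) Then
        WScript.Echo "[CHANGED] " & path & " = """ & v & """ (expected """ & expected & """)"
        findings = findings + 1
    End If
End Sub
' An IFEO "Debugger" value makes Windows start another program instead of the named tool.
Sub CheckIFEO(exeName)
    Dim v: v = ReadVal("HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\" & exeName & "\Debugger")
    If Not IsEmpty(v) Then WScript.Echo "[IFEO]    " & exeName & " -> " & v: findings = findings + 1
End Sub
pol = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\"
For Each exe In Array("System\DisableTaskMgr", "System\DisableRegistryTools", "System\DisableCMD", _
                      "Explorer\NoFolderOptions", "Explorer\NoRun", "Explorer\NoFind")
    CheckPolicy pol & exe
Next
CheckEquals "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe"
CheckEquals "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit", winpath & "\system32\userinit.exe,"
CheckEquals "HKCR\exefile\shell\open\command\", """%1"" %*"
For Each exe In Array("regedit.exe", "taskmgr.exe", "cmd.exe", "msconfig.exe", "PCMAV.exe", "ansav.exe")
    CheckIFEO exe
Next
WScript.Echo findings & " suspicious entries found"
```

Run it once before and once after RegFix.vbs; a clean Windows XP system reports 0 suspicious entries, and any remaining [IFEO] or [CHANGED] line points at a key the virus is still rewriting.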
Notes:
The script above will be flagged by several AVs, namely:
- ANSAV v1.9.3 as VBS.Tunggul.E
- AntiVir v7.8.0.64 (2008.07.11) as HEUR/HTML.Malware
- eSafe v7.0.17.0 (2008.07.10) as VBS.DelReg.
- Panda v9.0.0.4 (2008.07.10) as Suspicious file
- Rising v20.52.41.00 (2008.07.11) as Unknown Script Virus
- Webwasher-Gateway v6.6.2 (2008.07.11) as Heuristic.HTML.Malware
No problem, it is just a false alarm.
Other AVs such as AVG, NOD32, Symantec, Kaspersky, McAfee, BitDefender, ... do not detect malware.
http://www.virustotal.com...6078b183dd8a983
Source: http://www.oprekpc.com/forum/topics37/memulihkan-registry-yang-dimanipulasi-virus-vt12404.htm