Abis remove semua virus pake Norman, setelah di restart kok masih gak bisa jalanin CMD atau klik kanan (Pusing........) coba repair registrinya gak bisa dibuka registry editornya (s*t*n). akhirnya pas nyolokin flash disk gw secara gak sengaja kok file *.inf gw file tipenya NITA_WORM, ya udah deh di browsing mbah google dapet pencerahan di vaksin.com (http://www.vaksin.com/2008/1108/nita_worm/NITA_WORM.html) disitu ada cara betulinnya.
Jadi secara garis besarnya cara ngebersihin Trojan:W32/VBTroj.NYH alias (^_^)NITA_WORM :
1. Jalanin Norman_Malware_Cleaner.exe samapai selesai, restart kemudian jalanin lagi sampai selesai samapai gak ada virusnya lagi.
------- awal script -------
Dim oWSH: Set oWSH = CreateObject("WScript.Shell")
on error resume Next
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command\","""%1"" /S"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","Explorer.exe"
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\loader")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\loader")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofind")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title")
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\FriendlyTypeName","C:\Windows\System32\setupapi.dll,-2000"
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dxdiag.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.EXE\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE\")
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir","C:\Program Files"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\Info Tip","prop:FIleDescription;Company;FileVersion;Create;Size"
oWSH.RegDelete("HKEY_CLASSES_ROOT\sysfile")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sysfile")
oWSH.Regwrite "HKEY_CURRENT_USER\Control Panel\Desktop\CursorBlinkRate","530"
------- akhir script -------
Sumber : www.vaksin.com
No comments:
Post a Comment