HOT NEWS

TIPS Membersihkan Virus Stargate

Senin, 10 Maret 2008

SENIN, 10 MARET 2008
Virus Stargate konon 'cukup' sulit untuk dibersihkan. Salah satu penyebab virus ini mampu bertahan adalah kemampuannya untuk me-redirect file eksekusi (exe/com/bat/pif/VBS/REG dan lnk) ke file virus. Namun bukan berarti virus ini tidak dapat dilumpuhkan. Ada satu celah yang dapat dimanfaatkan untuk membunuh virus tersebut. Virus ini tidak akan memblokir file yang berekstensi SCR.

Untuk membunuh virus ini Anda hanya membutuhkan beberapa tools seperti tools kill process (killvb.scr), registry viewer (regAlizer.scr) dan script untuk menghapus sisa string registry yang dibuat oleh virus (repair.vbs). Berikut cara membersihkan virus Stargate.
1. Putuskan hubungan komputer yang akan dibersihkan dari jaringan.
2. Sebaiknya lakukan pembersihan pada "safe mode".
3. Matikan proses virus. Untuk mematikan proses virus ini, Anda dapat menggunakan tools KillVB. Sebelum menjalankan file tersebut sebaiknya ganti ekstensi dari exe manjadi SCR agar
tidak diblok oleh virus.

4. Hapus registry yang dibuat oleh virus. Untuk mempermudah proses pembersihan, salin script di bawah ini pada program notepad kemudian simpan dengan nama repair.vbs. Jalankan file repair.vbs dengan cara klik 2x file tersebut.

Dim oWSH: Set oWSH = CreateObject("WScript.Shell")


on error resume Next
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile\shell\open\command\","""%1"" %*"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command\","regedit.exe %1"
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools")
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","Explorer.exe"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\","Application"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\","Setup Information"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger",""
oWSH.Regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page","About:Blank"
oWSH.Regwrite "HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE",""
oWSH.Regwrite "HKEY_CLASSES_ROOT\exefile\DefaultIcon\","%1"
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCMD")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCMD")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Windows Title")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring ")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LogonNetworkService")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\st4rg4tE")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav32.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avscan.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWinPortable.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.com\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\debugger\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ViRemoval.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winamp.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winrar.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winzip.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antv-md5-pattern.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistriEditor.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killvb.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nip.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nipsvc.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njeeves.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvccf.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcoas.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcod.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zanda.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe\")
oWSH.Regwrite "HKEY_CLASSES_ROOT\mp3file\DefaultIcon\","C:\Program Files\Windows Media Player\wmplayer.exe,-120"
oWSH.Regwrite "HKEY_CLASSES_ROOT\inffile\DefaultIcon\","shell32.dll,-151"
oWSH.Regwrite "HKEY_CLASSES_ROOT\inifile\DefaultIcon\","shell32.dll,-151"
oWSH.Regwrite "HKEY_CLASSES_ROOT\mpegfile\DefaultIcon\","shell32.dll,-120"
oWSH.Regwrite "HKEY_CLASSES_ROOT\mp3file\shell\open\command\","C:\Program Files\Windows Media Player\wmplayer.exe"
oWSH.Regwrite "HKEY_CLASSES_ROOT\mpegfile\shell\open\command\","C:\Program Files\Windows Media Player\wmplayer.exe"
oWSH.Regwrite "HKEY_CLASSES_ROOT\txtfile\","Text Documents"
oWSH.Regwrite "HKEY_CLASSES_ROOT\txtfile\DefaultIcon\","shell32.dll,-152"
oWSH.Regwrite "HKEY_CLASSES_ROOT\jpegfile\","JPEG Image"
oWSH.Regwrite "HKEY_CLASSES_ROOT\jpegfile\DefaultIcon\","shimgvw.dll,3"
oWSH.Regwrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\","shell32.dll,-154"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\","C:\WINDOWS\System32\notepad.exe %1"
oWSH.Regwrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\","C:\WINDOWS\System32\notepad.exe %1"
oWSH.Regwrite "HKEY_CLASSES_ROOT\Directory\shell\","none"
oWSH.Regwrite "HKEY_CLASSES_ROOT\Folder\shell\",""

Sebelum menjalankan file repair.vbs sebaiknya Anda set terlebih dahulu registry berikut dengan tujuan agar dapat mejalankan file repair.vbs tersebut, karena jika tidak diubah maka file tersebut akan diblok karena berekstensi .VBS.

Berikut key yang harus anda set:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\commandkemudian set registry pada string Default menjadi "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command

Kemudian set registry pada string Default menjadi %SystemRoot%\System32\WScript.exe "%1" %*


Untuk set string ini, Anda dapat menggunakan tools RegAlizer. Anda dapat men-download tools tersebut di sini. Kemudian jalankan file repair.vbs.


5. Hapus file induk dengan menggunakan gunakan fungsi "Search Windows". Ciri-ciri file tersebut sebagai berikut:

  • Menggunakan Icon Folder
  • Berukuran 46 KB
  • Type File "Application"
  • Ekstensi Exe dan Com

Sebelum mencari file virus tersebut, tampilkan terlebih dahulu file yang tersembunyi pada Folder Option, caranya adalah:

  • Buka Windows Explorer
  • Klik menu "Tools"
  • Klik "Folder Option"
  • Klik tabulasi "View"
  • Pada kolom "Advanced settings", pada "Hiddenfiles and folders" lakukan langkah berikut:
  • Pilih opsi "Show hidden files and folders"
  • Uncheck opsi "Hide extenton for known file types"
  • Uncheck opsi "Hide protected operating system files (Recommanded)"

  • Klik "Apply"
  • Klik "OK"

Setelah itu cari file virus dengan menggunakan "Search", kemudian hapus file induk dan file duplikat virus.

6. Ubah attribut file GPT.INI yang ada di direktori C:\Windows\system32 dengan cara:

  • Klik "Start"
  • Klik "Run"
  • Ketik CMD
  • Pada layar Dos Prompt, ketik CD\ [enter]
  • Ketik CD windows\system32\GroupPolicy [enter]
  • Ketik ATTRIB -s -h -r GPT.ini [enter]


7. Untuk pembersihan optimal dan mencegah infeksi ulang, scan komputer dengan antivirus yang up-to-date dan sudah mengenali virus ini dengan baik.


(sumber: detikinet.com dwn / dwn )

0 komentar:

Posting Komentar

 
 
 
eXTReMe Tracker
Powered By Blogger