Saturday, 28 February 2009

Tips for Removing the Babon Virus

A brief note on the Babon virus

The Babon virus is written in VB, so it can still be disabled by renaming the VB runtime file MSVBVM60.DLL. I went in through the Recovery Console to do the rename. Several registry keys can be restored quickly by running the VBS file below (thanks to vaksin.com).

' Restore registry keys altered by the Babon virus (script from vaksin.com)
Dim oWSH: Set oWSH = CreateObject("WScript.Shell")
On Error Resume Next   ' keep going when a key or value is already gone

' Restore the default "open" command for executable file types
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\", """%1"" %*"

' Re-enable the Registry Editor
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools")

' Restore the Safe Mode command-prompt shell and the normal Windows shell
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe"

' Restore the AM/PM time markers
oWSH.RegWrite "HKEY_CURRENT_USER\Control Panel\International\s1159", "AM"
oWSH.RegWrite "HKEY_CURRENT_USER\Control Panel\International\s2359", "PM"

' Restore the system identification strings the virus overwrote (adjust to your own values)
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization", "Your Organization"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner", "YourOwner"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "Windows XP"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId", "Product ID"

' Restore the Recycle Bin and My Computer display names
oWSH.RegWrite "HKEY_CLASSES_ROOT\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\LocalizedString", "Recycle Bin"
oWSH.RegWrite "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString", "My Computer"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\LocalizedString", "My Computer"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\", "Application"

' Clear the hijacked just-in-time debugger, Internet Explorer pages and screen saver
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger", ""
oWSH.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page", "About:Blank"
oWSH.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "About:Blank"
oWSH.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE", ""
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\Default")

' Remove the policy restrictions the virus set (Task Manager, Explorer menus, Run, Find, ...)
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettingsPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\babon")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff")

' Re-enable System Restore, the autostart entries, the command prompt, the logon notice and Windows Installer
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCMD")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI")

' Remove the renamed shell strings cached by the virus
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9227")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-8964")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9217")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\shell32.dll,-9104")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9216")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\shell32.dll,-9218")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-30503")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Windows Title")

(Source: vaksin.com)

After that, you still have to delete the virus files, which usually lodge in the Windows and Windows\System32 folders. There are two files named IExplorer.exe and IExplorer .exe. They look identical, but the second one has a space at the end of its file name, just before the extension.
Be aware that if you run an EXE application while Babon is active, Babon sets the Hidden attribute on that file, so you will have to change its attributes back again.
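As an added example (not from the original post or from vaksin.com), a small Python audit that checks whether the registry is back in the clean state the script above restores, and flags file names with a space squeezed in before the extension, as in IExplorer .exe. The audit_registry function takes any lookup callable, so it can be tested offline against a dictionary or run on a Windows host through the winreg_reader helper; both helpers and the HKLM/HKCU abbreviations are this example's own conventions.

```python
import re

# Clean state implied by the restoration script above: values it writes
# back (must match exactly) and values it deletes (must be absent).
# A trailing backslash on a path selects the key's default value.
CMD = r"HKLM\Software\Classes\{}\shell\open\command" + "\\"
EXPECTED = {CMD.format(t): '"%1" %*' for t in ("exefile", "batfile", "comfile", "piffile")}
EXPECTED.update({
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell": "Explorer.exe",
    r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell": "cmd.exe",
})
MUST_BE_ABSENT = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\babon",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCMD",
]

def audit_registry(read_value):
    """read_value(path) returns the value as a string, or None when it
    does not exist. Returns a list of findings; an empty list means clean."""
    findings = []
    for path, want in EXPECTED.items():
        got = read_value(path)
        if got != want:
            findings.append(f"{path}: expected {want!r}, got {got!r}")
    for path in MUST_BE_ABSENT:
        if read_value(path) is not None:
            findings.append(f"{path}: should not exist")
    return findings

def winreg_reader(path):
    """Reader for a live Windows host (not used by the offline check)."""
    import winreg  # Windows only
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    hive, _, rest = path.partition("\\")
    key_path, _, name = rest.rpartition("\\")  # name == "" -> default value
    try:
        with winreg.OpenKey(hives[hive], key_path) as key:
            return winreg.QueryValueEx(key, name)[0]
    except OSError:
        return None

# A space squeezed in before the extension ("IExplorer .exe") makes the
# dropper look identical to the real file name in a directory listing.
SPACED_EXT = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")

def suspicious_names(filenames):
    return [n for n in filenames if SPACED_EXT.search(n)]
```

On a Windows machine, `audit_registry(winreg_reader)` returns an empty list once the restoration script has done its job, and `suspicious_names(os.listdir(r"C:\WINDOWS\system32"))` lists the spaced-name copies that still need deleting.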

Completely eradicated???
There is still one thing that bothers me. After all the steps above, something odd remains: when you plug in a flash drive, you cannot double-click the flash drive icon; an ERROR appears, "Windows cannot find Cewek_Imoet.Exe", and this file is certainly the trigger file for the Babon virus. After searching the Registry, it turns out this key is still there and cannot be deleted! Does this mean the virus is still active and running as a process? When I checked the processes, the only one there was RunDLL32.exe, which keeps getting re-spawned even after I kill that process.
Virus experts out there, can anyone offer a solution???
Please enlighten me...

Aries Bontang © 2008. Template by SkinCorner