03 Mar 2008 - 08:44:34 pm
Oops, I'm back again.....
So here's the story: this time I ran into a super crazy virus..... the thing is, it has disabled every file extension that could interfere with the VIRUS staying alive [.BAT, .INF, etc.]........
The way it works is simple: it kills DOS, Notepad, Regedit, msconfig, MS Word, etc........ the way the virus kills them is just by FORWARDING the programs above to some other program like SOLITAIRE, WINAMP, etc. [depending on what the VIRUS maker wants]
So of course the BALIKIN.INF file I made can't be opened!!!! That's where I started getting creative again..... besides ProcessXP I also used a REGEDIT replacement tool called RegAlizer
but I installed this tool in SAFE MODE.... how do you get in? [it's already at the start of this topic, bro!!!!]
Once it was installed I went into these KEYs:
HKEY_CLASSES_ROOT\inffile\shell\Install\command
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\Install\command
then I changed the default setting inside those keys to:
C:\Windows\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1
if your OS is WINDOWS NT/2000/2003, change it to:
C:\Winnt\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1
At this point my BALIKIN.inf file is working again..... so I made a few modifications to the BALIKIN.inf source; roughly, the source looks like this:
[Version]
Signature="$Chicago$"
Provider=yooogy

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

; Put back the default open commands and shell settings that were hijacked.
; Inside an INF string a literal double quote is written as "", so """%1"" %*" yields "%1" %*
[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"
HKLM, SOFTWARE\Classes\exefile\DefaultIcon,,,"%1"
HKLM, SOFTWARE\Classes\VBSFile,,,"VBScript Script file"
HKLM, SOFTWARE\Classes\VBSFile\DefaultIcon,,,"C:\Windows\System32\WScript.exe,2"
HKLM, SOFTWARE\Classes\VBSFile\Shell\Edit\Command,,,"C:\Windows\system32\notepad.exe ""%1"""
; 0x00010001 = REG_DWORD. These are the default Folder Options values for hidden/system files.
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,UncheckedValue,0x00010001,1
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,CheckedValue,0x00010001,0
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,DefaultValue,0x00010001,0
HKLM, SOFTWARE\Classes\VBSFile, FriendlyTypeName,0,"@C:\Windows\System32\wshext.dll,-4802"

; Remove the policy locks, the autorun entry and the Image File Execution Options
; redirections. A line with no value name deletes the whole key.
[del]
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer,NoFolderOptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Run, Adobe
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDesktop
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFileAssociate
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderoptions
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableCMD
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system, DisableTaskmgr
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe, Debugger
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe, Debugger
HKLM, SOFTWARE\Classes\VBSFile, NeverShowExt
Then I right-clicked BALIKIN.INF and clicked INSTALL
and restarted the PC..... but at this point I still wasn't satisfied, because there were surely infected files that had been hidden...
I went into DOS [RUN - CMD] and typed:
attrib -s -h /s /d
and I checked every drive; wherever there was an autorun.exe file I deleted it
Oh yeah, I forgot..... before installing RegAlizer I used ProcessXP to KILL the wscript.exe that was active in memory!!!
Sooo...... for now I think my PC is a little bit safer!!!!!!
P.S.:
To all the masters out there, sorry if this topic of mine is a bit offensive or if anything in it doesn't sit right with you masters.... for all of it I apologize as sincerely and as humbly as I can!!!!!
STAY FIRED UP!!!!!!!
Issued by: yooogy
Issue date: Sun Jan 20, 2008 9:05 pm
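The repair INF above works because rundll32's InstallHinfSection runs [DefaultInstall], which pulls in the AddReg and DelReg sections named there. As an added example (not the poster's tool or any part of setupapi), this Python reader decodes such a file into the registry operations it will perform, so a repair INF can be reviewed before it is run; SAMPLE_INF is a constructed excerpt modelled on BALIKIN.inf, and using the csv module for field splitting assumes the file only uses standard INF quoting.

```python
"""Decode what an INF repair file's [DefaultInstall] will do to the registry.
Added example, not the poster's tool; SAMPLE_INF is a constructed excerpt of BALIKIN.inf."""
import csv

FLAG_TYPES = {0x0: "REG_SZ", 0x10001: "REG_DWORD", 0x20000: "REG_EXPAND_SZ"}  # setupapi type bits

SAMPLE_INF = r'''
[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del
[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,UncheckedValue,0x00010001,1
[del]
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe, Debugger
'''

def split_fields(line):
    """INF fields are comma-separated; quoted strings may hold commas and write a quote as ""."""
    return next(csv.reader([line], skipinitialspace=True))

def parse_sections(text):
    """Map lower-cased [section] name -> its non-empty lines, ';' comments removed."""
    sections, name = {}, None
    for line in (l.split(";", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1].lower(); sections[name] = []
        elif line and name is not None:
            sections[name].append(line)
    return sections

def registry_ops(text):
    """(action, root, subkey, value_name, reg_type, data) per entry; value_name None = default/whole key."""
    sections = parse_sections(text)
    install = dict(map(str.strip, l.split("=", 1)) for l in sections.get("defaultinstall", []))
    ops = []
    for directive, action in (("AddReg", "add"), ("DelReg", "delete")):
        for sec in install.get(directive, "").split(","):
            for line in sections.get(sec.strip().lower(), []):
                f = split_fields(line) + [""] * 5              # pad the optional fields
                root, subkey, value = f[0], f[1], f[2] or None
                if action == "delete":                         # no value name: delete the whole key
                    ops.append((action, root, subkey, value, None, None))
                    continue
                flags = int(f[3] or "0", 0)                    # 0x00010001 -> REG_DWORD
                rtype = FLAG_TYPES.get(flags & 0x30001, hex(flags))
                data = int(f[4], 0) if rtype == "REG_DWORD" else f[4]
                ops.append((action, root, subkey, value, rtype, data))
    return ops
```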