
Here is a procedure for people looking to stop this virus. I cannot guarantee it will make your system 100% clean, but it will stop the virus.
1. Unplug every network cable connected to your computer.
2. It is better to clean your computer in Safe Mode.
3. Kill the virus process; you can use KillVB to do this. Before you kill the virus process, rename the KillVB file from .exe to .scr so the virus cannot stop it from running.

4. Delete the registry keys created by the virus; use this simple VBS script (save it as a .vbs file and run it with cscript as an administrator).
' Undo the registry changes made by the virus and restore the Windows defaults.
Dim oWSH: Set oWSH = CreateObject("WScript.Shell")
On Error Resume Next   ' keys the virus never created are simply skipped

' Restore the default "open" command for executable and script file types
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\lnkfile\shell\open\command\", """%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command\", "regedit.exe %1"

' Re-enable the Registry Editor
oWSH.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools"

' Restore the Safe Mode command prompt shell and the normal Windows shell
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell", "cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe"

' Restore file-type names, the crash debugger, the IE start page, the screen saver and the EXE icon
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\", "Application"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\", "Setup Information"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger", ""
oWSH.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page", "About:Blank"
oWSH.RegWrite "HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE", ""
oWSH.RegWrite "HKEY_CLASSES_ROOT\exefile\DefaultIcon\", "%1"

' Remove the policies that disable Task Manager, Search, Folder Options, Run, System Restore and the command prompt
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetTaskbar"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCMD"
oWSH.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableCMD"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI"
oWSH.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Windows Title"

' Remove the autorun entries the virus uses to start at logon
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Monitoring "
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LogonNetworkService"
oWSH.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\st4rg4tE"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"
oWSH.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun\"
oWSH.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun"
oWSH.RegDelete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFind"

' Remove the "Image File Execution Options" debugger keys the virus uses to hijack
' antivirus tools and system utilities (a Debugger value there makes Windows start
' the virus instead of the named program). A trailing backslash deletes the whole key.
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav32.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avscan.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWinPortable.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.com\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe\"
' Debugger is a value, not a subkey, so no trailing backslash here
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\Debugger"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ViRemoval.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winamp.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winrar.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winzip.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antv-md5-pattern.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistriEditor.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killvb.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nip.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nipsvc.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njeeves.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvccf.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcoas.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcod.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zanda.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe\"
oWSH.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\URemovalCRC32.exe\"

' Restore the icons and "open" handlers of the file types the virus disguises itself as
oWSH.RegWrite "HKEY_CLASSES_ROOT\mp3file\DefaultIcon\", "C:\Program Files\Windows Media Player\wmplayer.exe,-120"
oWSH.RegWrite "HKEY_CLASSES_ROOT\inffile\DefaultIcon\", "shell32.dll,-151"
oWSH.RegWrite "HKEY_CLASSES_ROOT\inifile\DefaultIcon\", "shell32.dll,-151"
oWSH.RegWrite "HKEY_CLASSES_ROOT\mpegfile\DefaultIcon\", "shell32.dll,-120"
oWSH.RegWrite "HKEY_CLASSES_ROOT\mp3file\shell\open\command\", "C:\Program Files\Windows Media Player\wmplayer.exe"
oWSH.RegWrite "HKEY_CLASSES_ROOT\mpegfile\shell\open\command\", "C:\Program Files\Windows Media Player\wmplayer.exe"
oWSH.RegWrite "HKEY_CLASSES_ROOT\txtfile\", "Text Documents"
oWSH.RegWrite "HKEY_CLASSES_ROOT\txtfile\DefaultIcon\", "shell32.dll,-152"
oWSH.RegWrite "HKEY_CLASSES_ROOT\jpegfile\", "JPEG Image"
oWSH.RegWrite "HKEY_CLASSES_ROOT\jpegfile\DefaultIcon\", "shimgvw.dll,3"
oWSH.RegWrite "HKEY_CLASSES_ROOT\dllfile\DefaultIcon\", "shell32.dll,-154"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inifile\shell\open\command\", "C:\WINDOWS\System32\notepad.exe %1"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\shell\open\command\", "C:\WINDOWS\System32\notepad.exe %1"
oWSH.RegWrite "HKEY_CLASSES_ROOT\Directory\shell\", "none"
oWSH.RegWrite "HKEY_CLASSES_ROOT\Folder\shell\", ""

Set oWSH = Nothing
WScript.Echo "Registry cleanup finished."
5. Delete the virus master file using the Windows search function. Look for files that:
- use a folder icon
- are at most 46 KB in size
- are of file type "Application"
- have the extension .com or .exe
7. To make sure your computer is clean from this virus after doing the 6 steps above, scan your computer again with a good antivirus.