Thursday, June 11, 2009

Characteristics of the MaHaDeWa virus and how to remove it


VBS.Autorun.AM (MaHaDeWa who dare to be different)

Characteristics of MaHaDeWa

1. Changes the Internet Explorer window title to "MaHaDeWa Labkom UBL"
2. Changes the Internet Explorer start page to http://webkom
3. Changes the registered organization and owner name of Windows:
- RegisteredOrganization = Your computer has been clean from Viruses by Nita MaHaDeWa
- RegisteredOwner = MaHaDeWa

How to clean VBS.Autorun.AM

1. Terminate the virus process, which runs under the name WScript.exe (the Windows Script Host that executes the .vbs file). You can use Task Manager or a Task Manager replacement such as Process Explorer, which can be downloaded from http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
2. To keep the virus from running again, block the file MaHaDeWa.dll.vbs with a Software Restriction Policies hash rule [if you use Windows XP Professional or Windows 2003]. A hash rule identifies the file by its contents, so it still matches if the file is renamed or copied elsewhere. How:
- Click "Start"
- Click "Run"
- Type "secpol.msc" (without the quotes) and press Enter
- In "Local Security Settings", right-click the "Software Restriction Policies" folder and click "Create New Policies"
- Then right-click the "Additional Rules" folder
- Click "New Hash Rule"
- Under "File hash", click the "Browse" button and navigate to the file MaHaDeWa.dll.vbs
- Click "Open", leave the security level at "Disallowed" and click "OK"

Note:
The virus file is hidden, so before you can browse to it you must first change the setting in Folder Options to show hidden files (Folder Options, View, "Show hidden files and folders").

3. Repair the registry entries created by MaHaDeWa. To simplify the repair, copy the script below into Notepad and save it with the name repair.inf. The [UnhookRegKey] section restores the .bat/.com/.exe/.pif/.reg/.scr file associations, the Winlogon shell, the Internet Explorer start page and the registered owner/organization, and sets NoDriveTypeAutoRun to 255 (0xFF), which disables AutoRun on every drive type; the [del] section removes the virus's Run entries and the policy values it used to hide Run, Find, the Control Panel, drives and msconfig. Run the file as follows:

- Right-click repair.inf
- Click Install

[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "About:blank"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOrganization,0, "Organization"
HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion, RegisteredOwner,0, "Owner"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Systemdir
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeCaption
HKLM, Software\Microsoft\Windows\CurrentVersion\Winlogon, LegalNoticeText
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUList, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, a
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, NoChangingWallpaper
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoClose
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoControlPanel
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFind
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoRun
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoStartMenuMorePrograms
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoTrayContextMenu
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoViewOnDrive
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoWinKeys
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Advanced, Hidden
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableMsConfig
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoControlPanel
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer, NoLogOff

4. Delete the main virus files from the locations below (the virus drops the first two in the root of every drive, including removable ones, so check each drive):
- C:\MaHaDeWa.dll.vbs (all drives)
- C:\autorun.inf (all drives)
- C:\Windows\system32\WinXP.dll.vbs
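To make step 3 and step 4 concrete, here is an added Python example; it is not code from the original post or from Vaksincom. It parses INF-style text with one small parser and uses it twice: to list the registry operations the repair.inf above will perform (AddReg versus DelReg, with the value type decoded from the INF flag field), and to flag the entries in an autorun.inf that hand execution to a script host. The embedded repair.inf is an abridged copy of the script above; the autorun.inf is a constructed sample in the style such a worm drops, not the actual file from this virus.

```python
import re

# Abridged copy of the repair.inf from the post (a few representative lines).
REPAIR_INF = r'''
[Version]
Signature="$Chicago$"
Provider=Vaksincom Oyee

[DefaultInstall]
AddReg=UnhookRegKey
DelReg=del

[UnhookRegKey]
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Internet Explorer\Main, Start Page,0, "About:blank"
HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoDriveTypeAutoRun,0x00010001,255

[del]
HKCU, Software\Microsoft\Internet Explorer\Main, Window Title
HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Ageia
'''

# Constructed autorun.inf (assumption: typical layout for a VBS autorun worm, not the real dropped file).
AUTORUN_INF = r'''
[autorun]
open=wscript.exe MaHaDeWa.dll.vbs
shellexecute=wscript.exe MaHaDeWa.dll.vbs
shell\Open\command=wscript.exe MaHaDeWa.dll.vbs
shell=Open
'''

# INF AddReg flag bits (setupapi FLG_ADDREG_TYPE_*), masked with FLG_ADDREG_TYPE_MASK.
REG_TYPES = {0x0: "REG_SZ", 0x1: "REG_BINARY", 0x10000: "REG_MULTI_SZ",
             0x10001: "REG_DWORD", 0x20000: "REG_EXPAND_SZ"}
SCRIPT_HOSTS = ("wscript", "cscript", "mshta")
SCRIPT_FILE_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta)\b")


def parse_inf(text):
    """Split INF/INI text into {section_name_lowercase: [entry, ...]}, dropping ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def reg_type(flags):
    """Decode the AddReg flag field ('' or '0' means REG_SZ, 0x00010001 means REG_DWORD)."""
    try:
        return REG_TYPES.get(int(flags, 0) & 0xFFFF0001 if flags else 0, "unknown")
    except ValueError:
        return "unknown"


def registry_plan(inf_text):
    """Return (action, root, subkey, value_name, value_type) for everything [DefaultInstall] applies."""
    inf = parse_inf(inf_text)
    directives = {k.strip(): v.strip() for k, v in
                  (kv.split("=", 1) for kv in inf.get("defaultinstall", []) if "=" in kv)}
    plan = []
    for directive, action in (("AddReg", "set"), ("DelReg", "delete")):
        for section in directives.get(directive, "").split(","):
            for entry in inf.get(section.strip().lower(), []):
                # AddReg line: root, subkey, value-name, flags, data   (value-name empty = default value)
                fields = [f.strip() for f in entry.split(",", 3)]
                root, subkey = fields[0], fields[1]
                value_name = fields[2] if len(fields) > 2 and fields[2] else "(Default)"
                vtype = None
                if action == "set":
                    flags = fields[3].split(",", 1)[0].strip() if len(fields) > 3 else ""
                    vtype = reg_type(flags)
                plan.append((action, root, subkey, value_name, vtype))
    return plan


def autorun_findings(autorun_text):
    """Return [autorun] entries that launch a script host or a script file: the AutoRun infection vector."""
    findings = []
    for entry in parse_inf(autorun_text).get("autorun", []):
        key, _, target = entry.partition("=")
        key, target = key.strip().lower(), target.strip()
        launches = key in ("open", "shellexecute") or key.endswith("\\command")
        if launches and (any(h in target.lower() for h in SCRIPT_HOSTS)
                         or SCRIPT_FILE_RE.search(target.lower())):
            findings.append((key, target))
    return findings


if __name__ == "__main__":
    for op in registry_plan(REPAIR_INF):
        print(op)
    for key, target in autorun_findings(AUTORUN_INF):
        print("suspicious autorun entry:", key, "=", target)
```

Run against a real autorun.inf copied off a drive root, `autorun_findings` gives a quick yes/no on whether inserting that drive would have started a script; an empty result for a disc whose autorun.inf only sets `icon=` or `label=` is the benign case. The registry plan is also a convenient way to review a repair script from any source before installing it: every key it touches is listed, with nothing executed.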
