This VB script is intended to reset several registry entries that viruses commonly tamper with, especially local viruses on Windows XP.
Example symptoms:
- the IE title has been changed
- a message appears at logon
- hidden/system files are not visible
- Find, Folder Options, Run, Regedit, Task Manager, System Restore, wallpaper changes, hotkeys, Control Panel, and Log Off are blocked
- exe files belonging to Windows and AV products are blocked
- and so on.
How to use it:
- Copy and paste the entire script inside the code tag below into Notepad, then save it with Save as type = All Files and File name = RegFix.vbs
- Double-click RegFix.vbs
- Open Task Manager with [Ctrl+Alt+Del] or by right-clicking the Taskbar
- End Task/kill wscript.exe & cscript.exe if they are present/running
- Close Task Manager
- Double-click RegFix.vbs again
After that, run a full scan again with a local AV (ANSAV, GAV, PCMAV) AND an up-to-date foreign AV.

Code:
On Error Resume Next

Dim fso, WshShell, FlashDisk, Drives, winpath
Dim autoruninf, dekstopini

Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = WScript.CreateObject("WScript.Shell")
Set Drives = fso.Drives
Set winpath = fso.GetSpecialFolder(0)   ' Windows folder

' Registry path prefixes used below
Smwc = "\Software\Microsoft\Windows\CurrentVersion\"
Smwnc = "\Software\Microsoft\Windows NT\CurrentVersion\"
Spmn = "\Software\Policies\Microsoft\Windows NT\"
Smie = "\Software\Microsoft\Internet Explorer\"
Hsmwci = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"

' Restore file associations (a trailing backslash writes the key's default value)
WshShell.RegWrite "HKCR\.lnk\", "lnkfile"
WshShell.RegWrite "HKCR\.vbs\", "VBSFile"
WshShell.RegWrite "HKCR\vbsfile\", "VBScript Script File"
WshShell.RegWrite "HKCR\vbsfile\DefaultIcon\", "%SystemRoot%\System32\WScript.exe,2"
WshShell.RegWrite "HKCR\vbsfile\FriendlyTypeName", "@%SystemRoot%\System32\wshext.dll,-4802", "REG_EXPAND_SZ"
WshShell.RegDelete "HKCR\vbsfile\NeverShowExt"
WshShell.RegWrite "HKCR\inffile\shell\Install\command\", "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
WshShell.RegWrite "HKLM\Software\CLASSES\batfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\comfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\exefile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\piffile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\scrfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKCR\regfile\shell\open\command\", "regedit.exe ""%1"""
WshShell.RegWrite "HKCR\VBSFile\shell\edit\command\", "notepad.exe ""%1"""

' Switch off program-launch restrictions
WshShell.RegWrite "HKLM"&Smwc&"Policies\Explorer\RestrictRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Policies\Explorer\RestrictRun", "0", "REG_DWORD"
WshShell.RegWrite "HKLM"&Smwc&"Policies\Explorer\DisallowRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Policies\Explorer\DisallowRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Policies\Explorer\NoFileAssociate", "0", "REG_DWORD"

' Explorer view settings: show hidden/system files and file extensions
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Hidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\HideFileExt", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\SuperHidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Start_ShowRun", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Start_ShowSearch", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Start_ShowHelp", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\HideIcons", "0", "REG_DWORD"

' IE start page, Winlogon shell/userinit, App Paths, System Restore
WshShell.RegWrite "HKCU"&Smie&"Main\Start Page", "about:blank"
WshShell.RegWrite "HKLM"&Smwnc&"Winlogon\Shell", "Explorer.exe"
WshShell.RegWrite "HKLM"&Smwnc&"Winlogon\Userinit", winpath & "\system32\userinit.exe,"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\HELPCTR.EXE\", winpath & "\PCHealth\HelpCtr\Binaries\helpctr.exe"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\HELPCTR.EXE\Path", winpath & "\PCHealth\HelpCtr\Binaries\"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\MSCONFIG.EXE\", winpath & "\PCHealth\HelpCtr\Binaries\msconfig.exe"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\MSCONFIG.EXE\Path", winpath & "\PCHealth\HelpCtr\Binaries\"
WshShell.RegWrite "HKLM"&Smwnc&"SystemRestore\DisableSR", "0", "REG_DWORD"
WshShell.RegDelete "HKLM"&Spmn&"SystemRestore\DisableSR"

' Remove policy lockouts, the logon message and the IE window title
WshShell.RegDelete "HKLM"&Smwc&"Policies\Explorer\NoLogOff"
WshShell.RegDelete "HKLM"&Smwc&"Policies\Explorer\NoControlPanel"
WshShell.RegDelete "HKLM"&Smwc&"Winlogon\LegalNoticeCaption"
WshShell.RegDelete "HKLM"&Smwc&"Winlogon\LegalNoticeText"
WshShell.RegDelete "HKLM"&Smwnc&"Winlogon\LegalNoticeCaption"
WshShell.RegDelete "HKLM"&Smwnc&"Winlogon\LegalNoticeText"
WshShell.RegDelete "HKLM"&Smwc&"Run\Ageia"
WshShell.RegDelete "HKCU"&Smie&"Main\Window Title"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoFind"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoFolderOptions"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoRun"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoViewContextMenu"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoTrayContextMenu"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoWinKeys"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableTaskMgr"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableRegedit"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableCMD"
WshShell.RegDelete "HKCU"&Smwc&"Policies\ActiveDesktop\NoChangingWallpaper"
WshShell.RegDelete "HKCU"&Smwc&"Explorer\RunMRU\"

' Remove Image File Execution Options keys used to block Windows and AV executables
WshShell.RegDelete Hsmwci&"cmd.exe\"
WshShell.RegDelete Hsmwci&"helpctr.exe\"
WshShell.RegDelete Hsmwci&"msconfig.exe\"
WshShell.RegDelete Hsmwci&"regedit.exe\"
WshShell.RegDelete Hsmwci&"regedt32.exe\"
WshShell.RegDelete Hsmwci&"TaskMgr.exe\"
WshShell.RegDelete Hsmwci&"attrib.exe\"
WshShell.RegDelete Hsmwci&"install.exe\"
WshShell.RegDelete Hsmwci&"setup.exe\"
WshShell.RegDelete Hsmwci&"PCMAV.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-CLN.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-RTP.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-SE.exe\"
WshShell.RegDelete Hsmwci&"VB6.exe\"
WshShell.RegDelete Hsmwci&"autorun.exe\"
WshShell.RegDelete Hsmwci&"ansav.exe\"
WshShell.RegDelete Hsmwci&"ansavgd.exe\"
WshShell.RegDelete Hsmwci&"avscan.exe\"
WshShell.RegDelete Hsmwci&"avgnt.exe\"
WshShell.RegDelete Hsmwci&"gav.exe\"
WshShell.RegDelete Hsmwci&"iexplore.exe\"
WshShell.RegDelete Hsmwci&"firefox.exe\"
WshShell.RegDelete Hsmwci&"procexp.exe\"
WshShell.RegDelete Hsmwci&"procexpNT.exe\"
WshShell.RegDelete Hsmwci&"AppSvc32.exe\"
WshShell.RegDelete Hsmwci&"ccApp.exe\"
WshShell.RegDelete Hsmwci&"ccSvcHst.exe\"
WshShell.RegDelete Hsmwci&"Rtvscan.exe\"
WshShell.RegDelete Hsmwci&"Smc.exe\"
WshShell.RegDelete Hsmwci&"SmcGui.exe\"
WshShell.RegDelete Hsmwci&"egui.exe\"
WshShell.RegDelete Hsmwci&"ekrn.exe\"
WshShell.RegDelete Hsmwci&"RegistryEditor.exe\"
WshShell.RegDelete Hsmwci&"wordpad.exe\"
WshShell.RegDelete Hsmwci&"viremoval.exe\"
WshShell.RegDelete Hsmwci&"viremover.exe\"

' Delete autorun.inf and dekstop.ini from the root of removable (1) and fixed (2) drives
For Each FlashDisk In fso.Drives
    If (FlashDisk.DriveType = 1 Or FlashDisk.DriveType = 2) And FlashDisk.Path <> "A:" Then
        If FlashDisk.IsReady Then
            autoruninf = FlashDisk.Path & "\autorun.inf"
            If fso.FileExists(autoruninf) Then fso.DeleteFile autoruninf, True
            dekstopini = FlashDisk.Path & "\dekstop.ini"
            If fso.FileExists(dekstopini) Then fso.DeleteFile dekstopini, True
        End If
    End If
Next
Notes:
- The script above will be flagged by ANSAV (I tested v1.9.3) as VBS.Tunggul.E. No problem, that is just a false alarm. I am trying to ask ANVIE about it.
- If Windows still shows "odd" symptoms, please post here and I will add the script for it.
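
An added example, not part of the original post: a read-only Python audit over registry export text that lists the kinds of tampering the script above reverses (Image File Execution Options `Debugger` hijacks, active policy lockouts, a replaced Winlogon shell, a logon message), so the changes can be recorded before they are reset. The sample export, the placeholder path, and the function names are constructed for illustration.

```python
import re

# Policy values the script deletes; a non-zero dword means the lockout is active.
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools", "disableregedit", "disablecmd",
                 "nofind", "nofolderoptions", "norun", "nocontrolpanel", "nologoff", "nowinkeys"}
IFEO = "\\image file execution options\\"
WINLOGON = "\\windows nt\\currentversion\\winlogon"
# Constructed sample of .reg export text (not taken from a real machine).
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\example-placeholder.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"LegalNoticeCaption"="constructed caption"
"""

def parse_reg(text):
    """Yield (key, value_name, raw_data) for each named value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                yield key, m.group(1), m.group(2)

def audit(text):
    """Return (category, name, raw_data) for entries the repair script would reset."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if IFEO in k and n == "debugger":
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[1], data))
        elif "\\policies\\" in k and n in POLICY_VALUES and data != "dword:00000000":
            findings.append(("policy-lockout", name, data))
        elif k.endswith(WINLOGON) and n == "shell" and data.strip('"').lower() != "explorer.exe":
            findings.append(("winlogon-shell", name, data))
        elif k.endswith(WINLOGON) and n.startswith("legalnotice") and data != '""':
            findings.append(("logon-message", name, data))
    return findings

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

The `Debugger` data in a finding names the program that runs in place of the blocked executable, which is worth noting before the key is deleted.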