Trojan Amburadul
Written by pnyet   

The article below was taken from ansav.com; hopefully it is useful.

#########################
# TROJAN AMBURADUL/PARAYSUTKI #
################dexlip 2008#

File: FoToKu 15-4-2008.exe
Size: 51712 Bytes
MD5: 2249E246785B066C410DFD663B5E2204
CRC32: CBC8D6C2 & 53F5B340
Packer: None/Custom | VB 5 / 6

File Properties: CompanyName = JPEG Image
                 FileDescription = 1024 x 768


# Files created:
###################
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\services.exe
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\WINDOWS\system32\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll


Creates an autorun.inf on every drive:
[Autorun]
UseAutoPlay=1
Icon=%SystemRoot%\system32\SHELL32.dll,7
Shellexecute=MyImages.exe



# Registry
##########
HKCU\Software\Microsoft\Internet Explorer\Main
"Window Title"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
"EnableLUA"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVManager" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\csrss.exe"
"NarmonVirusAnti" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\smss.exe"
"NviDiaGT" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\lsass.exe"
"ConfigVir" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\services.exe"
"PaRaY_VM" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\winlogon.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"Shell"

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
"HideFileExt"
"SuperHidden"
"ShowSuperHidden"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
"Type"
"UncheckedValue"
"DefaultValue"
"CheckedValue"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt

HKCR\exefile
"NeverShowExt"

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
"DisableConfig"
"DisableSR"

HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
"LimitSystemRestoreCheckpointing"
"DisableMSI"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoFind"

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableRegistryTools"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
RegDeleteKeyA {4D36E97D-E325-11CE-BFC1-08002BE10318}


# REMOVAL!
##########

It blocks a whole lot of processes, including Ansav, and also several local trojans/worms..
but a trick like this is really easy to get around..

You have Ansav, right? Great! Don't forget to also download SmadAV and Dial-a-fix!

The steps:
1. Go into the Ansav folder, then rename ansav.exe to anything (example: ansavasd.exe)
2. Double-click that ansavasd.exe while holding down the "B" key
3. Go to the "process image finder" plugin and, at the bottom, press the "kill all VB process" button
4. Run SmadAV and press the "scan system" button, wait about 2 minutes and press stop. Why? Because we only want to scan the registry entries that were changed.. after that press Fix All
5. Use MalTrack/SmadAV to delete the virus via a sample..
6. Open regedit and delete all of the keys below:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"AVManager" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\csrss.exe"
"NarmonVirusAnti" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\smss.exe"
"NviDiaGT" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\lsass.exe"
"ConfigVir" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\services.exe"
"PaRaY_VM" = "c:\windows\system32\~a~m~b~u~r~a~d~u~l~\winlogon.exe"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe

7. Open Dial-a-fix, then press the button with the green checkmark icon.. and run..
8. Restart.. done ^_^

Good luck..
P.S.: don't forget to delete autorun.inf on every drive..
if any are hidden, just reveal them with the Ansav hidden revealer..
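The indicators listed in the analysis (the Run values, the IFEO keys, the deleted SafeBoot class key, the hidden drop directory, the autorun.inf on each drive) and the registry deletions in step 6 of the removal procedure can be checked and cleaned with a script instead of by hand. The following is an added example written for this page; it is not code from the ansav.com write-up, from Ansav or from SmadAV. The registry paths, value names, file names and the MD5 are taken from the analysis above. The function Remove-IfRequested, the -Remove switch, the use of the IFEO "Debugger" value and the reading of the policy values are this example's own assumptions. Run it from an elevated PowerShell; with -Remove -WhatIf it only previews what it would delete.

```powershell
# Audit a Windows host for the Amburadul/Paraysutki indicators from the analysis above
# and, with -Remove, delete the persistence entries that removal step 6 lists by hand.
# Added example: paths, value names, file names and the MD5 come from the analysis; the
# function, the -Remove switch and the comments are assumptions of this example.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$RunKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValues = 'AVManager', 'NarmonVirusAnti', 'NviDiaGT', 'ConfigVir', 'PaRaY_VM'
$IfeoKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$IfeoTargets = 'kspoold.exe', 'kspool.exe', 'msconfig.exe', 'rstrui.exe', 'wscript.exe',
  'mmc.exe', 'HokageFile.exe', 'Rin.exe', 'Obito.exe', 'KakashiHatake.exe', 'boot.exe',
  'HOKAGE4.exe', 'PCMAV-CLN.exe', 'PCMAV-RTP.exe', 'SMP.exe', 'Ansav.exe', 'Ansavgd.exe',
  'Setup.exe', 'Instal.exe', 'Install.exe', 'procexp.exe', 'msiexec.exe', 'cmd.exe',
  'tasklist.exe', 'taskkill.exe'
$DropDir   = Join-Path $env:SystemRoot 'system32\~A~m~B~u~R~a~D~u~L~'
$SampleMd5 = '2249E246785B066C410DFD663B5E2204'   # MD5 of FoToKu 15-4-2008.exe (from the analysis)
$SafeBoot  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}'
$findings  = New-Object System.Collections.Generic.List[string]

function Remove-IfRequested {
    # Deletes a registry value (when -Name is given) or a registry key / file. Acts only
    # when the script was started with -Remove, and honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Path, [string]$Name)
    if (-not $Remove) { return }
    if ($Name) {
        if ($PSCmdlet.ShouldProcess("$Path\$Name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $Path -Name $Name
        }
    } elseif ($PSCmdlet.ShouldProcess($Path, 'Remove-Item')) {
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# 1. Run-key persistence: the five values that launch the system-process lookalikes.
if (Test-Path $RunKey) {
    $run = Get-ItemProperty -Path $RunKey
    foreach ($name in $RunValues) {
        $prop = $run.PSObject.Properties[$name]
        if ($prop) {
            $findings.Add("Run value '$name' = $($prop.Value)")
            Remove-IfRequested -Path $RunKey -Name $name
        }
    }
}

# 2. IFEO keys for the blocked tools. Windows starts whatever the 'Debugger' value names
#    instead of the tool; that value name is general Windows knowledge, not from the analysis.
foreach ($exe in $IfeoTargets) {
    $key = Join-Path $IfeoKey $exe
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $key).Debugger
        $findings.Add("IFEO key for $exe (Debugger = '$dbg')")
        Remove-IfRequested -Path $key
    }
}

# 3. Safe Mode sabotage: the analysis reports RegDeleteKeyA on this class GUID under
#    SafeBoot\Minimal. A clean install has the key, so its absence is a finding.
if (-not (Test-Path -LiteralPath $SafeBoot)) { $findings.Add("SafeBoot\Minimal class key missing: $SafeBoot") }

# 4. Winlogon shell (default explorer.exe) and the lockdown policies the trojan touches.
#    The analysis names the values but not what it writes, so non-zero values are reported.
$shell = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and $shell -ne 'explorer.exe') { $findings.Add("Winlogon Shell = '$shell'") }
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFind' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR' }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableConfig' }
)
foreach ($p in $policies) {
    $v = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($p.Name) -ne 0) { $findings.Add("Policy $($p.Name) = $($v.($p.Name)) under $($p.Path)") }
}

# 5. Dropped files: the hidden directory, each file's MD5 compared with the sample.
#    Files are only reported here; delete them once the processes are dead (steps 1-3).
if (Test-Path -LiteralPath $DropDir) {
    $findings.Add("Drop directory present: $DropDir")
    foreach ($f in Get-ChildItem -LiteralPath $DropDir -File -Force) {
        $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
        $tag = if ($md5 -eq $SampleMd5) { ' (matches analysed sample)' } else { '' }
        $findings.Add("  $($f.Name), $($f.Length) bytes, MD5 $md5$tag")
    }
}

# 6. autorun.inf at the root of every drive, as the closing note recommends.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $launch = Get-Content -LiteralPath $inf -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_ -match '^\s*(shellexecute|open)\s*=' }
        $findings.Add("autorun.inf on $($drive.Root): $($launch -join '; ')")
        Remove-IfRequested -Path $inf
    }
}

if ($findings.Count -eq 0) { 'No Amburadul/Paraysutki indicators found.' } else { $findings }
```

Dropped files are deliberately only reported: as the procedure says, the running VB processes have to be killed first (a file that is still executing cannot be deleted), and the hidden drop directory needs -Force to be listed at all. Everything the script would delete goes through ShouldProcess, so `.\audit.ps1 -Remove -WhatIf` shows the full list of deletions without making any change.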
Comments
dexlip - Correction | 125.163.24.xxx | 12-09-2008 05:40:54
Is there really a post of mine on vaksin.com?

I'm pretty sure this post is
on ansav.com:
http://www.ansav.com/index.php?option=com_fireb...
pnyet - Huheheheh | 202.47.75.xxx | 12-09-2008 09:15:39
Yeah, I wrote the wrong source, sorry, sorry....
It has been edited.