Script VB Virus Lokal (GALUH of King)

Script VB ini dimaksudkan utk mereset kembali bbrp entry registry yang biasa diacak-acak oleh virus, terutama virus lokal di Windows XP.

Contoh gejalanya:
- title IE diubah
- ada pesan waktu logon
- File hidden/system tak terlihat
- blokir Find, FolderOptions, Run, Regedit, Task Manager, System Restore, perubahan Wallpaper, Hotkey, Control Panel, Log Off
- blokir file-file exe milik Windows dan AV
- dlsb..

Caranya:
- Copy-Paste semu script yang ada di dlm tag code di bawah ini ke Notepad, save dgn Save as type = Al Files dan File name = RegFix.vbs
- Dobelklik RegFix.vbs
- Buka Task Manager dgn cara [Ctrl+Alt+Del] atau klik kanan Taskbar
- Endtask/Kill wscript.exe & cscript.exe kalo ada/running
- Tutup Task Manager
- Dobelklik lagi RegFix.vbs
Code:
on error resume next
Dim fso, WshShell, FlashDisk, Drives, winpath
Dim autoruninf, dekstopini
Set fso = CreateObject("Scripting.FileSystemObject")
Set WshShell = CreateObject("Wscript.Shell")
Set Drives = fso.drives
Set winpath = fso.GetSpecialFolder(0)

Smwc = "\Software\Microsoft\Windows\CurrentVersion\"
Smwnc = "\Software\Microsoft\Windows NT\CurrentVersion\"
Spmw = "\Software\Policies\Microsoft\Windows\"
Spmn = "\Software\Policies\Microsoft\Windows NT\"
Smie = "\Software\Microsoft\Internet Explorer\"
Hsmwci = "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\"
WshShell.RegWrite "HKCR\.lnk\", "lnkfile"
WshShell.RegWrite "HKCR\.vbs\", "VBSFile"
WshShell.RegWrite "HKCR\vbsfile\", "VBScript Script File"
WshShell.RegWrite "HKCR\vbsfile\DefaultIcon", "%SystemRoot%\System32\WScript.exe,2"
WshShell.RegWrite "HKCR\vbsfile\FriendlyTypeName", "@%SystemRoot%\System32\wshext.dll,-4802", "REG_EXPAND_SZ"
WshShell.RegDelete "HKCR\vbsfile\NeverShowExt"
WshShell.RegWrite "HKCR\inffile\shell\Install\command\", "%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1"
WshShell.RegWrite "HKLM\Software\CLASSES\batfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\comfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\exefile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\piffile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKLM\Software\CLASSES\scrfile\shell\open\command\", """%1"" %*"
WshShell.RegWrite "HKCR\regfile\shell\open\command\", "regedit.exe ""%1"""
WshShell.RegWrite "HKCR\VBSFile\shell\edit\command\", "notepad.exe ""%1"""
WshShell.RegWrite "HKLM"&Smwc&"Policies\Explorer\RestrictRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Policies\Explorer\RestrictRun", "0", "REG_DWORD"
WshShell.RegWrite "HKLM"&Smwc&"Policies\Explorer\DisallowRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Policies\Explorer\DisallowRun", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Policies\Explorer\NoFileAssociate", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Hidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\HideFileExt", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\SuperHidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\ShowSuperHidden", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Start_ShowRun", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Start_ShowSearch", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\Start_ShowHelp", "1", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smwc&"Explorer\Advanced\HideIcons", "0", "REG_DWORD"
WshShell.RegWrite "HKCU"&Smie&"Main\Start Page", "about:blank"
WshShell.RegWrite "HKLM"&Smwnc&"Winlogon\Shell", "Explorer.exe"
WshShell.RegWrite "HKLM"&Smwnc&"Winlogon\Userinit", winpath & "\system32\userinit.exe,"
WshShell.RegWrite "HKLM"&Smwnc&"Winlogon\Shell", "Explorer.exe"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\HELPCTR.EXE\", winpath & "\PCHealth\HelpCtr\Binaries\helpctr.exe"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\HELPCTR.EXE\Path", winpath & "\PCHealth\HelpCtr\Binaries\"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\MSCONFIG.EXE\", winpath & "\PCHealth\HelpCtr\Binaries\msconfig.exe"
WshShell.RegWrite "HKLM"&Smwc&"App Paths\MSCONFIG.EXE\Path", winpath & "\PCHealth\HelpCtr\Binaries\"
WshShell.RegWrite "HKLM"&Smwnc&"SystemRestore\DisableSR", "0", "REG_DWORD"
WshShell.RegDelete "HKLM"&Smwc&"App Paths\regedit.exe\"
WshShell.RegDelete "HKLM"&Smwc&"App Paths\regedt32.exe\"
WshShell.RegDelete "HKLM"&Spmn&"SystemRestore\DisableSR"
WshShell.RegDelete "HKLM"&Smwc&"Policies\Explorer\NoLogOff"
WshShell.RegDelete "HKLM"&Smwc&"Policies\Explorer\NoControlPanel"
WshShell.RegDelete "HKLM"&Smwc&"Winlogon\LegalNoticeCaption"
WshShell.RegDelete "HKLM"&Smwc&"Winlogon\LegalNoticeText"
WshShell.RegDelete "HKLM"&Smwnc&"Winlogon\LegalNoticeCaption"
WshShell.RegDelete "HKLM"&Smwnc&"Winlogon\LegalNoticeText"
WshShell.RegDelete "HKLM"&Smwc&"Run\Ageia"
WshShell.RegDelete "HKCU"&Smie&"Main\Window Title"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoFind"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoFolderOptions"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoRun"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoViewContextMenu"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoTrayContextMenu"
WshShell.RegDelete "HKCU"&Smwc&"Policies\Explorer\NoWinKeys"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableRegistryTools"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableTaskMgr"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableRegedit"
WshShell.RegDelete "HKCU"&Smwc&"Policies\System\DisableCMD"
WshShell.RegDelete "HKCU"&Smwc&"Policies\ActiveDesktop\NoChangingWallpaper"
WshShell.RegDelete "HKCU"&Smwc&"Explorer\RunMRU\"
WshShell.RegDelete Hsmwci&"cmd.exe\"
WshShell.RegDelete Hsmwci&"helpctr.exe\"
WshShell.RegDelete Hsmwci&"msconfig.exe\"
WshShell.RegDelete Hsmwci&"regedit.exe\"
WshShell.RegDelete Hsmwci&"regedt32.exe\"
WshShell.RegDelete Hsmwci&"TaskMgr.exe\"
WshShell.RegDelete Hsmwci&"attrib.exe\"
WshShell.RegDelete Hsmwci&"install.exe\"
WshShell.RegDelete Hsmwci&"setup.exe\"
WshShell.RegDelete Hsmwci&"PCMAV.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-CLN.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-RTP.exe\"
WshShell.RegDelete Hsmwci&"PCMAV-SE.exe\"
WshShell.RegDelete Hsmwci&"VB6.exe\"
WshShell.RegDelete Hsmwci&"autorun.exe\"
WshShell.RegDelete Hsmwci&"ansav.exe\"
WshShell.RegDelete Hsmwci&"ansavgd.exe\"
WshShell.RegDelete Hsmwci&"avscan.exe\"
WshShell.RegDelete Hsmwci&"avgnt.exe\"
WshShell.RegDelete Hsmwci&"gav.exe\"
WshShell.RegDelete Hsmwci&"iexplore.exe\"
WshShell.RegDelete Hsmwci&"firefox.exe\"
WshShell.RegDelete Hsmwci&"procexp.exe\"
WshShell.RegDelete Hsmwci&"procexpNT.exe\"
WshShell.RegDelete Hsmwci&"AppSvc32.exe\"
WshShell.RegDelete Hsmwci&"ccApp.exe\"
WshShell.RegDelete Hsmwci&"ccSvcHst.exe\"
WshShell.RegDelete Hsmwci&"Rtvscan.exe\"
WshShell.RegDelete Hsmwci&"Smc.exe\"
WshShell.RegDelete Hsmwci&"SmcGui.exe\"
WshShell.RegDelete Hsmwci&"egui.exe\"
WshShell.RegDelete Hsmwci&"ekrn.exe\"
WshShell.RegDelete Hsmwci&"RegistryEditor.exe\"
WshShell.RegDelete Hsmwci&"wordpad.exe\"
WshShell.RegDelete Hsmwci&"viremoval.exe\"
WshShell.RegDelete Hsmwci&"viremover.exe\"

For Each FlashDisk In fso.drives
If (FlashDisk.drivetype = 1 Or FlashDisk.drivetype = 2) And FlashDisk.Path <> "A:" Then
set autoruninf = fso.GetFile(FlashDisk.Path & "\autorun.inf")
autoruninf.Delete true
set dekstopini = fso.GetFile(FlashDisk.Path & "\dekstop.ini")
dekstopini.Delete true
End If
Next



Setelah itu, full scan kembali dgn AV lokal (ANSAV, GAV, PCMAV) DAN AV luar terupdate.

Catatan:
- Script diatas akan dicurigai ANSAV (saya tes v1.9.3) sbg VBS.Tunggul.E
gak masalah, itu cuma false alarm. saya sedang coba tanyakan ke ANVIE.
_________________
"Knowing is nothing, applying what you know is everything" --Konosuke Matsushita, Founder National/Panasonic