Confusion

Wow, I'm really confused right now. My money is almost completely drained by the wedding costs. Well, that's getting married for you: it takes a lot of money for this and that, for all the odds and ends.

“Sometimes I get confused: what will it be like after getting married?
Afraid I won't be able to put food on the table,
Afraid I won't be able to be a good leader,
What will happen to my business after I marry,
Even though my savings are almost gone, and I expect they will be used up by the time of the wedding,
so what now?
In the middle of so many needs, I plucked up the courage to sign up for an event that is fairly expensive to attend for 2 days. In Jakarta, too.
But I think this event will, God willing, be worthwhile..
May Allah SWT grant and bestow knowledge on me through this event..
and may it be of use for carrying on life in this world.
May the cost of this event be repaid many times over; I went out of my way to pay this much for it, even though there are still many wedding expenses..
May Allah SWT be pleased with my steps..
May I be granted sustenance that is abundant, blessed, halal and good..
May we become a family that is sakinah, mawaddah, warahmah..
May my business go smoothly, the online business too, and may the property business move forward.. Amin ya Allah Amin..

40 MISTAKES MEN MAKE WHILE HAVING SEX WITH WOMEN

1) NOT KISSING FIRST.
Avoiding her lips and diving straight for the erogenous zones makes her
feel like you’re paying by the hour and trying to get your money’s worth by
cutting out nonessentials. A proper passionate kiss is the ultimate form of
foreplay.

 

2) BLOWING TOO HARD IN HER EAR.
Admit it, some kid at school told you girls love this. Well, there’s a
difference between being erotic and blowing as if you’re trying to
extinguish
the candles on your 50th birthday cake. That hurts.

 

3) NOT SHAVING.
You often forget you have a porcupine strapped to your chin which you
rake
repeatedly across your partner’s face and thighs. When she turns her head
from side to side, it’s not passion, it’s avoidance.

 

4) SQUEEZING HER BREAST.
Most men act like a housewife testing a melon for ripeness when they
get
their hand on a pair. Stroke, caress, and smooth them.

 

5) BITING HER NIPPLES.
Why do men fasten onto a woman’s nipples, then clamp down like they’re
trying to deflate her body via her breasts? Nipples are highly sensitive.
They can’t stand up to chewing. Lick and suck them gently. Flicking your
tongue across them is good. Pretending they’re a doggie toy isn’t.

 

6) TWIDDLING HER NIPPLES.
Stop doing that thing where you twiddle the nipples between finger and
thumb like you’re trying to find a radio station in a hilly area. Focus on
the whole breasts, not just the exclamation points.

 

7) IGNORING THE OTHER PARTS OF HER BODY.
A woman is not a highway with just three turnoffs: Breastville East and
West, and the Midtown Tunnel. There are vast areas of her body which you’ve
ignored far too often as you go bombing straight into downtown Vagina.  So
start paying them some attention.

 

8) GETTING THE HAND TRAPPED.
Poor manual dexterity in the underskirt region can result in tangled
fingers and underpants.  If you’re going to be that aggressive, just ask
her
to take the damn things off.

 

9) LEAVING HER A LITTLE PRESENT.
Condom disposal is the man’s responsibility. You wore it, you store it.

 

10) ATTACKING THE CLITORIS.
Direct pressure is very unpleasant, so gently rotate your fingers along

side of the clitoris.

 

11) STOPPING FOR A BREAK.
Women, unlike men, don’t pick up where they left off. If you stop, they

plummet back to square one very fast. If you can tell she’s not there, keep

going at all costs, numb jaw or not.

 

12) UNDRESSING HER AWKWARDLY.
Women hate looking stupid, but stupid she will look when naked at the
waist with a sweater stuck over her head. Unwrap her like an elegant
present,
not a kid’s toy.

 

13) GIVING HER A WEDGIE DURING FOREPLAY.
Stroking her gently through her panties can be very sexy. Pulling the
material up between her thighs and yanking it back and forth is not.

 

14) BEING OBSESSED WITH THE VAGINA.
Although most men can find the clitoris without maps, they still
believe
that the vagina is where it’s all at. No sooner is your hand down there
than
you’re trying to stuff stolen banknotes up a chimney.  This is okay in
principle, but if you’re not careful, it can hurt – so don’t get carried
away. It’s best to pay more attention to her clitoris and the exterior of
her
vagina at first, then gently slip a finger inside her
and see if she likes it.

 

15) MASSAGING TOO ROUGHLY.
You’re attempting to give her a sensual, relaxing massage to get her in
the mood. Hands and fingertips are okay; elbows and knees are not.

 

16) UNDRESSING PREMATURELY.
Don’t force the issue by stripping before she’s at least made some move
toward getting your stuff off, even if it’s just undoing a couple of
buttons.

 

17) TAKING YOUR PANTS OFF FIRST.
A man in socks and underpants is at his worst.  Lose the socks first.

 

18) GOING TOO FAST.
When you get to the penis-in-vagina situation, the worst thing you can
do
is pump away like an industrial power tool – she’ll soon feel like an
assembly line worker made obsolete by your technology.  Build up slowly,
with
clean, straight, regular thrusts.

 

19) GOING TOO HARD.
If you bash your great triangular hip bones into her thigh or stomach,
the pain is equal to two weeks of horseback riding concentrated into a few
seconds.

 

20) COMING TOO SOON.
Every man’s fear. With reason. If you shoot before you see the whites
of
her eyes, make sure you have a backup plan to ensure her pleasure too.

 

21) NOT COMING SOON ENOUGH.
It may appear to you that humping for an hour without climaxing is the
mark of a sex god, but to her it’s more likely the mark of a numb vagina.
At
least buy some intriguing wall hangings, so she has something to hold her
interest while you’re playing Marathon Man.

 

22) ASKING IF SHE HAS COME.
You really ought to be able to tell. Most women make noise. But if you
really don’t know, don’t ask

 

23) PERFORMING ORAL SEX TOO GENTLY.
Don’t act like a giant cat at a saucer of milk. Get your whole mouth
down
there, and concentrate on gently rotating or flicking your tongue on her
clitoris.

 

24) NUDGING HER HEAD DOWN.
Men persist in doing this until she’s eyeball-to-penis, hoping that it
will lead very swiftly to mouth-to-penis. All women hate this. It’s about
three steps from being dragged to a cave by their hair. If you want her to
use her mouth, use yours; try talking seductively to her.

 

25) NOT WARNING HER BEFORE YOU CLIMAX.
Sperm tastes like sea water mixed with egg white.  Not everybody likes
it.
When she’s performing oral sex, warn her before you come so she can do
what’s
necessary.

 

26) MOVING AROUND DURING FELLATIO.
Don’t thrust. She’ll do all the moving during fellatio. You just lie
there. And don’t grab her head.

 

27) TAKING ETIQUETTE ADVICE FROM PORN MOVIES.
In X-rated movies, women seem to love it when men ejaculate over
them.
In real life, it just means more laundry to do.

 

28) MAKING HER RIDE ON TOP FOR AGES.
Asking her to be on top is fine. Lying there grunting while she does
all
the hard work is not. Caress her gently, so that she doesn’t feel quite so
much like the captain of a schooner. And let her have a rest.

 

29) ATTEMPTING ANAL SEX AND PRETENDING IT WAS AN ACCIDENT.
This is how men earn a reputation for not being able to follow
directions.
If you want to put it there, ask her first. And don’t think that being
drunk
is an excuse.

 

30) TAKING PICTURES.
When a man says, “Can I take a photo of you?” she’ll hear the
words”__to
show my buddies.” At least let her have custody of them.

 

31) NOT BEING IMAGINATIVE ENOUGH.
Imagination is anything from drawing patterns on her back to pouring
honey
on her and licking it off. Fruit, vegetables, ice and feathers are all
handy
props; hot candle wax and permanent dye are a no no.

 

32) SLAPPING YOUR STOMACH AGAINST HERS.
There is no less erotic noise. It’s as sexy as a belching contest.

 

33) ARRANGING HER IN STUPID POSES.
If she wants to do advanced yoga in bed, fine, but unless she’s a
Romanian
gymnast, don’t get too ambitious. Ask yourself if you want a sexual partner
with snapped hamstrings.

 

34) LOOKING FOR HER PROSTATE.
Read this carefully: Anal stimulation feels good for men because they
have
a prostate. Women don’t.

 

35) GIVING LOVE BITES.
It is highly erotic to exert some gentle suction on the sides of the
neck,
if you do it carefully. No woman wants to have to wear turtlenecks and
jaunty
scarves for weeks on end.

 

36) BARKING INSTRUCTIONS.
Don’t shout encouragement like a coach with a megaphone. It’s not a big
turn-on.

 

37) TALKING DIRTY.
It makes you sound like a lonely magazine editor calling a 1-900line.
If
she likes nasty talk, she’ll let you know

 

38) NOT CARING WHETHER SHE COMES.
You have to finish the job. Keep on trying until you get it right, and
she
might even do the same for you.

 

39) SQUASHING HER.
Men generally weigh more than women, so if you lie on her a bit too
heavily, she will turn blue.

 

40) THANKING HER.
Never thank a woman for having sex with you. Your bedroom is not a
soup kitchen.

Blocking Windows Functions

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

§ NoFolderOptions = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avscan.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWinPortable.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.com

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe\\debugger

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ViRemoval.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winamp.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winrar.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winzip.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antv-md5-pattern.exe

§ Debugger = “”

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN

§ CheckedValue = 2

§ DefaultValue = 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

§ CheckedValue = 1

§ DefaultValue = 1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

o NoClose

o NoFInd

o NoFolderOptions

o NoRun

o NoTrayContextMenu

o NoViewContextMenu

o NoWinLeys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

o DisableRegistryTools

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System

o DisableCMD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

o DisableMSI

o NoClose

o NoFolderOptions

o NoViewContextMenu

o NoWinKeys

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command

o Default = cmd.exe /c del “%1”

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile

o NeverShowExt [hides the .exe extension]

HKEY_CLASSES_ROOT\exefile

o NeverShowExt [hides the .exe extension]

To disguise the file type, it creates the following registry strings:

o HKCR\exefile

(default) ===> icon

Nevershowext ===>

o HKLM\SOFTWARE\Classes\exefile

(default) ===> icon

Nevershowext ===>

As we know, this virus does not block Windows functions such as Folder Options, but it will try to change the Folder Options settings. To do so it creates the following registry strings (see figure 4):

o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\

ShowSuperHidden ===> 0

o HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

CheckedValue ===> 1

DefaultValue ===> 1

As support, it creates registry strings at:

o HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

def ===> C:\WINDOWS\Temp\Vel.exe

SysRestore ===> c:\windows\system32\restoration.msd

o HKCU\Control Panel\Desktop

SCRNSAVE.exe ===> C:\WINDOWS\Temp\%fileduplikat%.exe

Active in Safe Mode & Safe Mode with Command Prompt

Besides being active in “normal” mode, this virus is also active in “safe mode” and “safe mode with command prompt”. To do so it creates registry strings at:

o HKLM\SYSTEM\ControlSet001\Control\SafeBoot

AlternateShell ===> c:\windows\system32\CommandPrompt.Sysm

o HKLM\SYSTEM\ControlSet002\Control\SafeBoot

AlternateShell ===> c:\windows\system32\CommandPrompt.Sysm

o HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot

AlternateShell ===> c:\windows\system32\CommandPrompt.Sysm

Replacing Task Manager, Regedit and Solitaire with the FreeCell game

To preserve its existence, VBWorm.NUJ will try to block several Windows functions such as Folder Options, regedit and Task Manager by replacing them with game programs, as a FaceCool variant once did. To do this, VBWorm.NUJ will try to create strings in the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

debugger = C:\WINDOWS\system32\freecell.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe

debugger = C:\WINDOWS\system32\sol.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

debuger = C:\WINDOWS\system32\spider.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer

DisableMSI =1

LimitSystemRestoreCheckpointing = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore

DisableConfig

DisableSR

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

DisableCOnfig = 1

DisableSR = 1

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoFolderOptions

NORun

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

DisableRegistryTools

DisableTaskMgr

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

NoFolderOption

NoRun

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

DisableRegistryTools

DisabletaskMgr

· HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Hidden = 0

HideFileExt = 1

ShowSuperHidden = 0

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN

text = @shell32.dll,-30501

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL

text = @shell32.dll,-30500

Message from the virus author

One of the actions VBWorm.NUJ performs is to display an Internet Explorer window every time the computer is started, by running the file C:\Message From Indonesia.htm, accompanied by the Indonesian national anthem Indonesia Raya.

The following is an excerpt of the message displayed by Internet Explorer

To do this, VBWorm.NUJ will try to create a string in the following registry key:

· HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

o Start Page = C:\Message From Indonesia.htm

VBWorm.NUJ will also try to change the company name and the Windows owner name by creating strings in the following registry keys:

· HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor

o ProcessorNameString = Core 2 Duo Extreme

· HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

o RegisteredOrganization = Paraysutki #VM Community

o RegisteredOwner = W32.Moontox.Bro [B-2]

o ProductId = Hacker@Cracker@Indonesia

 

EXE Files Turn into File Folders

To do this, VBWorm.NUJ creates strings in the following registry keys:

· HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile

– Default = file folder

– InfoTip = file folder

– NeverShowExt

– TileInfo = file folder

· HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\DefaultIcon

Default = %SystemRoot%\System32\shell32.dll,4

· HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory

AlwaysShowExt = FIle Folder

InfoTip = File Folder

NeverShowExt = File Folder

VBWorm.NUJ will also create strings in the following registry keys:

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIServer

Description = !!! Sory ya Ngk boleh buka Aplication Microsoft (.msi) Kecuali buka Executable (.exe) !!!

imagePath = Go To Vagina

ObjectPath = Dasar Buaya Darat

DisplayName = WIndows Installer

start = 4

type = 4

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc

description = !!! Maaf yee Fitur Security Center gue Non aktifkan dulu…biar aman !!!

imagepath= Go To Mak Erot

objectpath = LocalMoontox

DisplayName =Security Center

start = 4

type = 4

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter

description = !!! Hi..hi..hi biar ngak ketauan gue non aktif aja fitur ini (:-p) wee !!!

imagepath = Mulutmu Harimaumu

objectpath = Mulutmu Harimaumu

DisplayName = Alerter

DependOnService = LanmanWorkstation

start = 4

type = 4

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry

Start = 4

Type = 4

· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ansavgd

Description = !!! ANSAV kga Mempan sama Moontox Bro (>_<)

Imagepath = Go To Mak Erot

ObjectName = !!! Kasian Dech lo, Cape dech !!!

start = 4

type = 4

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice

Description = !!! Tak akan kubiarkan kau mengembalikan keadaan !!!

Display name = System Restore Service

imagepath = %SystemRoot%\System32\svchost.exe -k netsvcs (ok)

start = 4

stop = 4

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srservice\Parameters

ServiceDll = C:\WINDOWS\service.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole

EnableRemoteConnect = N

Logoff When Regedit / VBS Files Are Accessed

To protect itself from removal, this virus also blocks access to INF/VBS and registry files, so that if the user runs a file with one of those extensions the computer immediately logs off. To do this it creates strings in the following registry keys:

· HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command

§ Default = logoff.exe

· HKEY_LOCAL_MACHINE\SOFTWARE\Classes\inffile\Shell\Install\Command

§ Default = logoff.exe

· HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\Shell\open\Command

§ Default = logoff.exe

· HKCR\inffile\shell\Install\command

§ Default = logoff.exe

· HKCR\regfile\shell\open\command

§ Default = logoff.exe

· HKCR\VBSFile\Shell\Edit\Command

§ Default = logoff.exe

Ø HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\winlogon

· Userinit = C:\windows\system32\userinit.exe, c:\documents and settings\localservice\local settings\spoolsv.exe

· Shell = explorer.exe C:\documents and settings\localservice\local settings\svchost.exe

· System = C:\Documents and Settings\LocalService\Local Settings\mencerdaskan_Bangsa.exe

Ø HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

· Load = c:\documents and settings\%user%\local settings\application data\csrss.exe

Ø HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AEDebug

· Debugger = C:\Documents and Settings\LocalService\Local Settings\Application Data\lsass.exe

Ø HKEY_CURRENT_USER\Software\Microsoft\Command Processor

· Autorun
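
The listings above name the registry locations these worms abuse: Image File Execution Options "Debugger" values, the shell\open\command handlers, SafeBoot AlternateShell, Winlogon Shell/Userinit and the policy lock-out values. The following is an added example, not code from the original page or from Vaksincom, that audits a .reg export for those changes; the expected handler and shell values are the ones the page's cleanup INF restores, the expected Userinit path is an assumption based on a stock Windows install, and the sample export is constructed.

```python
import re

# Constructed sample in .reg export text form; it is not captured from a real
# host. The values mirror entries listed on this page.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINDOWS\\system32\\spider.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@="logoff.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="c:\\windows\\system32\\CommandPrompt.Sysm"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\windows\\system32\\userinit.exe, c:\\documents and settings\\localservice\\local settings\\spoolsv.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.+)$')
HANDLER_RE = re.compile(
    r'(?:\\classes|^hkey_classes_root)\\(\w+)\\shell\\open\\command$')
# Expected "open" commands, taken from the cleanup INF on this page.
HANDLER_DEFAULTS = {
    "exefile": '"%1" %*', "batfile": '"%1" %*', "comfile": '"%1" %*',
    "piffile": '"%1" %*', "regfile": 'regedit.exe "%1"',
}
# Policy values the page lists as set by the virus to lock out admin tools.
POLICY_LOCKS = {"disableregistrytools", "disabletaskmgr", "disablecmd",
                "nofolderoptions", "norun"}


def _unquote(token):
    # Strip the surrounding quotes and undo .reg escaping of \ and ".
    return re.sub(r'\\(.)', r'\1', token[1:-1])


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}}; '@' is the default
    value. Only string and dword data are decoded; hex blobs are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unquote(m.group(1)).lower()
        data = m.group(2)
        if data.startswith('"'):
            data = _unquote(data)
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        current[name] = data
    return keys


def audit(keys):
    """Return a list of (rule, where, data) findings for review."""
    findings = []
    for key, values in keys.items():
        # Any IFEO Debugger value redirects the launch of that executable.
        if "\\image file execution options\\" in key and "debugger" in values:
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[-1],
                             values["debugger"]))
        m = HANDLER_RE.search(key)
        if m and m.group(1) in HANDLER_DEFAULTS:
            command = str(values.get("@", ""))
            if command.lower() != HANDLER_DEFAULTS[m.group(1)].lower():
                findings.append(("open-handler", m.group(1), command))
        if key.endswith("\\control\\safeboot"):
            shell = str(values.get("alternateshell", "cmd.exe"))
            if shell.lower() != "cmd.exe":
                findings.append(("safeboot-shell", key, shell))
        if key.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = str(values.get("shell", "explorer.exe"))
            if shell.lower() != "explorer.exe":
                findings.append(("winlogon-shell", "Shell", shell))
            # Userinit is a comma-separated list; every entry is launched.
            for entry in str(values.get("userinit", "")).split(","):
                entry = entry.strip()
                if entry and not entry.lower().endswith("\\system32\\userinit.exe"):
                    findings.append(("winlogon-userinit", "Userinit", entry))
        if "\\policies\\" in key:
            for name in sorted(values.keys() & POLICY_LOCKS):
                if values[name] != 0:
                    findings.append(("policy-lock", name, values[name]))
    return findings


if __name__ == "__main__":
    for rule, where, data in audit(parse_reg(SAMPLE_EXPORT)):
        print(f"{rule:18} {where}: {data}")
```

An IFEO Debugger value can be legitimate on a developer machine, so treat each finding as something to review rather than as proof of infection.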

 

Cleaning Virus Registry Entries in Windows

Create an INF file

[Version]

Signature="$Chicago$"

Provider=Vaksincom Oye

[DefaultInstall]

AddReg=UnhookRegKey

DelReg=del

[UnhookRegKey]

; Restore the default "open" command for each executable file type

HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"

HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe ""%1"""

HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"

HKLM, SOFTWARE\Classes\lnkfile\shell\open\command,,,"""%1"" %*"

; Restore the logon shell and the Safe Mode command-prompt shell

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, Shell,0, "Explorer.exe"

HKLM, SYSTEM\ControlSet001\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SYSTEM\ControlSet002\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SYSTEM\CurrentControlSet\Control\SafeBoot, AlternateShell,0, "cmd.exe"

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden,UncheckedValue,0x00010001,1

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN, CheckedValue,0x00010001,2

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN, DefaultValue,0x00010001,2

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, CheckedValue,0x00010001,1

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, DefaultValue,0x00010001,1

[del]

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegistryTools

HKLM, Software\Microsoft\Windows\CurrentVersion\Policies\Explorer, NoFolderOptions

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Msconfig.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegistriEditor.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe

HKLM, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, winsystem

HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, Microfost

HKCU, SOFTWARE\Microsoft\Windows\CurrentVersion\Run, sysedit

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansavgd.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avguard.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Avscan.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWinPortable.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\command.com

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-SE.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe, debugger

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ViRemoval.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winamp.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winrar.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winzip.exe

HKLM, SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antv-md5-pattern.exe

' Restores the default registry values changed by the virus and deletes the
' policy values it adds. Run with administrative rights.
Dim oWSH: Set oWSH = CreateObject("WScript.Shell")
' Continue past values that do not exist on this machine
On Error Resume Next

' Restore the default "open" command for each executable file type
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\batfile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\comfile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\piffile\shell\open\command\","""%1"" %*"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\scrfile\shell\open\command\","""%1"" /S"
' %1 is quoted so that .reg paths containing spaces open correctly
oWSH.RegWrite "HKEY_LOCAL_MACHINE\Software\CLASSES\regfile\shell\open\command\","regedit.exe ""%1"""

' Restore the Safe Mode command-prompt shell and the logon shell
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell","cmd.exe"
oWSH.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell","Explorer.exe"

' Remove the virus start-up entries
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Word")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Printer Cpl")

' Remove the System Restore and Windows Installer restrictions
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\DisableMSI")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\LimitSystemRestoreCheckpointing")

' Remove the Explorer and System policy values (a path ending in "\" deletes the whole key)
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinLeys")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoTrayContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCLose")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Nofind")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisableMSI")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewContextMenu")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinLeys")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NOLogoff")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr")
oWSH.RegDelete("HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWinKeys")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogoff")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispApprearancePage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCpl")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispSettingsPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoScrSavPage")
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp\")

' Show the .exe extension again
oWSH.RegDelete("HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\NeverShowExt")
oWSH.RegDelete("HKEY_CLASSES_ROOT\exefile\NeverShowExt")
oWSH.RegDelete("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions")
' DisableCMD sits under Policies\Microsoft\Windows\System, the key listed earlier on this page
oWSH.RegDelete("HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\DisableCMD")

Preventing Virus Auto-infection via Flash Disk

As described in the article “Preventing Virus Auto-infection via Flash Disk”, we disable Autorun/Autoplay through Group Policy [GPEDIT.MSC]:

  1. Click the [START] menu,
  2. Click [Run]
  3. Type GPEDIT.MSC in the “RUN” field
  4. Select Administrative Templates under the Computer Configuration menu.
  5. Click View, then choose Filtering
  6. Untick the check box to turn off the option “Only show policy settings that can be fully managed”, then click OK
  7. Right-click the Administrative Templates menu and choose Add/Remove Templates
  8. Make sure the file write_protect_removable_drives.adm is present in the C:\Windows\INF directory. If it is not, it can be downloaded from http://www.petri.co.il/software/usb_write_protect_adm.zip
  9. Once the download is finished, unpack the file and run its batch file, so that write_protect_removable_drives.adm is copied to the C:\Windows\INF directory
  10. Then click the ADD button, select the file write_protect_removable_drives.adm and click the OPEN button
  11. If this succeeds, the file write_protect_removable_drives.adm will appear in Add/Remove Templates. Click the CLOSE button to end that session.
  12. After it is closed, a new menu named “Custom Policy Settings” will appear, with a sub-menu “Write Protection” whose status is “disable”
  13. Double-click Write Protect USB Removable Drives. The Write Protect USB Removable Drives Properties dialog appears. On the Setting tab choose ENABLED and change its status to ON. Click Apply, and click OK to finish
  14. If this succeeds, the State changes to Enable (see figure 9). To finish, click File, then Exit.
  15. To change it back to DISABLE, follow steps 12 and 13, choosing DISABLE on the Setting tab and changing its status to OFF.

There is another way to write-protect a flash disk, using REGEDIT, as follows:

i. Run Regedit.exe, then go to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies

create a (DWORD) value

WriteProtect and set it to 1

ii. Then close Registry Editor; you do not need to restart the computer for this to take effect. To disable it, change the value data to 0. Registry files for this can be downloaded from http://www.petri.co.il/software/usb_write_protect.zip. Choose one of its REG files, Disable or Enable.

Registry Entries Used by Viruses

Start Up

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

microfost = C:\windows\system32\hanny.exe

sysedit = C:\windows\iexplorer.exe

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

winsystem = c:\windows\system32\aniee.exe

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Printer Cpl = C:\WINDOWS\SPOOL32.EXE

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Microsoft Word = C:\WINDOWS\system32\WINWORD.EXE

o HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4LLI

o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\CurrentControlSet\Services\4LLI

o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\CurrentControlSet\Services\4LLI

o HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\CurrentControlSet\Services\4LLI

o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

§ windowsapp = C:\WINDOWS\windowsapp.exe

Tools for Wiping Out Viruses

The following are tools for wiping out viruses


Security Task Manager
CurrProcess http://www.nirsoft.net/utils/cprocess.html