.: Dee Personal Blog :.


Tutorial: Removing the TheMediaFinder Trojan Variant (TheMediaFinder-C)

Posted by Root on May 6, 2012 at 11:00 AM

Aliases:

Adware/Win32.BundleInstaller [ AhnLab-V3 ]

ADWARE/Adware.Gen [ Avira AntiVir ]

Win32:TheMediaFinder-C [PUP] [ Avast ]

Gen:Variant.Application.MediaFinder.1 [ BitDefender ]

W32/MediaFinder.A.gen!Eldorado [ Commtouch ]

Application.Win32.AdWare.MFinder.AS [ Comodo ]

Riskware.MediaFinder!IK [ Emsisoft ]

W32/MediaFinder.A.gen!Eldorado [ F-Prot ]

Gen:Variant.Application.MediaFinder.1 [ F-Secure ]

Adware/MediaFinder [ Fortinet ]

Gen:Variant.Application.MediaFinder.1 [ GData ]

not-a-virus:MediaFinder [ Ikarus ]

MediaFinder [ VIPRE ]

This Trojan was first seen between late March 2012 and early April 2012. It is believed to spread across the Internet by bundling itself into an installer/setup file, or even by posing as a fake application. One variant poses as anti-virus software, so it is no surprise that one anti-virus vendor names it FakeAV-N.bfr (a member of the Fake-AV-N malware family). From the data the author has gathered, this Trojan usually poses as a fake application by using a double extension, for example: internet_explorer_9_portable_setup.rar.exe, Hack_travian_account_XVID.mp4.exe, Contents310Circuits.pdf.exe, and so on. There are estimated to be 14 variants in the TheMediaFinder-C family. Although the 14 variants differ in their characteristics, they still share several traits: creating files on the infected machine; posing as the Babylon, Media Get or Media Finder, and Turbo Bit applications; deleting the contents of the Babylon or Babylon Pro directory under Program Files; and modifying the index.dat file in the Temporary Internet Files\Content.IE5\ directory

The following files are usually (generally) created by Trojans of the TheMediaFinder-C family and its variants:

Assume X: is drive C: (the drive where the WINDOWS files are usually installed)


X:\Documents and Settings\All Users\Desktop\Media Finder.lnk
X:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Get the Media Finder License.URL
X:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Media Finder on the Web.url
X:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Media Finder.lnk
X:\Documents and Settings\All Users\Start Menu\Programs\Media Finder\Uninstall Media Finder.lnk
X:\Documents and Settings\Windows User Name\Application Data\Babylon\log_file.txt
X:\Documents and Settings\Windows User Name\Application Data\Media Finder\Extensions\gencrawler_gc.crx
X:\Documents and Settings\Windows User Name\Application Data\Media Finder\Extensions\gencrawler_gc.dll
X:\Documents and Settings\Windows User Name\Application Data\Media Finder\Extensions\IEPlugin32.dll
X:\Documents and Settings\Windows User Name\Application Data\Media Finder\Extensions\mf_plugin_gc.crx
X:\Documents and Settings\Windows User Name\Application Data\Media Finder\link.cfg
X:\Documents and Settings\Windows User Name\Application Data\Media Finder\Temp\downloads.xml
X:\Documents and Settings\Windows User Name\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@[Domain Removed]\chrome.manifes
X:\Documents and Settings\Windows User Name\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@[Domain Removed]\install.rdf
X:\Documents and Settings\Windows User Name\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@[Domain Removed]\chrome.manifes
X:\Documents and Settings\Windows User Name\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\gencrawler@[Domain Removed]\install.rdf
X:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarApp.dll
X:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarsrv.exe
X:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll
X:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll
X:\Program Files\BabylonToolbar\BabylonToolbar\1.5.3.17\uninstall.exe
X:\Program Files\Media Finder\borlndmm.dat
X:\Program Files\Media Finder\borlndmm.dll
X:\Program Files\Media Finder\hook.html
X:\Program Files\Media Finder\MF.exe
X:\Program Files\Media Finder\mf.ico
X:\Program Files\Media Finder\Plugins\_4shared.dll
X:\Program Files\Media Finder\Plugins\depositfiles.dll
X:\Program Files\Media Finder\Plugins\extabit.dll
X:\Program Files\Media Finder\Plugins\filepost.dll
X:\Program Files\Media Finder\Plugins\fileserve.dll
X:\Program Files\Media Finder\Plugins\filesonic.dll
X:\Program Files\Media Finder\Plugins\furk.dll
X:\Program Files\Media Finder\Plugins\hotfile.dll
X:\Program Files\Media Finder\Plugins\letitbit.dll
X:\Program Files\Media Finder\Plugins\madshare.dll
X:\Program Files\Media Finder\Plugins\oron.dll
X:\Program Files\Media Finder\Plugins\rapidshare.dll
X:\Program Files\Media Finder\Plugins\turbobit.dll
X:\Program Files\Media Finder\Plugins\unibytes.dll
X:\Program Files\Media Finder\Plugins\uploading.dll
X:\Program Files\Media Finder\Plugins\uploadstation.dll
X:\Program Files\Media Finder\Plugins\wupload.dll
X:\Program Files\Media Finder\unins000.dat
X:\Program Files\Media Finder\unins000.exe
X:\Documents and Settings\Windows User Name\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ffx.exe
X:\Documents and Settings\Windows User Name\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbar4ie.exe
X:\Documents and Settings\Windows User Name\Local Settings\Temp\BabylonToolbar\BabylonToolbar\1.5.3.17\nsis.js
X:\Documents and Settings\Windows User Name\Local Settings\Temp\is-[RANDOM STRING].tmp\slide[RANDOM NUMBER].png
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\bab033.tbinst.dat
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\bab091.norecovericon.dat
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\Babylon.dat
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\common.js
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\eula.html
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\page2.css
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\page2.html
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\page2.js
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\page2Lrg.css
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\page9.html
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\pBar.gif
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\title2.png
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\HtmlScreens\toolBar.jpg
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\Setup.exe
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\SetupStrings.dat
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\Setup-tbmntr903-9.0.3.19.zpb
X:\Documents and Settings\Windows User Name\Local Settings\Application Data\Babylon\Setup\sqlite3.dll
C:\user.js

The following directories are also present:

X:\Documents and Settings\Windows User Name\Local Settings\Temp\3570283D-BAB0-7891-8422-6BB8958C6F2C\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\4FD4FC40-BAB0-7891-944E-F2FED9303534\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\58E99436-BAB0-7891-85BB-AF543049C793\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\7154309A-BAB0-7891-8A52-37D49FB57ABB\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\84EAD061-BAB0-7891-B2A9-3DBD6B50936E\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\9DDCB3F2-BAB0-7891-A17F-185A9193788D\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\A1D62286-BAB0-7891-ADBA-2795141E94BB\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\B478B7FC-BAB0-7891-A530-5291D5A916F6\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\C1C2BD73-BAB0-7891-8284-250D9A56D1EE\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\C23EBAD7-BAB0-7891-94A0-8A7DDB666932\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\mediaget-installer-tmp\
X:\Documents and Settings\Windows User Name\Local Settings\Temp\ns[3-CHARACTER RANDOM STRING].tmp
X:\Documents and Settings\Windows User Name\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\@themediafinder.com\
X:\Documents and Settings\Windows User Name\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\[email protected]\

These directories and files are usually hidden. To see them, open My Computer, click the Tools menu, click Folder Options, choose the View tab, then find and select Show Hidden Files and Folders and untick Hide Protected Operating System Files, then click Apply & OK [Windows XP]; on Windows versions other than XP the steps may differ slightly. Once you have checked for this Trojan and found it, you can manually delete the files and directories the author listed above. Then run a full scan using Avast Anti-Virus Free, which can be downloaded for free at (http://www.avast.com/free-antivirus-download), or BitDefender Free, which can be downloaded for free at (http://www.bitdefender.com/solutions/free.html). If you already have an anti-virus other than Avast or BitDefender installed on your machine, uninstall that anti-virus first! Only then install Avast or BitDefender, and run a full scan until it completes entirely. Once the machine is judged clean, you can go back to the anti-virus you used before.
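As an added example (not part of the original post), the following PowerShell script checks a machine for the artifact paths listed above, hidden items included, and reports them before anything is deleted. It assumes the Windows XP profile layout the post describes, uses environment variables in place of "X:\Documents and Settings\Windows User Name", and its wildcard patterns for the Temp directories are drawn from the random-name entries in the list.

```powershell
# Added example, not from the original post: report (and optionally remove)
# the TheMediaFinder-C artifacts listed above, hidden ones included.
# Assumes the Windows XP profile layout from the post; environment variables
# stand in for "X:\Documents and Settings\Windows User Name".
param([switch]$Remove)   # default is report-only

$ffx = '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}'   # Firefox extension dir from the list
$local = $env:LOCALAPPDATA                        # not set on XP, so fall back
if (-not $local) { $local = Join-Path $env:USERPROFILE 'Local Settings\Application Data' }

# Representative subset of the paths listed above; wildcards follow the
# random-name patterns the post gives (is-*.tmp, ns???.tmp, *-BAB0-7891-*).
$artifacts = @(
    "$env:ALLUSERSPROFILE\Desktop\Media Finder.lnk",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Media Finder",
    "$env:APPDATA\Babylon\log_file.txt",
    "$env:APPDATA\Media Finder",
    "$env:APPDATA\Mozilla\Extensions\$ffx\*themediafinder.com",
    "$env:ProgramFiles\BabylonToolbar",
    "$env:ProgramFiles\Media Finder",
    "$env:TEMP\BabylonToolbar",
    "$env:TEMP\mediaget-installer-tmp",
    "$env:TEMP\ns???.tmp",
    "$env:TEMP\*-BAB0-7891-*",
    "$env:TEMP\is-*.tmp\slide*.png",
    "$local\Babylon\Setup",
    "$env:SystemDrive\user.js"
)

function Find-MediaFinderArtifacts {
    param([string[]]$Paths)
    foreach ($pattern in $Paths) {
        # -Force returns hidden and system items, the same effect as the
        # Folder Options change described in the post
        Get-Item -Path $pattern -Force -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{
                Path   = $_.FullName
                Hidden = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                IsDir  = $_.PSIsContainer
            }
        }
    }
}

$found = @(Find-MediaFinderArtifacts -Paths $artifacts)
if ($found.Count -eq 0) { Write-Host 'No TheMediaFinder-C artifacts found.'; return }
$found | Format-Table Path, Hidden, IsDir -AutoSize

if ($Remove) {
    # -Confirm prompts per item; Program Files entries need an elevated shell
    foreach ($f in $found) { Remove-Item -LiteralPath $f.Path -Recurse -Force -Confirm }
} else {
    Write-Host 'Report only. Re-run with -Remove to delete the items shown, then run a full anti-virus scan.'
}
```

Run it once without -Remove to see what is present; the Hidden column shows which entries would have been invisible before the Folder Options change.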

Categories: Malware Discussions
