Temporary Forum Putera.com

Together, let's tidy up this forum while the original forum is being restored.

The Putera forum is back. The problem has been resolved. Please visit http://forum.putera.com/tanya


    Virus winkido - kaspersky alert


Post by baok (New Member) on Thu Feb 26, 2009 9:01 pm

No problem.. just post it here, I want to have a look.. Doesn't GVR detect it?

Oh yes, plug the external drive into the PC, then download and run the MS Malware Removal Tool..

    http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en


    ---------edit--------------

Don't forget to apply the Windows Update patch below if you haven't already..

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Post by zer0Nehza (Supervisor) on Sat Feb 28, 2009 6:58 pm

Here is the ComboFix log
    Code:
    http://rapidshare.com/files/203546013/ComboFix.txt

ComboFix does delete it.. but after plugging the USB back in.. it comes back again



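The reinfection-on-reinsert pattern described above is what an autorun.inf on the stick does: Explorer reads it when the drive is mounted and launches whatever it names. The following is an added example, not code from the thread or from any of the tools mentioned in it. It parses an autorun.inf the way a triage script has to (tolerating the junk lines and mixed-case keys such files carry), reports what the file would launch, and then replaces the file with a read-only directory of the same name so a worm cannot write a fresh copy. The SAMPLE_AUTORUN content is constructed for the example; the DLL path in it is a placeholder, not an indicator from the thread. Disabling Autorun system-wide (the NoDriveTypeAutoRun policy) is still the real fix; this is for checking a stick before it goes anywhere near a cleaned machine.

```python
"""Inspect and neutralise autorun.inf on a removable drive (added example)."""
import os
import re
import stat
import tempfile

# Constructed sample, loosely modelled on an obfuscated autorun.inf: binary
# junk, a comment line and mixed-case keys. The DLL path is a placeholder.
SAMPLE_AUTORUN = (
    b"[AuToRuN]\r\n"
    b";\x8a\x01\x9f junk comment \x00\xff\r\n"
    b"AcTiOn=Open folder to view files\r\n"
    b"\x13\x7f\x9c line without a key, inserted to confuse scanners\r\n"
    b"IcOn=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"sHeLlExEcUtE=RuNdLl32.EXE .\\RECYCLER\\placeholder.dll,entry\r\n"
    b"UsEaUtOpLaY=1\r\n"
)

# key=value, where the key may contain backslashes (shell\open\command style)
KEY_RE = re.compile(rb"^([A-Za-z][A-Za-z0-9_\\]*)\s*=\s*(.*?)\s*$")


def parse_autorun(data):
    """Return {lower-case key: value} from the [autorun] section, tolerating junk."""
    keys, section = {}, None
    for raw in data.splitlines():
        line = raw.strip()
        if not line or line.startswith(b";"):
            continue
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].lower()
            continue
        if section != b"autorun":
            continue
        m = KEY_RE.match(line)
        if m:  # anything that is not key=value is treated as padding
            keys[m.group(1).lower().decode("ascii")] = m.group(2).decode("latin-1")
    return keys


def launch_targets(keys):
    """Directives that make Explorer run something: open, shellexecute, shell\\*\\command."""
    return [(k, v) for k, v in keys.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def assess(keys):
    """Reasons the file deserves attention; an empty list means it launches nothing."""
    reasons = []
    for key, cmd in launch_targets(keys):
        reasons.append("%s launches: %s" % (key, cmd))
        if "rundll32" in cmd.lower():
            reasons.append("payload is a DLL loaded via rundll32 (typical worm loader)")
        if "recycler" in cmd.lower():
            reasons.append("payload hidden under RECYCLER")
    if keys.get("action"):
        reasons.append("custom AutoPlay entry text: %r" % keys["action"])
    return reasons


def inspect_drive(root):
    """Assess <root>/autorun.inf; returns [] when there is no such file."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "rb") as fh:
        return assess(parse_autorun(fh.read()))


def neutralize(root):
    """Delete autorun.inf and leave a read-only directory in its place. True on success."""
    path = os.path.join(root, "autorun.inf")
    if os.path.isfile(path):
        os.chmod(path, stat.S_IWRITE | stat.S_IREAD)  # clear the read-only flag first
        os.remove(path)
    if not os.path.isdir(path):
        os.mkdir(path)
    os.chmod(path, stat.S_IREAD | stat.S_IEXEC)  # nothing can be written inside it
    return os.path.isdir(path)


def demo_in_temp_dir():
    """Write the sample to a scratch 'drive', inspect, neutralise; returns (reasons, ok, is_dir)."""
    root = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(root, "autorun.inf"), "wb") as fh:
        fh.write(SAMPLE_AUTORUN)
    reasons = inspect_drive(root)
    ok = neutralize(root)
    return reasons, ok, os.path.isdir(os.path.join(root, "autorun.inf"))


if __name__ == "__main__":
    for line in demo_in_temp_dir()[0]:
        print("autorun.inf:", line)
```

Point `inspect_drive` at the root of the mounted stick (for example `E:\`) before opening it in Explorer; `neutralize` only touches the autorun.inf itself, so the payload files the directive pointed at still need to be removed or quarantined separately.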

Post by baok (New Member) on Sat Feb 28, 2009 10:36 pm

Is that the CC server? In the picture, copy/paste suspicious file 1 and suspicious file 2 and post the full path here..


    Uninstall SweetIM if you don't use it..



    NEXT


Go HERE and download ERUNT

Then install and run ERUNT to back up the Registry.. Refer HERE for how to back up the Registry with ERUNT




    NEXT


Remove the old ComboFix and download a new one from the link below.. DON'T run it yet..

    Link 2




    NEXT


    1. Please open Notepad
    • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::

    NetSvc::
    nbagxs
    ooolukg
    liard

    Driver::
    nbagxs
    ooolukg
    liard

    File::
    c:\windows\system32\gzsuh.dll

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2126:TCP"=-
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c9c86ac-e7b5-11dd-826c-00235494274e}]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nbagxs]
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ooolukg]

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

    • Combofix.txt
    • A new HijackThis log.

Post by zer0Nehza (Supervisor) on Sun Mar 01, 2009 1:04 am

    Hijackthis log
    Code:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:59:56 AM, on 3/1/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.20861)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\CCDISK1.6\CakeService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\DAEMON Tools Lite\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\mspaint.exe
    C:\WINDOWS\system32\svchost.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mercs2.com/
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O11 - Options group: [INTERNATIONAL] International*
    O11 - Options group: [TABS] Tabbed Browsing
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BC808E-8779-42FF-891C-8B08BBFCA67D}: NameServer = 202.188.1.5,202.188.0.133
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
    O23 - Service: iSCSICake (CakeService) - Unknown owner - C:\CCDISK1.6\CakeService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe



    Combofix log
    Code:
    http://rapidshare.com/files/203665731/2ComboFix.txt



Post by biosfree (New Member) on Sun Mar 01, 2009 1:38 am

I'm using an original KIS09.... eh, if it can't delete it, that's going to be tough....

and I've only just formatted...... tired of this already...

Post by baok (New Member) on Sun Mar 01, 2009 2:37 am

Hello zeronehza.. I have a small question...

First ComboFix log

Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe

Second ComboFix log

Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe

Why is that?.. Is that from the same PC or a different PC? Please don't edit the logs



Erm.. Not awesome.. Either the file renamed itself after the reboot.. Or you ran the same steps on 2 different PCs.. Please don't run the same steps on different PCs.. Let's do this...

But, a question.. First, I detected a file on that PC associated with a commercial keylogger... Was any keylogger installed (something like Ardamax).. I don't want to remove that file yet, just asking the owner of the computer first..

OR

Has that PC ever had any antivirus/software installed that was cracked (especially ESET or TuneUp)

We'll do two deep scans to see what services/drivers might be hidden.. There are a lot of scans.. Just be patient, yeah..


Do these steps only on the ccdiskmaserver PC..


    1. Please open Notepad
    • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::

    NetSvc::
    svboygh
    gfcqiwy

    Driver::
    svboygh
    gfcqiwy


    File::
    c:\windows\system32\kwcvkyvm.dll
    c:\windows\system32\tmp4EC3.tmp
    c:\windows\system32\tmp4EC2.tmp
    c:\windows\system32\Sys\AKV.exe
    c:\windows\system32\Sys\QHUX.exe

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5848:TCP"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

    • Combofix.txt
    • A new HijackThis log.





    NEXT


    Download avz4.zip from HERE

    • Unzip it to your desktop to a folder named avz4
    • Double click on AVZ.exe to run it.
    • Run an update by clicking the Auto Update button on the Right of the Log window:
    • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again



    1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the check box for item 3: Healing/Quarantine and Advanced System Investigation.
    3. Click on the Execute selected scripts.
    4. Automatic scanning, healing and system check will be executed.
    5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
    6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
    7. All applications will work properly after the system restart.




    • After that, please restart AVZ again,
    • From the "File" menu, choose "Standard Scripts"
    • Put a check next to item 2: Advanced System Investigation
    • Click Execute selected scripts
    • At the next prompt, click the OK button
    • Let the scan run and click "OK" when the completion prompt pops up
    • Now Close out of the Standard Scripts window, and exit AVZ
    • Navigate to the avz4 folder and locate the folder LOG
    • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
    • Attach virusinfo_syscheck.htm to your next reply




    NEXT


    Please download GMER and unzip it to your Desktop. <<mirror>>
    • Open the program and click on the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
    • Click on Scan.
    • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


    IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result



Zip the logs below into one folder and upload to RS as usual here..

    1. ComboFix
    2. virusinfo_syscheck.htm
    3. GMER


    Last edited by baok on Sun Mar 01, 2009 4:12 am; edited 3 times in total

Post by zer0Nehza (Supervisor) on Sun Mar 01, 2009 3:13 am

lol, so many more steps.. ok ok no problem.. I'll have to test tomorrow.. no time left tonight.. hehe..
btw, two different PCs, but both had that external drive plugged in.. ok from now on I'll only do it on one PC, this one
    Code:
    Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe

btw, there's no keylogger installed. Currently using only one AV, KIS 7; previously tested ESET and various others, but they've been uninstalled.



Post by baok (New Member) on Sun Mar 01, 2009 4:05 am

Ok.. no problem.. do the steps above only on the ccdiskmaserver PC

Take note that I just edited the steps above..

Post by baok (New Member) on Mon Mar 02, 2009 10:11 pm

Feedback please..

Post by kodOk (New Member) on Thu Mar 05, 2009 10:01 am

Whoa bro, those steps are so long.. I cried reading them. Almost 200 PCs at my workplace are infected by kido/conficker/downad.ad.

Post by HyBriDz (New Member) on Thu Mar 05, 2009 12:04 pm

Have you tried f-downadup??
I tried it the other day because my KIS09 detected it but couldn't remove it.. even after many tries.. but in the end this thing worked..
try searching on google

Post by zer0Nehza (Supervisor) on Thu Mar 05, 2009 1:18 pm

baok wrote: Feedback please..
sorry, still rather busy.. besides, that PC has been running 14+ hours.. (without reboot/shutdown)
can't just restart it like that... wait a bit more.. haven't had time to test..



Post by baok (New Member) on Thu Mar 05, 2009 3:46 pm

Ok.. I'll be offline from tomorrow until Tuesday.. because I'm taking leave.. so, I'll be back online on Tuesday/Wednesday next week..

Post by zer0Nehza (Supervisor) on Mon Mar 09, 2009 8:28 pm

I just tried kido killer v3.3 (latest)
it detected kido and deleted it. now testing to see whether it's still there or not.. so far it's gone.



Post by baok (New Member) on Mon Mar 09, 2009 8:59 pm

zer0Nehza wrote: I just tried kido killer v3.3 (latest)

Which one?.. The Symantec one or the F-Secure one? Can you give the link?

there are lots of removers for Winkido..

Post by zer0Nehza (Supervisor) on Tue Mar 10, 2009 1:00 am

I forgot where the source link was.. but I used this one

    Code:
    http://rapidshare.com/files/207214930/KidoKiller.rar

Post by baok (New Member) on Tue Mar 10, 2009 7:34 am

Hello.. That KidoKiller is from Kaspersky... The RapidShare link is an old version.. Always use the latest version from the link below..

    Code:
    http://support.kaspersky.com/faq?chapter=207800963&print=true&qid=208279973


Any more problems with Winkido?..

Post by kodOk (New Member) on Tue Mar 10, 2009 11:18 am

I can't download kidokiller from kaspersky. "The page cannot be displayed" Can't download from rapidshare either. It's blocked.

Post by baok (New Member) on Tue Mar 10, 2009 12:04 pm

Get it from here.. It's the latest version, which I uploaded to 2shared..

    Code:
    http://www.2shared.com/file/5046053/4d454c63/Kido.html

Post by mitutoyo (New Member) on Tue Mar 10, 2009 5:46 pm

thanks baok

Post by kodOk (New Member) on Wed Mar 11, 2009 9:00 am

Access Blocked

Your access to the website dc98.2shared.com/download/5046053/4d454c63/Kido.zip?tsid=20090310-205706-5074c3c6 has been blocked and logged
because it contains Peer-to-Peer elements
that violate the internet access policy, blah blah blah blah...


Argh.. I don't have internet at home, bro.. so sad.. Still stuck wanting to kill this virus..

Post by baok (New Member) on Wed Mar 11, 2009 11:30 am

kodOk, PM replied..

Post by mon678 (Member) on Wed Mar 11, 2009 3:54 pm

Does this virus infect Win Vista too? Or only Win XP?

Post by kodOk (New Member) on Thu Mar 12, 2009 12:03 pm

Thanks bro baok. mon678, so far I haven't seen any signs of kido breaking into the Vista OS (the PC I'm using)?? or maybe before the kido virus knocked on my PC's door, kaspersky had already kicked it out early??

What I've observed at my place is that kido spreads via thumbdrives and also over the network. PCs that already had BitDefender or Kaspersky AV installed and regularly updated were spared from the kido virus.

Pip pip.. still under observation. Next week at my workplace.. (if nothing gets in the way, the operation to beat up kido will be carried out by me, a solo participant.)

Post by mitutoyo (New Member) on Thu Mar 12, 2009 12:15 pm

kido is pretty nasty too, I still have 1 PC that hasn't fully recovered, AVG detects it but can't delete it, don't know what variant is left, I haven't had time to grab the report yet because I'm out, haven't gone back to class yet
