Putera.com Temporary Forum

Together we are tidying up this forum while the original forum is being restored.

The Putera forum is back. The problem has been resolved. Please visit http://forum.putera.com/tanya


    Virus winkido - kaspersky alert


    ♥♠♠♥
    New Member

    Number of posts : 27
    Registration date : 14/03/2009

    Re: Virus winkido - kaspersky alert

    Post by ♥♠♠♥ on Sat Mar 14, 2009 5:19 pm

    baok wrote: Upload from here.. That is the latest version I uploaded to 2shared..

    Code:
    http://www.2shared.com/file/5046053/4d454c63/Kido.html


    thanks Mr Baok.. good job cheers

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Sun Mar 15, 2009 12:39 am

    Spoiler:
    baok wrote: Hello zeronehza.. I have a small question...

    First ComboFix log

    Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe

    Second ComboFix log

    Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe

    Why is that?.. Is that from the same PC or a different PC? Please don't edit the log Smile



    Erm.. Not awesome.. Either that file changed its name after the reboot.. Or you did the same steps on 2 different PCs.. Please don't do the same steps on different PCs.. Let's do this...

    But, I want to ask.. Firstly, I detected a file associated with a commercial keylogger on that PC... Was any keylogger installed (something like Ardamax)?.. I don't want to remove that file yet, just asking the computer's owner first..

    OR

    Has that PC ever had any kind of antivirus/software installed that uses a crack (especially ESET or TuneUp)?

    We will do two deep scans to see what services/drivers might be hidden.. There are a lot of scans.. Just be patient, yeah.. Razz


    Do these steps for the ccdiskmaserver PC only..


    1. Please open Notepad
    • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter


    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    KillAll::

    NetSvc::
    svboygh
    gfcqiwy

    Driver::
    svboygh
    gfcqiwy


    File::
    c:\windows\system32\kwcvkyvm.dll
    c:\windows\system32\tmp4EC3.tmp
    c:\windows\system32\tmp4EC2.tmp
    c:\windows\system32\Sys\AKV.exe
    c:\windows\system32\Sys\QHUX.exe

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5848:TCP"=-
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

    • Combofix.txt
    • A new HijackThis log.





    NEXT


    Download avz4.zip from HERE

    • Unzip it to your desktop to a folder named avz4
    • Double click on AVZ.exe to run it.
    • Run an update by clicking the Auto Update button on the Right of the Log window:
    • Click Start to begin the update

    Note: If you receive an error message, choose a different source, then click Start again



    1. Start AVZ.
    2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
    3. Click on the Execute selected scripts.
    4. Automatic scanning, healing and system check will be executed.
    5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
    6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
    7. All applications will work properly after the system restart.




    • After that, please restart AVZ again,
    • From the "File" menu, choose "Standard Scripts"
    • Put a check next to item 2: Advanced System Investigation
    • Click Execute selected scripts
    • At the next prompt, click the OK button
    • Let the scan run and click "OK" when the completion prompt pops up
    • Now Close out of the Standard Scripts window, and exit AVZ
    • Navigate to the avz4 folder and locate the folder LOG
    • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
    • Attach virusinfo_syscheck.htm to your next reply




    NEXT


    Please download GMER and unzip it to your Desktop. <<mirror>>
    • Open the program and click on the Rootkit tab.
    • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
    • Click on Scan.
    • When the scan has finished, click Copy, paste the results into Notepad, save it and attach it in this thread.


    IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result



    Zip the logs below into one folder and upload them to RS as usual, here..

    1. ComboFix
    2. virusinfo_syscheck.htm
    3. GMER

    The Kido is still there. I will try the steps above again. Wait for my feedback.
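    An added example, not code from this thread or from ComboFix: a small Python audit helper that parses a CFScript in the layout quoted above and lists the actions it would request, so a helper can review what a script will remove before it is dragged onto ComboFix.exe. The mapping of directives to actions is my reading of the format (`NetSvc::`/`Driver::` name services to remove, `File::` names files to delete, and `Registry::` follows .reg-file semantics where `[-KEY]` deletes a key and `"name"=-` deletes a value); the sample script is constructed from the entries posted in the thread.

```python
import re

# Constructed sample in the same layout as the CFScript posted in the thread:
# a directive line ends in "::" and its entries follow until the next directive.
SAMPLE_CFSCRIPT = r"""KillAll::
NetSvc::
svboygh
Driver::
svboygh
File::
c:\windows\system32\kwcvkyvm.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
"""

def parse_cfscript(text):
    """Group the entry lines of a CFScript under their directive names."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith("::"):              # directive header such as "File::"
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:   # entry for the current directive
            sections[current].append(line)
    return sections

def plan_actions(sections):
    """Return (action, target) pairs describing what the script asks for.
    Assumed mapping: NetSvc/Driver name services to remove, File names files to
    delete; Registry uses .reg semantics ([-KEY] deletes a key, "name"=- a value)."""
    actions = []
    if "KillAll" in sections:
        actions.append(("kill_all_processes", ""))
    for directive, action in (("NetSvc", "remove_netsvc"),
                              ("Driver", "remove_driver"), ("File", "delete_file")):
        actions += [(action, entry) for entry in sections.get(directive, [])]
    key = None
    for line in sections.get("Registry", []):
        m = re.fullmatch(r"\[(-?)(.+)\]", line)
        if m:                                # key header; a "-" prefix deletes it
            key = m.group(2)
            if m.group(1) == "-":
                actions.append(("delete_key", key))
            continue
        m = re.fullmatch(r'"(.+)"=-', line)
        if m and key is not None:            # value deletion under the current key
            actions.append(("delete_value", key + "\\" + m.group(1)))
    return actions
```

    Running `plan_actions(parse_cfscript(SAMPLE_CFSCRIPT))` lists six actions for the sample: the process kill, the two service removals, the file deletion, the firewall port-value deletion and the service-key deletion.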

    mitutoyo
    New Member

    Number of posts : 430
    Location : Bandaraya Anggerik
    Job/hobbies : Keeping myself busy
    Registration date : 01/03/2009

    Re: Virus winkido - kaspersky alert

    Post by mitutoyo on Sun Mar 15, 2009 1:19 am

    zero.. what symptoms are you getting again?

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Sun Mar 15, 2009 7:07 am

    network browsing disabled, AV update disabled, application sound disabled, Windows sound still there..



    mitutoyo
    New Member

    Number of posts : 430
    Location : Bandaraya Anggerik
    Job/hobbies : Keeping myself busy
    Registration date : 01/03/2009

    Re: Virus winkido - kaspersky alert

    Post by mitutoyo on Sun Mar 15, 2009 10:24 am

    huh.. bad, I got it before, to the point of not being able to access AV websites or update, now it's a bit better, just that there are some AVG variants that can't delete I-Worm/Brontok in the reports

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Sun Mar 15, 2009 11:40 am

    That's right.. those are its symptoms.. can't surf... AV can't update.. but this client of mine uses DF... restarting the PC makes it OK again... the problem is it's a hassle every time it happens.. KIS detects and deletes, it really does delete... but after restarting the PC it's back.. Autorun Eater detects the variant as autorun.inf / kido.ih or kido.ex

    but can't delete / access denied..

    btw baok, here are the logs.
    Code:
    http://rapidshare.com/files/209380141/log.rar

    mitutoyo
    New Member

    Number of posts : 430
    Location : Bandaraya Anggerik
    Job/hobbies : Keeping myself busy
    Registration date : 01/03/2009

    Re: Virus winkido - kaspersky alert

    Post by mitutoyo on Sun Mar 15, 2009 12:05 pm

    what does this thing eat to be so strong, what kind of spinach is this.. huhuhu..

    the Kido tool from Kaspersky can't be used, F-Secure can't, Avast's can't either.. what can, I wonder..

    baok
    New Member

    Number of posts : 169
    Registration date : 20/02/2009

    Re: Virus winkido - kaspersky alert

    Post by baok on Sun Mar 15, 2009 3:43 pm

    I need some clarifications here..

    but this client of mine uses DF

    1. That's not your PC, but a client's PC? Wow.. How about letting the client post here.. At least we can promote them at PUTERA..



    2. DF = DeepFreeze?.. I can't help until the user uninstalls DeepFreeze.. Any Malware Helper would be reluctant to help if the user uses DeepFreeze.. Not because DeepFreeze isn't good.. DeepFreeze is very good, but if you want to clean a computer, DeepFreeze will only complicate things..



    3. So is the ccdiskmaserver PC your PC or the client's PC? Is there still a problem with the ccdiskmaserver PC?.. Because from the ComboFix and AVZ logs, I no longer see anything malicious (except in System Restore.. that can be cleared later)..

    Does the ccdiskmaserver PC use DeepFreeze?

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Sun Mar 15, 2009 8:23 pm

    Looks like there has been a misunderstanding..

    client is my PC in the cyber cafe... total is 25 clients.. ccdiskmaserver (the game server that contains the virus kido.ex.ih etc...)

    the clients are all frozen.. the server isn't frozen.. the clients really have no virus... except when that game server is up.. loading cakeservice from the server.. only then does it detect a virus coming from the server into the client...

    if a client is on standalone (game server off) it is indeed clean of the virus...
    this virus seems to be constantly replicating.. even though the status says deleted.. rebooting the PC brings it back..

    experiment.. I ran the server PC standalone... the other PCs were off (to make sure the virus isn't coming from the other PCs on the network)

    so the result is the same.. the virus persists on the ccdiskmaserver server.. I'm stumped with this Razz



    baok
    New Member

    Number of posts : 169
    Registration date : 20/02/2009

    Re: Virus winkido - kaspersky alert

    Post by baok on Sun Mar 15, 2009 9:01 pm

    Sorry.. I misunderstood...

    Ok.. Reboot that PC, then patch it first with the October security update below..

    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx


    Then download and run the Microsoft Removal Tool.. Remove everything it finds..

    http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

    (if you can't access the MS site, just get it on any other PC and burn it to a CD (don't use a thumbdrive because Winkido can spread through pendrives)


    Then reboot and run ComboFix once more..

    Post the ComboFix log here.. At the same time, right after running ComboFix, try to access any antivirus website and see whether you can or not..

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Mon Mar 16, 2009 1:37 pm

    I've done the steps above.. can surf.. can update AV, can access AV websites.. and it really feels like the virus is gone..
    never mind.. the very last step I'll try on a few infected clients.. because not all clients will detect it.. maybe this Kido has spread to a partition.. (a partition that isn't frozen) and becomes active as a service after Windows is up..

    I'll try first and see how it goes... Sad

    ADi_CTeD
    New Member

    Number of posts : 6
    Registration date : 18/03/2009

    Re: Virus winkido - kaspersky alert

    Post by ADi_CTeD on Sat Mar 21, 2009 2:57 pm

    Use this link to download this scanner...just like a patch

    then run and scan...

    you can choose full scan or custom scan

    I also got hit by this thing, couldn't delete it before...finally found this link, alhamdulillah that thing is gone now...


    http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

    mitutoyo
    New Member

    Number of posts : 430
    Location : Bandaraya Anggerik
    Job/hobbies : Keeping myself busy
    Registration date : 01/03/2009

    Re: Virus winkido - kaspersky alert

    Post by mitutoyo on Sat Mar 21, 2009 4:44 pm

    ADi_CTeD wrote: Use this link to download this scanner...just like a patch

    then run and scan...

    you can choose full scan or custom scan

    I also got hit by this thing, couldn't delete it before...finally found this link, alhamdulillah that thing is gone now...


    http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

    thank you brother, I think zero has already done that step, baok gave that tutorial earlier (refer to page 4)

    baok
    New Member

    Number of posts : 169
    Registration date : 20/02/2009

    Re: Virus winkido - kaspersky alert

    Post by baok on Sun Mar 29, 2009 10:53 pm

    Hello.. Finally, I managed to infect my test PC with this Winkido/Downadup virus.. The best way is always manual removal but that will be a major hassle for newbies..

    Ok, if you want to use tools, I recommend the following.. (you may need to download the tools from another PC and then transfer them to the infected PC via CD/pendrive)


    Download all of these programs and transfer them to the infected PC.. Then run them in the order below..

    1- Stinger_Conficker.exe from McAfee
    2- EConfickerRemover.exe from ESET
    3- Remover from BitDefender
    4- Microsoft Malicious Removal Tool


    Then reboot the computer and patch it with this security update..
    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Sun Aug 16, 2009 2:47 pm

    baok, now there's a new malware..

    Intrusion.Win.NETAPI.buffer-overflow.exploit

    can the tool steps above be used?..

    this malware disables antivirus / spyware updaters, but internet surfing still works.. and sometimes it disrupts certain other parts of the network like printer sharing etc.



    e_sentinel
    New Member

    Number of posts : 479
    Registration date : 02/03/2009

    Re: Virus winkido - kaspersky alert

    Post by e_sentinel on Sun Aug 16, 2009 7:10 pm

    Intrusion.Win.NETAPI.buffer-overflow.exploit is still in the Win.Kido category but variant "r"; it attacks port 445 (file sharing), you have to disinfect the computers one by one, disconnect them from the network first .. you can try online scanning using Kaspersky Online Scanner, etc.

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Fri Sep 25, 2009 5:13 pm

    found an effective way to overcome this thing

    Code:
    Intrusion.Win.NETAPI.buffer-overflow.exploit! Protocol/service: TCP on local port 445

    you need to download 3 tools from Microsoft
    http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
    http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
    http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

    lastly scan using Kido Killer v3.4.6
    Code:
    http://go2.wordpress.com/?id=725X1342&site=basilkp05.wordpress.com&url=http%3A%2F%2Fdata2.kaspersky.com%3A8080%2Fspecial%2FKK_v3.4.6.zip

    lastly restart the PC; network, AV updates, file and printer sharing all work as usual again.. this happened because Win XP SP2 wasn't fully updated with the latest Microsoft patches, so anyone using Win XP SP3 can be considered safe Smile



    malaynux
    New Member

    Gender : Male
    Number of posts : 138
    Age : 35
    Location : Negeri Cik Siti Wan Kembang
    Job/hobbies : Singing - Tom tombak mak yong dedek
    Registration date : 25/03/2009

    Re: Virus winkido - kaspersky alert

    Post by malaynux on Sat Sep 26, 2009 6:43 pm

    I think I got hit by this thing, that's why KAV couldn't update,

    I added this Kaspersky IP and then it could update as usual.

    (see the topic I opened the day before yesterday)

    Wassalam

    zer0Nehza
    Supervisor

    Number of posts : 256
    Location : P2P Server
    Registration date : 12/02/2009

    Re: Virus winkido - kaspersky alert

    Post by zer0Nehza on Tue Oct 13, 2009 1:22 am

    tried your IP method.. but it didn't work.. in the end I found the solution above



    AhmadSyazwan
    New Member

    Gender : Male
    Number of posts : 414
    Age : 28
    Location : PERLIS
    Job/hobbies : Playing tuju kasut
    Registration date : 26/02/2009

    Re: Virus winkido - kaspersky alert

    Post by AhmadSyazwan on Sat Oct 31, 2009 2:36 pm

    Kido is indeed scary too.. this Kido attacks the network and then you can't access AV websites
