Homebaok wrote:Upload dari sini.. Itu latest version yang aku upload kat 2shared..
- Code:
http://www.2shared.com/file/5046053/4d454c63/Kido.html
thanks Mr Baok.. gud job
+21
♥♠♠♥
mon678
mitutoyo
kodOk
biosfree
baok
daimon
keroncong
lpmike87
Haibara Ai
game4life
cisqo87
HyBriDz
amirul84
antivirus
kron1x
teri-chan
Aluda.AluQieY
e_charmed81
bDk L@g3NDa
zer0Nehza
25 posters
Virus winkido - kaspersky alert
♥♠♠♥- Ahli Baharu
- Number of posts : 27
Registration date : 14/03/2009
thanks Mr Baok.. gud job
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
- Spoiler:
- baok wrote:Hello zeronehza.. aku ada soalan sket...
Log ComboFix yang pertama
Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe
Log ComboFix yang kedua
Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe
Kenapa macam tu?.. Itu dari PC yang sama atau PC yang lain? Please jangan edit log
Erm.. Not awesome.. Samada file tu tukar nama selepas reboot.. Atau kamu buat step yang sama ke atas 2 PC berbeza.. Please jangan buat step yang sama untuk PC berbeza.. Lets do this...
Tapi, nak tanya.. Firstly aku detect file yang associate dengan commercial keylogger kat pc tu... Ada tak install apa2 keylogger (jenis macam Ardamax).. Aku tanak buang lagi file tu, just tanya dulu kat tuan punya komputer..
ATAU
Pernah tak pc tu install apa-apa jenis antivirus/software yang pakai biskut tawar (terutama jenis ESET atau TuneUp)
Kita akan buat dua deep scan utk tengok apa services/driver yang mungkin tersembunyi.. Banyak scan ni.. Sabar je la yee..
Buat step ini hanya untuk PC ccdiskmaserver sahaja..
1. Please open Notepad- If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:
- Code:
KillAll::
NetSvc::
svboygh
gfcqiwy
Driver::
svboygh
gfcqiwy
File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\tmp4EC3.tmp
c:\windows\system32\tmp4EC2.tmp
c:\windows\system32\Sys\AKV.exe
c:\windows\system32\Sys\QHUX.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:- Combofix.txt
- A new HijackThis log.
NEXT
Download avz4.zip from HERE- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the Right of the Log window:
- Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again
1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.- After that, please restart AVZ again,
- From the "File" menu, choose "Standard Scripts"
- Put a check next to item 2: Advanced System Investigation
- Click Execute selected scripts
- At the next prompt, click the OK button
- Let the scan run and click "OK" when the completion prompt pops up
- Now Close out of the Standard Scripts window, and exit AVZ
- Navigate to the avz4 folder and locate the folder LOG
- Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
- Attach virusinfo_syscheck.htm to your next reply
NEXT
Please download GMER and unzip it to your Desktop. <<mirror>>- Open the program and click on the Rootkit tab.
- Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
- Click on Scan.
- When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result
Zip kan log dibawah dalam satu folder dan upload kat RS macam biasa kat sini..
1. ComboFix
2. virusinfo_syscheck.htm
3. GMER
Masih ada kido ni. saya akan cuba step2 kat atas ni semula. wait for my feedback
mitutoyo- Ahli Baharu
- Number of posts : 430
Location : Bandaraya Anggerik
Job/hobbies : MemBZ kn diri
Registration date : 01/03/2009
zero,,..,ape simptom yg kame kna lg?
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
network browsing disable, av update disable, application sound disable, windows sound masih ada..
mitutoyo- Ahli Baharu
- Number of posts : 430
Location : Bandaraya Anggerik
Job/hobbies : MemBZ kn diri
Registration date : 01/03/2009
huh.,teruk,aku kena dlu setakat xbleh masuk website av sjh n update,now dh ok skit,cuma ada jenis2 varians avg xbleh del i-worm/brontok je dlm reports
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
betul la tu.. sympton dia.. tak leh surfing... av tak leh update.. tapi client aku ni pakai DF... restart pc ok la balik... masalahnya leceh la tiap kali jadi camtu.. kis detect delete memang delete... tapi restart pc ada balik.. autorun eater detect variant tu as autorun.inf / kido.ih atau kido.ex
tapi tak leh delete / access denied..
btw baok ni saya bagi log-log.
tapi tak leh delete / access denied..
btw baok ni saya bagi log-log.
- Code:
http://rapidshare.com/files/209380141/log.rar
mitutoyo- Ahli Baharu
- Number of posts : 430
Location : Bandaraya Anggerik
Job/hobbies : MemBZ kn diri
Registration date : 01/03/2009
dia makn apa nh kuat sgt,bayam jenis pa tah nh.,.,huhuhu.,
kido tool dr kaspersky pun xbleh pakai,f secured xbleh,avast nye pun xbleh.,apa yg bleh tah.,
kido tool dr kaspersky pun xbleh pakai,f secured xbleh,avast nye pun xbleh.,apa yg bleh tah.,
baok- Ahli Baharu
- Number of posts : 169
Registration date : 20/02/2009
I need some clarifications here..
1. Itu bukan pc kamu, tapi pc client? Wow.. Apa kata biar klien tu post kat sini.. At least boleh promote dia kat PUTERA..
2. DF = Deepfreeze?.. Saya tak boleh tolong sehingga user tu uninstall DeepFreeze.. Mana-mana Malware Helper pun akan keberatan nak tolong kalau user pakai DeepFreeze.. Bukan sebab DeepFreeze tu tak bagus.. DeepFreeze sangat bagus, tapi kalau nak clean komputer, DeepFreeze hanya akan merumitkan keadaan..
3. Jadi PC yang ccdiskmaserver tu PC kamu atau PC client? Still ada problem lagi dengan PC ccdiskmaserver tu?.. Sebab dari log ComboFix dan AVZ, aku dah tak nampak apa-apa yang malicious (kecuali dari System Restore..Itu boleh clear kemudian)..
Adakah PC ccdiskmaserver pakai DeepFreeze?
tapi client aku ni pakai DF
1. Itu bukan pc kamu, tapi pc client? Wow.. Apa kata biar klien tu post kat sini.. At least boleh promote dia kat PUTERA..
2. DF = Deepfreeze?.. Saya tak boleh tolong sehingga user tu uninstall DeepFreeze.. Mana-mana Malware Helper pun akan keberatan nak tolong kalau user pakai DeepFreeze.. Bukan sebab DeepFreeze tu tak bagus.. DeepFreeze sangat bagus, tapi kalau nak clean komputer, DeepFreeze hanya akan merumitkan keadaan..
3. Jadi PC yang ccdiskmaserver tu PC kamu atau PC client? Still ada problem lagi dengan PC ccdiskmaserver tu?.. Sebab dari log ComboFix dan AVZ, aku dah tak nampak apa-apa yang malicious (kecuali dari System Restore..Itu boleh clear kemudian)..
Adakah PC ccdiskmaserver pakai DeepFreeze?
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
camni macam dah salah faham..
client is my pc in cyber cafe... total is 25 client.. ccdiskmaserver(server game that contain a virus kido.ex.ih etc... _
client semua freeze.. server tak freeze.. client memang tak ada virus... kecuali server games itu up.. load cakeservice dari server.. baru akan detect virus dari server akan masuk client...
client kalau on standalone (server game off) memang clean dari virus...
virus ni macam dia sentiasa replicated.. walaupon status dah deleted.. reboot pc akan ada balik..
experiment.. saya dah buat pc server tu on standalone... pc2 lain tak on (memastikan virus bukan dari network pc yang lain)
jadi resultnya sama.. virus memang kekal dalam server ccdiskmaserver.. buntu jugak ni
client is my pc in cyber cafe... total is 25 client.. ccdiskmaserver(server game that contain a virus kido.ex.ih etc... _
client semua freeze.. server tak freeze.. client memang tak ada virus... kecuali server games itu up.. load cakeservice dari server.. baru akan detect virus dari server akan masuk client...
client kalau on standalone (server game off) memang clean dari virus...
virus ni macam dia sentiasa replicated.. walaupon status dah deleted.. reboot pc akan ada balik..
experiment.. saya dah buat pc server tu on standalone... pc2 lain tak on (memastikan virus bukan dari network pc yang lain)
jadi resultnya sama.. virus memang kekal dalam server ccdiskmaserver.. buntu jugak ni
baok- Ahli Baharu
- Number of posts : 169
Registration date : 20/02/2009
Maaf.. Saya salah faham...
Ok.. Reboot PC tu, then patch dulu dengan October Security update di bawah..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Kemudian download dan run Microsoft Removal Tool.. Remove semua yang dia jumpa..
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
(kalau tak boleh masuk laman MS, masuk je kat mana-mana pc, dan burn kat CD (jangan pakai thumbdrive sbb Winkido boleh merebak melalui pendrive)
Then reboot dan run ComboFix sekali lagi..
Post Log ComboFix di sini.. Pada masa yang sama, lepas je run ComboFix, cuba masuk mana-mana website antivirus, boleh masuk atau tidak..
Ok.. Reboot PC tu, then patch dulu dengan October Security update di bawah..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Kemudian download dan run Microsoft Removal Tool.. Remove semua yang dia jumpa..
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
(kalau tak boleh masuk laman MS, masuk je kat mana-mana pc, dan burn kat CD (jangan pakai thumbdrive sbb Winkido boleh merebak melalui pendrive)
Then reboot dan run ComboFix sekali lagi..
Post Log ComboFix di sini.. Pada masa yang sama, lepas je run ComboFix, cuba masuk mana-mana website antivirus, boleh masuk atau tidak..
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
saya dah buat step2 di atas.. boleh surf.. boleh update av, boleh masuk laman web av.. dan memang rasa dah tak ada virus..
tak apa.. the very last step saya try dekat beberapa client yang infected.. sebab tak semua client akan detect.. maybe kido ni dah menular kt partition.. (partition yang tak difreeze) dan akan aktif ke service selepas windows up..
saya cuba dulu macam mana...
tak apa.. the very last step saya try dekat beberapa client yang infected.. sebab tak semua client akan detect.. maybe kido ni dah menular kt partition.. (partition yang tak difreeze) dan akan aktif ke service selepas windows up..
saya cuba dulu macam mana...
ADi_CTeD- Ahli Baharu
- Number of posts : 6
Registration date : 18/03/2009
Guna link ni utk download scanner ni...just like patch
pastu run and scan...
bole pilih full scan atau custom scan
Aku pn sama juga kena benda ni,xleh delete sebelum ni...last2 jumpa link ni,alhamdulillah benda tu ilang dah...
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en
pastu run and scan...
bole pilih full scan atau custom scan
Aku pn sama juga kena benda ni,xleh delete sebelum ni...last2 jumpa link ni,alhamdulillah benda tu ilang dah...
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en
mitutoyo- Ahli Baharu
- Number of posts : 430
Location : Bandaraya Anggerik
Job/hobbies : MemBZ kn diri
Registration date : 01/03/2009
ADi_CTeD wrote:Guna link ni utk download scanner ni...just like patch
pastu run and scan...
bole pilih full scan atau custom scan
Aku pn sama juga kena benda ni,xleh delete sebelum ni...last2 jumpa link ni,alhamdulillah benda tu ilang dah...
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en
terima kasih saudara,aku rasa zero dh buat step tu,baok dh bg tuturial tu sblmnh (rujuk page 4)
baok- Ahli Baharu
- Number of posts : 169
Registration date : 20/02/2009
Hello.. Akhirnya, aku berjaya jugak infect test pc aku dengan Winkido/Downadup virus nih.. The best way is always manual removal but that will be a major hassle for newbies..
Ok, kalau nak guna tools, aku syorkan macam nih.. (mungkin kena download tools dari pc lain kemudian transfer kat pc yang ada virus tu melalui cd/pendrive)
Download semua program nih dan transfer kat PC yang ada virus.. Kemudian run ikut turutan di bawah..
1- Stinger_Conficker.exe dari McAfee
2- EConfickerRemover.exe dari ESET
3- Remover dari BitDefender
4- Microsoft Malicious Removal Tool
Kemudian reboot komputer dan patch dengan security updates nih..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Ok, kalau nak guna tools, aku syorkan macam nih.. (mungkin kena download tools dari pc lain kemudian transfer kat pc yang ada virus tu melalui cd/pendrive)
Download semua program nih dan transfer kat PC yang ada virus.. Kemudian run ikut turutan di bawah..
1- Stinger_Conficker.exe dari McAfee
2- EConfickerRemover.exe dari ESET
3- Remover dari BitDefender
4- Microsoft Malicious Removal Tool
Kemudian reboot komputer dan patch dengan security updates nih..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
baok skang ada malware baru..
Intrusion.Win.NETAPI.buffer-overflow.exploit
boleh guna step tool kt atas tu tak..
malware ni disablekan antivirus / spyware updater, tapi surfing internet masih boleh.. dan kadang2 dia ganngu certain part network yang lain macam printer sharing etc.
Intrusion.Win.NETAPI.buffer-overflow.exploit
boleh guna step tool kt atas tu tak..
malware ni disablekan antivirus / spyware updater, tapi surfing internet masih boleh.. dan kadang2 dia ganngu certain part network yang lain macam printer sharing etc.
e_sentinel- Ahli Baharu
- Number of posts : 479
Registration date : 02/03/2009
Intrusion.Win.NETAPI.buffer-overflow.exploit masih kategori Win.Kido tapi variant "r", dia attack port 445 (file sharing), kena disinfect satu persatu computer, putuskan dulu dari networking .. boleh cuba online scanning menggunakan Kaspersky Online Scanner, etc.
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
sudah jumpa cara berkesan atasi benda ni
kena dload 3 tool dari microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
last sekali scan pakai kido killer v3.4.6
last sekali restart pc, network, av updated, file printer sharing dah berkesan seperti biasa.. benda ni jadi sebab win xp SP2 tak lengkap ngn update patch latest microsoft, so dengan itu sape2 pakai win xp sp3, boleh dikatakan selamat
- Code:
Intrusion.Win.NETAPI.buffer-overflow.exploit! Protocol/service: TCP on local port 445
kena dload 3 tool dari microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
last sekali scan pakai kido killer v3.4.6
- Code:
http://go2.wordpress.com/?id=725X1342&site=basilkp05.wordpress.com&url=http%3A%2F%2Fdata2.kaspersky.com%3A8080%2Fspecial%2FKK_v3.4.6.zip
last sekali restart pc, network, av updated, file printer sharing dah berkesan seperti biasa.. benda ni jadi sebab win xp SP2 tak lengkap ngn update patch latest microsoft, so dengan itu sape2 pakai win xp sp3, boleh dikatakan selamat
malaynux- Ahli Baharu
- Gender : Male Number of posts : 138
Age : 43
Location : Negeri Cik Siti Wan Kembang
Job/hobbies : Nyayi lagu - Tom tombak mak yong dedek
Registration date : 25/03/2009
Aku kena menatang ni gamaknya sebab tu xleh update KAV,
Aku tambah ni IP Kaspersky br leh update cam biasa.
(tengok topik aku buka kelmarin)
Wassalam
Aku tambah ni IP Kaspersky br leh update cam biasa.
(tengok topik aku buka kelmarin)
Wassalam
zer0Nehza- Supervisor
- Number of posts : 256
Location : P2P Server
Registration date : 12/02/2009
dah try cara ip ko tu.. tapi tak leh.. last2 aku jumpa solution kat atas
AhmadSyazwan- Ahli Baharu
- Gender : Male Number of posts : 414
Registration date : 26/02/2009
kido memg gerun juga..kido ni attack network dan website nt virus x blh access
Similar topics
