Virus/Spyware cina .cn

salam warga putera..saya nak mintak pertolongan dr semua..pc kawan saya kna virus ni..tah spyware kot..dia akan bukak ie ngan sendirinya..pastu kuar tulisan cina ngan pengiraan..contoh 5+6=9 daalam bentuk susunan lidi..pastu kat bawah ade iklan ipod,mp3..cmane nak buang yer..name website yg slalu auto terbuakak tu..ade .cn kat belakang..cth..dcdgov.cn..gitu r lebih kurang

buat pengetahuan..ekin da coba guna malwarebytes xleh buang..pastu dia detect smss.exe..tu virus..da guna super antispyware,avira,dan restore balik..tapi still x berubah

spyware scan

Cube masuk melalui SAFE MODE,lepas
tu scan balik...

virus tetap ade lepas format..rasanya virus tu ade dalam cd window kot..caner nak baung virus yg ade dalam window ni..dalam system32 plak tu..bla quarantine dia kuar error..aduh pening

Mungkin dalam CD, mungkin boot sector dah infected ... jadi bila format tetap ada ... scan HijackThis ambik log, paste sini ..

benda ni dipanggil adware... <<nak gitau ni je

nanti saya letak log hijack

aik.bkan ke arie tu topik nie kat tanyasystm.x silap ak ICEBOX suruh u scan gune a squared free.u dah cube ke

ke msalh u x selesai lgi. x pe kite mintak tlong kat pro IT kat putera nie.hiihi

C:\WINDOWS\System32\reader_s.exe

malware!!

http://www.google.com.my/search?q=reader_s.exe&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Huh .. seram betul tengok log awak ekin ... banyak sangat nasty ..

Code:

C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\hazrulhaffiz\reader_s.exe
C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\hazrulhaffiz\reader_s.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe (User 'Default user')


Ikut guide ni:

muat turun Combofix by sUBs and save to your desktop:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
atau dari sini :
http://subs.geekstogo.com/ComboFix.exe

Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Click on Start/Run,copy and paste the following bold text into the 'Open:' space,then press OK [See image below]:
"%userprofile%\desktop\combofix.exe" /killall



Combofix.exe will start,please follow the prompts.
When it's finished it will produce a log.

Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Awak boleh dapatkan log Combofix di C:\ComboFix.txt

Note: sila ikut arahan dengan betul apabila menggunakan Combofix

ekin_mache, run dulu ComboFix macam yang e-sentinel cakap, then terus sambung dengan Dr.Web CureIt... Suspek ada polymorphic file infector kat computer tu.. Kalau ada, maka terpaksa buat full-format kat semua partition..



muat turun Dr.Web CureIt dan save kat Desktop

1.Double-click launch.exe dan biarkan ia jalankan express scan. Tekan Yes untuk semua infection yang dijumpai
2. Pilih Complete Scan dan tekan butang panah hijau untuk mulakan scan.
3. Apabila scan habis, tandakan kotak Select all >> tekan Cure dan pilih Move incurable >> Biarkan proses pembersihan tamat.
3. Pergi ke menu >> click File >> pilih Save report list >> Save ke Desktop sebagai DrWeb.csv
4. Reboot ke Normal Mode >> buka DrWeb.csv sebagai Notepad >> Post kandungan DrWeb.csv di sini

mmg ekin da letak kat tanyasystm..tapi ekin da pening..kat situ org x ramai lagi..ekin da guna asquared..pc blackout..x leh buang virus..kalau ekin buang satu2pc restrat x brnti..ekin cuba yg ni dulu..ekin da bengang gila ngan pc ni..x penah ag mengahadapi masalah yg teruk cani..biasa format mesti ilang..ni format bertambah lak virus..ekin cuba yg ni dulu

ekin rasa la kan..sape yg pro boleh x tgk pc ekin...dgn teamviewer ker..ekin da x tau nak wat per ni

ekin.. completekan dulu 2 step tu, ComboFix dan Dr.Web...

Saya suspect pc tu ada Win32.Virut.. jadi kene tengok dulu 2 log tersebut.. rujuk post e-sentinel dan post saya di muka belakang...


Kalau betul kene Win32.Virut, variant baru memang tak ada cure.. Kene buat full format.. Rujuk post di bawah..

A quote from a malware expert (sUBs)

http://forum.lowyat.net/index.php?showtopic=538671&view=findpost&p=23701573

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.

full reformat means, format on ALL partitions..


sUBs ialah pembuat ComboFix

ok2..ekin cuba dulu..erk

kna buat macammane ngan combofix ni

reader_s.exe;c:\documents and settings\user;Trojan.DownLoad.29459;Deleted.;
msmsgs.exe;c:\program files\messenger;Win32.Virut.56;Incurable.Moved.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Incurable.Moved.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Cured.;
ati7ptxx.sys;c:\windows\system32\drivers;BackDoor.Bulknet.240;Deleted.;
ndis.sys;c:\windows\system32\drivers;Trojan.NtRootKit.2670;Deleted.;
logonui.exe;c:\windows\system32;Win32.Virut.56;Cured.;
netdde.exe;c:\windows\system32;Win32.Virut.56;Cured.;
reader_s.exe;c:\windows\system32;Trojan.DownLoad.29459;Deleted.;
svchost.exe:ext.exe;c:\windows\system32;Win32.Virut.56;Cured.;
svchost.exe:ext.exe;c:\windows\system32;Trojan.Spambot.4348;Deleted.;
sxepetxv.dll;c:\windows\system32;BackDoor.JackBot.1;Deleted.;
sxepetxv32.dll;c:\windows\system32;BackDoor.JackBot.1;Deleted.;
wscntfy.exe;c:\windows\system32;Win32.Virut.56;Cured.;
bn1.tmp;c:\windows\temp;Trojan.Packed.438;Deleted.;
lxd2d.tmp;c:\windows\temp;BackDoor.JackBot.1;Deleted.;

lepas ekin deleted n cure ni kan..internet lak x leh connect..so ekin restore balik..cane erk

guna dr web

Ekin..

netdde.exe;c:\windows\system32;Win32.Virut.56;Cured.;

Itu Virut variant baru.. Nothing cure that one, not even Dr.Web at this time...

Please backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installer/screensaver and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar/.php/.asp files...

Make sure you back-up everything ONLY via CD or DVD (non-rewritable).. If you need to backup into external hard drive or thumbdrive, make sure it is EMPTY.. Meaning NO FILE inside it.. Format the external drive first before attach it to the infected computer.. A single .exe file inside the external drive may infected other computers as well..


A quote from an expert (sUBs)

http://forum.lowyat.net/index.php?showtopic=538671&view=findpost&p=23701573

Virut is not disinfectable. Your only option is to perform a full reformat. Do NOT attempt a repair install. It shall be a waste of time. If you do so, the infected executables remain on the machine & you shall likely trigger another bout of Virut.

If you do not know how to perform a fresh install, use this website > http://www.windowsreinstall.com/

Note: If you have to backup files, do so only for MS Office documents & any non executable file. Burn them to CD/DVD. Do NOT copy files from the infected machine to your pendrive OR another machine. You risk infecting the other machine.

full reformat means, format on ALL partitions..

Lagi satu, carik file dibawah, zip kan die, upload kat Rapidshare atau 2shared, pm link die kat aku.. aku perlukan sample tersebut...

C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\hazrulhaffiz\reader_s.exe

virus ada kt tgn awak kot ekin? hahhahaha