zer0Nehza

Virus winkido - kaspersky alert


baok wrote: Hello zeronehza.. I have a small question...

First ComboFix log

Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe


Second ComboFix log

Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe


Why is that?.. Is that from the same PC or a different PC? Please don't edit the logs



Erm.. Not awesome.. Either that file changed name after the reboot, or you ran the same steps on 2 different PCs.. Please don't run the same steps on different PCs.. Let's do this...

But I want to ask.. First, I detected a file on that PC associated with a commercial keylogger... Has any keylogger been installed (something like Ardamax)? I don't want to remove that file yet, I'm just asking the owner of the computer first..

OR

Has that PC ever had any antivirus/software installed that uses a crack (especially ESET or TuneUp)?

We'll run two deep scans to see what services/drivers may be hidden.. There are a lot of scans.. Just be patient, ok..


Do these steps for the ccdiskmaserver PC only..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

NetSvc::
svboygh
gfcqiwy

Driver::
svboygh
gfcqiwy


File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\tmp4EC3.tmp
c:\windows\system32\tmp4EC2.tmp
c:\windows\system32\Sys\AKV.exe
c:\windows\system32\Sys\QHUX.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.





NEXT


Download avz4.zip from HERE

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again



1. Start AVZ.
2. From the File menu, choose Standard scripts and mark the check box for 3. Healing/Quarantine and Advanced System Investigation.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.




  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result



Zip the logs below into one folder and upload them to RS as usual, here..

1. ComboFix
2. virusinfo_syscheck.htm
3. GMER


Kido is still here. I'll try the steps above again. Wait for my feedback.

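The CFScript above removes two Conficker-style persistence points by hand: a random-named service registered in the svchost "netsvcs" group (svboygh, backed by a random-named ServiceDll) and a Windows Firewall exception for a random TCP port (5848:TCP). As an added example, not from this thread or any poster, the Python below finds both from a regedit export so the check can run on a clean machine. It parses the .reg format (including the hex(7) UTF-16LE encoding of REG_MULTI_SZ and regedit's line continuations) and compares against baselines. The .reg text, the baselines (deliberately partial) and the names reused from the script are constructed for illustration.

```python
"""Added triage helper (not from the thread or any poster): flag the two
persistence mechanisms the CFScript removes by parsing a regedit export.
Sample .reg text, baselines and names are constructed for this example."""
import re

# Key paths as regedit writes them, compared case-insensitively.
SVCHOST_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\svchost"
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
FIREWALL_KEY = (SERVICES_KEY + r"\sharedaccess\parameters\firewallpolicy"
                r"\standardprofile\globallyopenports\list")

# Constructed, deliberately partial baselines. Real triage would take these
# from a clean reference machine of the same Windows build.
NETSVCS_BASELINE = {"appmgmt", "audiosrv", "browser", "cryptsvc", "eventsystem",
                    "helpsvc", "lanmanserver", "lanmanworkstation", "netman",
                    "schedule", "seclogon", "sens", "sharedaccess", "themes",
                    "w32time", "winmgmt", "wuauserv", "wzcsvc"}
FIREWALL_BASELINE = {"139:TCP", "445:TCP", "137:UDP", "138:UDP"}

# Constructed export: one random-named netsvcs member and one odd TCP exception.
# netsvcs decodes to "AppMgmt", "AudioSrv", "svboygh".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):41,00,70,00,70,00,4d,00,67,00,6d,00,74,00,00,00,41,00,75,00,\
  64,00,69,00,6f,00,53,00,72,00,76,00,00,00,73,00,76,00,62,00,6f,00,79,00,67,\
  00,68,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\audiosrv.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svboygh\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\kwcvkyvm.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"5848:TCP"="5848:TCP:*:Enabled:kwcvkyvm"
"""


def parse_reg(text):
    """Parse regedit 5.00 export text into {key_path: {value_name: data}}.
    Handles REG_SZ ("x"="..."), REG_MULTI_SZ (hex(7): UTF-16LE, NUL-separated)
    and the trailing-backslash line continuations regedit inserts in long hex
    values. Other value types are kept as their raw text."""
    logical = []
    for line in text.splitlines():
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()   # join continuation
        else:
            logical.append(line.strip())
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is None or not m:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
            keys[current][name] = [s for s in data.decode("utf-16-le").split("\x00") if s]
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[current][name] = raw
    return keys


def find_suspicious(keys):
    """Return (kind, name, detail) for netsvcs members and firewall exceptions
    that are not on the baselines; detail is the ServiceDll or the rule text."""
    findings = []
    for svc in keys.get(SVCHOST_KEY, {}).get("netsvcs", []):
        if svc.lower() in NETSVCS_BASELINE:
            continue
        params = keys.get(SERVICES_KEY + "\\" + svc.lower() + "\\parameters", {})
        findings.append(("netsvcs", svc, params.get("servicedll", "<no ServiceDll>")))
    for name, rule in keys.get(FIREWALL_KEY, {}).items():
        if name.upper() not in FIREWALL_BASELINE:
            findings.append(("firewall", name.upper(), rule))
    return findings


if __name__ == "__main__":
    for kind, name, detail in find_suspicious(parse_reg(SAMPLE_REG)):
        print(f"{kind:8} {name:10} {detail}")
```

On a live XP host the input comes from `reg export HKLM hklm.reg`; regedit writes that file as UTF-16 with a BOM, so read it with `encoding="utf-16"` before passing it to `parse_reg`. A baseline mismatch is only a lead: confirm the ServiceDll on disk (random eight-letter name in system32, no version resource) before scripting its removal, exactly as the CFScript above does.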
That's right.. those are its symptoms.. can't surf... AV can't update.. but my clients use DF... restart the PC and it's fine again... the problem is it's a hassle every time that happens.. KIS detects and deletes, it really does delete... but after restarting the PC it's back.. Autorun Eater detects that variant as autorun.inf / kido.ih or kido.ex

but it can't delete it / access denied..

btw baok, here are the logs.
Code:
http://rapidshare.com/files/209380141/log.rar

I need some clarifications here..

but my clients use DF


1. That's not your PC, but a client's PC? Wow.. Why not let the client post here.. At least we can introduce them to PUTERA..



2. DF = DeepFreeze?.. I can't help until that user uninstalls DeepFreeze.. Any Malware Helper would be reluctant to help if the user is on DeepFreeze.. Not because DeepFreeze is bad.. DeepFreeze is very good, but when you want to clean a computer, DeepFreeze only complicates matters..



3. So is the ccdiskmaserver PC your PC or the client's PC? Is there still a problem with the ccdiskmaserver PC?.. Because from the ComboFix and AVZ logs, I no longer see anything malicious (except in System Restore.. that can be cleared later)..

Does the ccdiskmaserver PC use DeepFreeze?

Looks like there's a misunderstanding..

The clients are my PCs in a cyber cafe... 25 clients in total.. ccdiskmaserver (the game server that contains the virus, kido.ex, kido.ih etc.)

The clients are all frozen.. the server is not frozen.. the clients really don't have the virus... except when that game server is up.. loading cakeservice from the server.. only then is the virus detected coming from the server into the clients...

If a client runs standalone (game server off) it's really clean of the virus...
This virus seems to replicate constantly.. even when the status says deleted.. rebooting the PC brings it back..

Experiment.. I ran the server PC standalone... the other PCs were off (to make sure the virus isn't coming from another PC on the network)

The result is the same.. the virus really persists on the ccdiskmaserver server.. I'm stuck on this one

Sorry.. I misunderstood...

Ok.. Reboot that PC, then patch it first with the October security update below..

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx


Then download and run the Microsoft Removal Tool.. Remove everything it finds..

http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

(If you can't reach the MS site, get it from any other PC and burn it to a CD (don't use a thumbdrive, because Winkido can spread through pendrives))


Then reboot and run ComboFix once more..

Post the ComboFix log here.. At the same time, right after running ComboFix, try to reach any antivirus website and see whether you can get in or not..

I've done the steps above.. can surf.. can update AV, can reach AV websites.. and it really feels like the virus is gone..
Anyway.. the very last step I'll try on a few of the infected clients.. because not all clients detect it.. maybe this Kido has already spread to a partition.. (a partition that isn't frozen) and becomes active as a service after Windows is up..

Let me try first and see how it goes...

ADi_CTeD wrote: Use this link to download this scanner... just like a patch

then run it and scan...

you can choose full scan or custom scan

I got hit by this thing too, couldn't delete it before... finally found this link, alhamdulillah the thing is gone now...


http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en


Thanks brother, I think zero has already done that step, baok gave that tutorial earlier (see page 4)

Hello.. Finally, I managed to infect my test PC with this Winkido/Downadup virus.. The best way is always manual removal but that will be a major hassle for newbies..

Ok, if you want to use tools, I recommend the following.. (you may need to download the tools on another PC, then transfer them to the infected PC via CD/pendrive)


Download all of these programs and transfer them to the infected PC.. Then run them in the order below..

1- Stinger_Conficker.exe from McAfee
2- EConfickerRemover.exe from ESET
3- Remover from BitDefender
4- Microsoft Malicious Software Removal Tool


Then reboot the computer and patch it with this security update..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

baok, there's a new malware now..

Intrusion.Win.NETAPI.buffer-overflow.exploit

can the tool steps above be used for it?

this malware disables the antivirus / spyware updater, but internet surfing still works.. and sometimes it disrupts certain other parts of the network, like printer sharing etc.

Intrusion.Win.NETAPI.buffer-overflow.exploit is still in the Win.Kido category, but variant "r"; it attacks port 445 (file sharing). You have to disinfect the computers one by one, disconnecting each from the network first.. you can try online scanning using Kaspersky Online Scanner, etc.

Found an effective way to deal with this thing

Code:
Intrusion.Win.NETAPI.buffer-overflow.exploit! Protocol/service: TCP on local port 445


You need to download 3 tools from Microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx

Finally, scan with Kido Killer v3.4.6
Code:
http://go2.wordpress.com/?id=725X1342&site=basilkp05.wordpress.com&url=http%3A%2F%2Fdata2.kaspersky.com%3A8080%2Fspecial%2FKK_v3.4.6.zip


Last of all, restart the PC; network, AV updates, and file and printer sharing all work again as normal.. This thing happens because Win XP SP2 isn't fully up to date with Microsoft's latest patches, so anyone on Win XP SP3 can be said to be safe

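The alert quoted above fires when a Conficker-infected neighbour sends the MS08-067 exploit to the Server service on TCP 445. The condition that makes a host a target is two things together: port 445 listening on a network-facing address and MS08-067 not installed. As an added example, not part of any poster's procedure, the Python below checks both from the text of `systeminfo` and `netstat -an` copied off the host, so it can be run from a clean machine against each PC before it goes back on the network. It keys on the hotfix IDs Microsoft assigned to the three bulletins named in the post (KB958644 for MS08-067, KB957097 for MS08-068, KB958687 for MS09-001) rather than on the service pack level, because MS08-067 was released in October 2008, after XP SP3. The sample command outputs are constructed.

```python
"""Added check, not part of any poster's procedure: is the condition behind the
Intrusion.Win.NETAPI.buffer-overflow.exploit alert still present on a host,
i.e. TCP 445 reachable from the network while MS08-067 is not installed?
Runs on the text of `systeminfo` and `netstat -an` copied from the host.
The sample outputs below are constructed for the example."""
import re

# Bulletin -> hotfix ID that systeminfo lists once the update is installed.
REQUIRED = {
    "KB958644": "MS08-067 Server service RPC overflow (CVE-2008-4250), the Conficker vector",
    "KB957097": "MS08-068 SMB credential reflection",
    "KB958687": "MS09-001 SMB packet validation",
}

# Constructed systeminfo excerpt: XP SP3 with two of the three patches.
SAMPLE_SYSTEMINFO_UNPATCHED = """\
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB936929 - Service Pack 3
                           [02]: KB957097
                           [03]: KB958687
"""
# Same host after installing MS08-067.
SAMPLE_SYSTEMINFO_PATCHED = SAMPLE_SYSTEMINFO_UNPATCHED + \
    "                           [04]: KB958644\n"

# Constructed `netstat -an` excerpt: Server service bound on all interfaces.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1234      192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""


def installed_kbs(systeminfo_text):
    """Hotfix IDs present in systeminfo output (SP3 itself appears as KB936929)."""
    return {kb.upper() for kb in re.findall(r"\bKB\d{6,7}\b", systeminfo_text, re.I)}


def missing_patches(systeminfo_text):
    """Required SMB/NETAPI patches not present, as sorted (KB, description) pairs."""
    have = installed_kbs(systeminfo_text)
    return sorted((kb, why) for kb, why in REQUIRED.items() if kb not in have)


def smb_listeners(netstat_text):
    """Local addresses on which TCP 445 is LISTENING, loopback excluded."""
    addrs = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            host, _, port = parts[1].rpartition(":")
            if port == "445" and not host.startswith("127."):
                addrs.append(host)
    return addrs


def netapi_exploitable(systeminfo_text, netstat_text):
    """True when the Server service is network-reachable and MS08-067 is missing."""
    unpatched = any(kb == "KB958644" for kb, _ in missing_patches(systeminfo_text))
    return bool(smb_listeners(netstat_text)) and unpatched


if __name__ == "__main__":
    for label, info in (("unpatched", SAMPLE_SYSTEMINFO_UNPATCHED),
                        ("patched", SAMPLE_SYSTEMINFO_PATCHED)):
        print(label, "missing:", [kb for kb, _ in missing_patches(info)],
              "445 on:", smb_listeners(SAMPLE_NETSTAT),
              "exploitable:", netapi_exploitable(info, SAMPLE_NETSTAT))
```

Disinfecting a host that still reports `exploitable: True` is wasted effort in a cafe full of infected peers: it will be re-exploited over 445 as soon as the cable goes back in, which matches the "one by one, off the network first" advice above.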
I've probably been hit by this thing too, that's why I can't update KAV,

I added this Kaspersky IP, and only then could it update as usual.

(see the topic I opened the other day)

Wassalam

