♥♠♠♥ Posted March 14, 2009
baok wrote: Upload from here.. That's the latest version I uploaded to 2shared.. Code: http://www.2shared.com/file/5046053/4d454c63/Kido.html
Thanks Mr Baok.. Good job
zer0Nehza Posted March 15, 2009
baok wrote: Hello zeronehza.. I have a small question... First ComboFix log: Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe. Second ComboFix log: Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe. Why is that?.. Are those from the same PC or a different PC? Please don't edit the log.
Erm.. Not awesome.. Either the file changed its name after reboot.. Or you did the same steps on 2 different PCs.. Please don't do the same steps on different PCs.. Let's do this...
But first, a question.. I detected a file associated with a commercial keylogger on that PC... Was any keylogger installed (of the Ardamax kind)? I don't want to remove that file yet, just asking the computer's owner first..
OR
Has that PC ever had any antivirus/software installed that uses a crack (especially ESET or TuneUp)?
We'll do two deep scans to see what services/drivers may be hidden.. There are a lot of scans.. Just be patient.. Do these steps only for the ccdiskmaserver PC..
1. Please open Notepad. If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::
NetSvc::
svboyghgfcqiwy
Driver::
svboyghgfcqiwy
File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\tmp4EC3.tmp
c:\windows\system32\tmp4EC2.tmp
c:\windows\system32\Sys\AKV.exe
c:\windows\system32\Sys\QHUX.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply: Combofix.txt and a new HijackThis log.
NEXT
Download avz4.zip from HERE. Unzip it to your desktop to a folder named avz4. Double click on AVZ.exe to run it. Run an update by clicking the Auto Update button on the right of the Log window: click Start to begin the update. Note: If you receive an error message, choose a different source, then click Start again.
1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.
After that, please restart AVZ again. From the "File" menu, choose "Standard Scripts". Put a check next to item 2: Advanced System Investigation. Click Execute selected scripts. At the next prompt, click the OK button. Let the scan run and click "OK" when the completion prompt pops up. Now close out of the Standard Scripts window, and exit AVZ. Navigate to the avz4 folder and locate the folder LOG. Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip. Attach virusinfo_syscheck.htm to your next reply.
NEXT
Please download GMER and unzip it to your Desktop. <<mirror>>
Open the program and click on the Rootkit tab. Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'. Click on Scan. When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread. IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result.
Zip the logs below into one folder and upload to RS as usual here..
1. ComboFix
2. virusinfo_syscheck.htm
3. GMER
This Kido is still there. I'll try the steps above again. Wait for my feedback.
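The CFScript in the post above is a ComboFix directive file, and a helper should be able to state exactly what it will kill and delete before it is dragged onto ComboFix.exe. This added Python example (not from the thread and not ComboFix's own code) parses a constructed copy of that script into its sections and decodes the Registry:: lines; the section and deletion syntax it assumes is only what the quoted script itself shows.

```python
# Constructed copy of the CFScript posted in the thread above (same entries).
CFSCRIPT = r"""
KillAll::
NetSvc::
svboyghgfcqiwy
Driver::
svboyghgfcqiwy
File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\tmp4EC3.tmp
c:\windows\system32\tmp4EC2.tmp
c:\windows\system32\Sys\AKV.exe
c:\windows\system32\Sys\QHUX.exe
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]
"""

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a 'Name::' line opens a section."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::") and line[:-2].isalpha():
            current = line[:-2]
            sections.setdefault(current, [])   # KillAll:: has no entries
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections

def registry_ops(entries):
    """[-key] deletes a whole key; "name"=- deletes one value under the last [key]."""
    ops, key = [], None
    for e in entries:
        if e.startswith("[-") and e.endswith("]"):
            ops.append(("delete_key", e[2:-1], None))
            key = None
        elif e.startswith("[") and e.endswith("]"):
            key = e[1:-1]                       # subsequent "name"=- lines apply here
        elif e.startswith('"') and e.endswith("=-") and key:
            ops.append(("delete_value", key, e[1:e.rindex('"')]))
        else:
            ops.append(("unrecognised", key, e))  # flag anything the reviewer must eyeball
    return ops
```

Run on the quoted script, the parser reports one service and one driver (svboyghgfcqiwy) to remove, five files to delete, the firewall exception for TCP 5848 to drop and two registry keys to delete.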
mitutoyo Posted March 15, 2009
zero.. what symptoms are you still getting?
zer0Nehza Posted March 15, 2009
Network browsing disabled, AV update disabled, application sound disabled, Windows sound is still there..
mitutoyo Posted March 15, 2009
Huh.. that's bad. I got it before; at that point I just couldn't get onto AV websites or update. Now it's a bit better, it's just that there are some variants AVG can't delete, i-worm/brontok, in the reports.
zer0Nehza Posted March 15, 2009
That's right.. those are its symptoms.. can't surf... AV can't update.. but my clients use DF... restart the PC and it's OK again... the problem is it's a hassle every time that happens.. KIS detects and deletes, and it really does delete... but restart the PC and it's back.. Autorun Eater detects the variant as autorun.inf / kido.ih or kido.extapi, can't delete / access denied.. btw baok, here are my logs. Code: http://rapidshare.com/files/209380141/log.rar
mitutoyo Posted March 15, 2009
What does this thing eat to be so strong, what kind of spinach is it.. huhuhu.. the Kido tool from Kaspersky doesn't work either, F-Secure's doesn't, Avast's doesn't.. so what does work..
baok_1 Posted March 15, 2009
I need some clarifications here.. "but my clients use DF"
1. So that's not your PC, but a client's PC? Wow.. Why not let that client post here.. At least it promotes PUTERA..
2. DF = DeepFreeze?.. I can't help until the user uninstalls DeepFreeze.. Any Malware Helper would be reluctant to help if the user uses DeepFreeze.. Not because DeepFreeze isn't good.. DeepFreeze is very good, but if you want to clean a computer, DeepFreeze will only complicate things..
3. So is the ccdiskmaserver PC your PC or the client's PC? Is there still a problem with the ccdiskmaserver PC?.. Because from the ComboFix and AVZ logs, I no longer see anything malicious (except in System Restore.. that can be cleared later).. Does the ccdiskmaserver PC use DeepFreeze?
zer0Nehza Posted March 15, 2009
Looks like there's a misunderstanding.. "client" means my PCs in the cyber cafe.. total is 25 clients.. ccdiskmaserver (the game server that contains the virus kido.ex.ih etc...). The clients are all frozen.. the server is not frozen.. the clients really have no virus... except when that game server is up.. they load cakeservice from the server.. only then is the virus detected coming from the server into the clients... a client running standalone (game server off) is really clean of the virus... this virus seems to replicate constantly.. even though the status says deleted.. reboot the PC and it's back..
Experiment.. I put the server PC on standalone... the other PCs not on (to make sure the virus isn't coming from another PC on the network). The result is the same.. the virus really persists on the ccdiskmaserver server.. I'm stuck with this
baok_1 Posted March 15, 2009
Sorry.. I misunderstood...
OK.. Reboot that PC, then patch it first with the October security update below..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Then download and run the Microsoft Removal Tool.. Remove everything it finds..
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
(If you can't get onto the MS site, get it from any other PC and burn it to CD (don't use a thumbdrive because Winkido can spread through pendrives).)
Then reboot and run ComboFix once more.. Post the ComboFix log here.. At the same time, right after running ComboFix, try going to any antivirus website, and see whether you can get in or not..
zer0Nehza Posted March 16, 2009
I've done the steps above.. can surf.. can update AV, can get onto AV websites.. and it really feels like the virus is gone.. Never mind.. the very last step I'll try on a few infected clients.. because not all clients detect it.. maybe this Kido has spread to the partition.. (the partition that isn't frozen) and becomes active as a service after Windows comes up..
I'll try it first and see how it goes...
ADi_CTeD Posted March 21, 2009
Use this link to download this scanner... just like a patch, then run it and scan... you can choose full scan or custom scan. I also got hit by this thing, couldn't delete it before... finally found this link, alhamdulillah the thing is gone now...
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en
mitutoyo Posted March 21, 2009
ADi_CTeD wrote: Use this link to download this scanner... just like a patch, then run it and scan... you can choose full scan or custom scan. I also got hit by this thing, couldn't delete it before... finally found this link, alhamdulillah the thing is gone now... http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en
Thank you brother, I think zero has already done that step; baok gave that tutorial earlier (refer to page 4)
baok_1 Posted March 29, 2009
Hello.. Finally, I managed to infect my test PC with this Winkido/Downadup virus.. The best way is always manual removal but that will be a major hassle for newbies..
OK, if you want to use tools, I recommend the following.. (you may need to download the tools on another PC and then transfer them to the infected PC via CD/pendrive)
Download all these programs and transfer them to the PC with the virus.. Then run them in the order below..
1- Stinger_Conficker.exe from McAfee
2- EConfickerRemover.exe from ESET
3- Remover from BitDefender
4- Microsoft Malicious Removal Tool
Then reboot the computer and patch it with this security update..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
zer0Nehza Posted August 16, 2009
baok, now there's a new malware.. Intrusion.Win.NETAPI.buffer-overflow.exploit. Can I use the tool steps above? This malware disables the antivirus / spyware updater, but surfing the internet still works.. and sometimes it disrupts certain other parts of the network like printer sharing etc.
e_sentinel Posted August 16, 2009
Intrusion.Win.NETAPI.buffer-overflow.exploit is still in the Win.Kido category but variant "r"; it attacks port 445 (file sharing). You have to disinfect the computers one by one, disconnecting them from the network first.. you can try online scanning using Kaspersky Online Scanner, etc.
zer0Nehza Posted September 25, 2009
I've found an effective way to deal with this thing:
Code: Intrusion.Win.NETAPI.buffer-overflow.exploit! Protocol/service: TCP on local port 445
You need to download 3 tools from Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-001.mspx
Lastly scan with Kido Killer v3.4.6
Code: http://go2.wordpress.com/?id=725X1342&site=basilkp05.wordpress.com&url=http%3A%2F%2Fdata2.kaspersky.com%3A8080%2Fspecial%2FKK_v3.4.6.zip
Finally restart the PC; network, AV updates and file/printer sharing work as usual again.. This thing happens because Win XP SP2 isn't up to date with the latest Microsoft patches, so anyone using Win XP SP3 can be said to be safe
malaynux Posted September 26, 2009
I think I got hit by this thing too, that's why I couldn't update KAV. I added this Kaspersky IP and then could update as usual. (See the topic I opened yesterday.) Wassalam
zer0Nehza Posted October 13, 2009
I tried your IP method.. but it didn't work.. in the end I found the solution above
AhmadSyazwan Posted October 31, 2009
Kido is really scary too.. this Kido attacks the network and the antivirus websites can't be accessed