zer0Nehza

Virus winkido - kaspersky alert


No worries.. just post it here so I can take a look.. GVR didn't detect it?

Oh yes, plug that external stick into the PC, then download >> run MS Malware Removal Tool..

http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en


---------edit--------------

Don't forget to apply the Windows Update patch below if you haven't already..

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Is that the CC server? From the picture, copy/paste suspicious file 1 and suspicious file 2 and post the full path here..


Uninstall SweetIM if you don't use it..



NEXT


Go HERE and download ERUNT

Then install and run ERUNT to back up the Registry.. Refer HERE for how to back up the Registry with ERUNT




NEXT


Delete the old ComboFix and download the new one from the link below.. DON'T run it yet..

Link 2




NEXT


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

NetSvc::
nbagxs
ooolukg
liard

Driver::
nbagxs
ooolukg
liard

File::
c:\windows\system32\gzsuh.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2126:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c9c86ac-e7b5-11dd-826c-00235494274e}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nbagxs]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ooolukg]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

HijackThis log
Code:
Logfile of HijackThis v1.99.1
Scan saved at 12:59:56 AM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\CCDISK1.6\CakeService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mercs2.com/
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BC808E-8779-42FF-891C-8B08BBFCA67D}: NameServer = 202.188.1.5,202.188.0.133
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: iSCSICake (CakeService) - Unknown owner - C:\CCDISK1.6\CakeService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe




ComboFix log
Code:
http://rapidshare.com/files/203665731/2ComboFix.txt

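As an added example (not from this thread, and not part of HijackThis itself), here is a small Python triage pass over log lines in the HijackThis v1.99.1 format shown above: it flags O23 services whose binary is missing or whose publisher is unknown, O4 autoruns launched from user-writable folders, and O17 NameServer entries outside an allowlist. The sample log is constructed (modelled on the posted log), and the trusted DNS set and suspect-directory list are assumptions to adjust for your own environment.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, modelled on the log posted in this thread.
# The "updater" O4 line is an invented negative case, not something from the posted log.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BC808E-8779-42FF-891C-8B08BBFCA67D}: NameServer = 202.188.1.5,202.188.0.133
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")

# Assumption: the resolvers this network is expected to use; anything else on O17 deserves a look.
TRUSTED_DNS = {"202.188.1.5", "202.188.0.133"}
# Assumption: user-writable locations a legitimate Run entry rarely launches from.
SUSPECT_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\application data\\")

def parse_entries(log_text):
    """Split a HijackThis log into (section, body) pairs such as ('O23', 'Service: ...')."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def triage(log_text, trusted_dns=TRUSTED_DNS):
    """Return (section, reason, detail) tuples for entries a responder should check by hand."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m and "(file missing)" in m.group("path"):
                findings.append((section, "service binary missing", m.group("name")))
            elif m and m.group("owner") == "Unknown owner":
                findings.append((section, "service has no publisher", m.group("name")))
        elif section == "O4":
            m = RUN_RE.match(body)
            if m and any(d in m.group("cmd").lower() for d in SUSPECT_DIRS):
                findings.append((section, "autorun from user-writable path", m.group("cmd")))
        elif section == "O17":
            m = NS_RE.search(body)
            if m:
                unknown = sorted(set(m.group("servers").split(",")) - set(trusted_dns))
                if unknown:
                    findings.append((section, "unexpected DNS server", ",".join(unknown)))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section}: {reason}: {detail}")
```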
Hello zeronehza.. I have a small question...

The first ComboFix log

Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe


The second ComboFix log

Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe


Why is that?.. Is that from the same PC or a different PC? Please don't edit the log ::icon_smile::



Erm.. Not awesome.. Either that file changed its name after the reboot.. Or you did the same steps on 2 different PCs.. Please don't do the same steps on different PCs.. Let's do this...

But, I want to ask.. Firstly, I detected a file associated with a commercial keylogger on that PC... Did you install any keylogger (something like Ardamax)? I don't want to remove that file yet, just asking the computer's owner first..

OR

Has that PC ever had any antivirus/software installed that uses a crack (especially ESET or TuneUp)?

We'll do two deep scans to see what services/drivers might be hidden.. There are a lot of scans.. Just be patient, ok.. ::icon_razz::


Do these steps only on the ccdiskmaserver PC..


1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter


2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
KillAll::

NetSvc::
svboygh
gfcqiwy

Driver::
svboygh
gfcqiwy


File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\tmp4EC3.tmp
c:\windows\system32\tmp4EC2.tmp
c:\windows\system32\Sys\AKV.exe
c:\windows\system32\Sys\QHUX.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.





NEXT


Download avz4.zip from HERE

  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again



1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the 3. Healing/Quarantine and Advanced System Investigation check box.
3. Click on the Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.




  • After that, please restart AVZ again,
  • From the "File" menu, choose "Standard Scripts"
  • Put a check next to item 2: Advanced System Investigation
  • Click Execute selected scripts
  • At the next prompt, click the OK button
  • Let the scan run and click "OK" when the completion prompt pops up
  • Now Close out of the Standard Scripts window, and exit AVZ
  • Navigate to the avz4 folder and locate the folder LOG
  • Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
  • Attach virusinfo_syscheck.htm to your next reply




NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result



Zip the logs below into one folder and upload to RS as usual here..

1. ComboFix
2. virusinfo_syscheck.htm
3. GMER

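The two CFScript codeboxes in this thread use ComboFix's section format (KillAll::, NetSvc::, Driver::, File::, Registry::) with .reg-style lines in the Registry section, where `[-Key]` deletes a key and `"name"=-` deletes a value under the preceding `[Key]`. As an added example (not from the thread or from ComboFix), here is a Python summariser that reads such a script and lists what it would touch, so a responder can review a script before dropping it onto ComboFix.exe. The sample script is constructed from a trimmed copy of the second script posted above; the parsing of `=-` and `[-...]` follows the standard .reg conventions and is an assumption about how ComboFix interprets them.

```python
# Constructed sample: a trimmed copy of the second CFScript posted in this thread.
SAMPLE_SCRIPT = r"""
KillAll::

NetSvc::
svboygh
gfcqiwy

Driver::
svboygh
gfcqiwy

File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\Sys\AKV.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
"""

def parse_cfscript(text):
    """Group the script into {section: [lines]}; a section header is a line ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections

def registry_actions(lines):
    """Translate .reg-style lines into (action, key, value) tuples (assumed .reg semantics)."""
    actions, key = [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            actions.append(("delete_key", line[2:-1], None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]            # subsequent "name"=- lines apply to this key
        elif line.endswith("=-") and key:
            actions.append(("delete_value", key, line[:-2].strip('"')))
    return actions

def summarize(text):
    """Everything the script asks ComboFix to stop, delete or edit, in one dict."""
    s = parse_cfscript(text)
    return {"kill_all": "KillAll" in s, "services": s.get("NetSvc", []),
            "drivers": s.get("Driver", []), "files": s.get("File", []),
            "registry": registry_actions(s.get("Registry", []))}

if __name__ == "__main__":
    for k, v in summarize(SAMPLE_SCRIPT).items():
        print(k, "->", v)
```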
lol so many more steps.. ok ok no prob.. I'll have to test tomorrow.. no time tonight.. hehe..
btw two different PCs, but both had that external plugged in.. ok from now on I'll only do it on one PC, this one
Code:
Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe


btw, no keylogger installed. Only using one AV now, KIS 7, previously tested ESET and various others, but already uninstalled.

Whoa bro, those steps are long.. ::icon_sad:: I cried reading those steps. Nearly 200 PCs at my workplace are infected by kido/conficker/downad.ad.

baok wrote:::icon_arrow:: feedback please..

sorry, still quite busy.. besides, that PC has been running 14+ hours.. (without reboot/shutdown)
can't just restart it like that... wait a little longer.. haven't had time to test..

I just tried kido killer v3.3 (latest)
it detected kido and deleted it. Now I'm testing to see whether it's still there or not.. so far it's gone.

I just tried kido killer v3.3 (latest)


Which one?.. The Symantec one or the F-Secure one? Can you give the link?

there are many removers for Winkido..

Hello.. That's KidoKiller from Kaspersky... The RapidShare link is the old version.. Always use the new version from the link below..

Code:
http://support.kaspersky.com/faq?chapter=207800963&print=true&qid=208279973



Any more problems with Winkido?..

I can't download kidokiller from kaspersky. "The page cannot be displayed" ::icon_sad:: Can't download from rapidshare either. It's blocked. ::icon_pale::

Access Blocked

Your access to the website dc98.2shared.com/download/5046053/4d454c63/Kido.zip?tsid=20090310-205706-5074c3c6 has been blocked and logged
because it contains Peer-to-Peer elements
that violate the internet access policy, Bla bla bla bla...


::icon_sad:: ::icon_sad:: Wehh.. I have no internet at home bro.. how sad.. I'm still stuck trying to kill this virus..

does this virus infect Win Vista too? or just Win XP?

Thanks bro baok. mon678, so far I don't see any signs of kido intruding on the Vista OS (the PC I'm using) ?? or maybe before the kido virus knocked on my PC's door, kaspersky had already kicked it out ??.

What I've observed at my workplace is that kido spreads via thumb drives and also over the network. PCs that already had BitDefender or Kaspersky AV installed and regularly updated were spared from the kido virus.

Pip pip.. still under observation. Next week at my workplace.. (if nothing gets in the way, the operation to beat up kido will be carried out by me, as a solo participant.)

kido is pretty bad too, I also have 1 PC that hasn't fully recovered, AVG detects it but can't delete it, don't know what variant is left, I haven't had time to grab the report yet because I'm out, haven't gone back to the lab yet
