baok_1 (posted February 26, 2009):
No problem.. just post it here, I want to have a look.. Didn't GVR detect it?
Oh yes, plug the external drive into the PC, then download >> run the MS Malware Removal Tool..
http://www.microsoft.com/downloads/details.aspx?familyid=ad724ae0-e72d-4f54-9ab3-75b8eb148356&displaylang=en

--------- edit --------------
Don't forget to apply the Windows Update patch below if you haven't already..
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
zer0Nehza (posted February 28, 2009):
Here is the ComboFix log
Code:
http://rapidshare.com/files/203546013/ComboFix.txt
ComboFix does delete it.. but after plugging the USB back in.. it comes back.
baok_1 (posted February 28, 2009):
Is that the CC server? For the ones in the picture, copy/paste suspicious file 1 and suspicious file 2 and post the full path here..
Uninstall SweetIM if you don't use it..

NEXT
Go HERE and download ERUNT. Then install and run ERUNT to back up the Registry.. Refer HERE for how to back up the Registry with ERUNT.

NEXT
Remove the old ComboFix and download the new one from the link below.. DON'T run it yet..
Link 2

NEXT
1. Please open Notepad. If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

NetSvc::
nbagxsooolukgliard

Driver::
nbagxsooolukgliard

File::
c:\windows\system32\gzsuh.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2126:TCP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c9c86ac-e7b5-11dd-826c-00235494274e}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nbagxs]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ooolukg]
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.
zer0Nehza (posted March 1, 2009):
HijackThis log
Code:
Logfile of HijackThis v1.99.1
Scan saved at 12:59:56 AM, on 3/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20861)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\CCDISK1.6\CakeService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.mercs2.com/
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{B8BC808E-8779-42FF-891C-8B08BBFCA67D}: NameServer = 202.188.1.5,202.188.0.133
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: iSCSICake (CakeService) - Unknown owner - C:\CCDISK1.6\CakeService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

ComboFix log
Code:
http://rapidshare.com/files/203665731/2ComboFix.txt
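A small triage helper for a HijackThis log of this kind, added here as an example; it is not from the thread, from the helper, or from HijackThis itself. It parses the O4 (Run key) and O23 (service) lines, flags services whose binary is reported missing or whose owner is unknown, and flags names made of almost no vowels, which is how the random-looking service and DLL names in this thread stand out from the rest. The sample lines are a few taken from the log above plus one constructed entry at the end (the service name xqvbzkwrtm and its path are made up).

```python
import re
from dataclasses import dataclass, field

# Sample input: a few O4/O23 lines from the log above plus one constructed
# line (the last one) with a made-up service name and DLL path.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" -r (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: xqvbzkwrtm - Unknown owner - C:\WINDOWS\system32\kwcvkyvm.dll
"""

FILE_MISSING = "service binary missing"
UNKNOWN_OWNER = "no publisher / unknown owner"
RANDOM_NAME = "random-looking name"

# O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 - Service: Display name (ShortName) - Owner - path
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str                      # "O4" or "O23"
    name: str                      # short service name or Run value name
    reasons: list = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic: 8+ letters with fewer than 20% vowels.
    Catches names like kwcvkyvm, but legitimate names can trip it too
    (PnkBstrA, the PunkBuster service, is a known false positive),
    so treat a hit as a prompt to check the publisher, not as a verdict."""
    s = name.lower()
    if not s.isalpha() or len(s) < 8:
        return False
    vowels = sum(c in "aeiou" for c in s)
    return vowels / len(s) < 0.2


def short_name(name: str) -> str:
    """'Kaspersky Internet Security 7.0 (AVP)' -> 'AVP'; plain names unchanged."""
    m = re.search(r"\(([^()]+)\)\s*$", name)
    return m.group(1) if m else name


def binary_stem(path: str) -> str:
    """Last path component without extension, e.g. 'kwcvkyvm' for the DLL path."""
    tail = re.split(r"[\\/]", path.strip().strip('"'))[-1]
    return tail.split(".")[0]


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O23 line that has at least one reason."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            f = Finding("O23", short_name(m["name"]))
            if "(file missing)" in m["path"]:
                f.reasons.append(FILE_MISSING)
            if m["owner"] == "Unknown owner":
                f.reasons.append(UNKNOWN_OWNER)
            if looks_random(f.name) or looks_random(binary_stem(m["path"])):
                f.reasons.append(RANDOM_NAME)
            if f.reasons:
                findings.append(f)
            continue
        m = O4_RE.match(line)
        if m:
            f = Finding("O4", m["name"])
            if looks_random(f.name) or looks_random(binary_stem(m["cmd"])):
                f.reasons.append(RANDOM_NAME)
            if f.reasons:
                findings.append(f)
    return findings


def reasons_by_name(log_text: str) -> dict:
    """Convenience view: {entry name: [reasons]}."""
    return {f.name: f.reasons for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name}: {', '.join(f.reasons)}")
```

On the sample, AVP is flagged for the missing binary and unknown owner, PnkBstrA and xqvbzkwrtm for unknown owner plus a random-looking name, and NVSvc and the O4 entries are not flagged; the PnkBstrA hit is the kind of false positive a reviewer clears by checking the vendor.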
biosfree (posted March 1, 2009):
I'm using a genuine KIS09.... eh, if it can't delete it that's a pain too.... and I only just formatted...... tired already...
baok_1 (posted March 1, 2009):
Hello zeronehza.. I have a quick question...
First ComboFix log:
Running from: c:\documents and settings\HandyCafe Server\Desktop\ComboFix.exe
Second ComboFix log:
Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe
Why is that?.. Are those from the same PC or a different PC? Please don't edit the logs.

Erm.. Not awesome.. Either the file changes its name after a reboot.. or you ran the same steps on 2 different PCs.. Please don't run the same steps on different PCs..

Let's do this... But first, a question.. I found a file on that PC associated with a commercial keylogger... Has any keylogger been installed (the Ardamax kind)?.. I don't want to remove that file yet, just asking the owner of the computer first..
OR
Has that PC ever had any antivirus/software installed with a crack (especially ESET or TuneUp)?

We'll do two deep scans to see what services/drivers may be hidden.. Lots of scans.. Just be patient..

Do these steps only for the ccdiskmaserver PC..

1. Please open Notepad. If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

NetSvc::
svboyghgfcqiwy

Driver::
svboyghgfcqiwy

File::
c:\windows\system32\kwcvkyvm.dll
c:\windows\system32\tmp4EC3.tmp
c:\windows\system32\tmp4EC2.tmp
c:\windows\system32\Sys\AKV.exe
c:\windows\system32\Sys\QHUX.exe

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\svboygh]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0252faf3-e562-11dd-96dc-806d6172696f}]
3. Save the above as CFScript.txt
4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.

NEXT
Download avz4.zip from HERE
Unzip it to your desktop to a folder named avz4
Double click on AVZ.exe to run it.
Run an update by clicking the Auto Update button on the right of the Log window: click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again
1. Start AVZ.
2. Choose from the menu File => Standard scripts and mark the "3. Healing/Quarantine and Advanced System Investigation" check box.
3. Click on Execute selected scripts.
4. Automatic scanning, healing and system check will be executed.
5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
7. All applications will work properly after the system restart.
After that, please restart AVZ again. From the "File" menu, choose "Standard Scripts"
Put a check next to item 2: Advanced System Investigation
Click Execute selected scripts
At the next prompt, click the OK button
Let the scan run and click "OK" when the completion prompt pops up
Now close out of the Standard Scripts window, and exit AVZ
Navigate to the avz4 folder and locate the folder LOG
Inside the LOG folder you will find virusinfo_syscheck.htm and virusinfo_syscheck.zip
Attach virusinfo_syscheck.htm to your next reply

NEXT
Please download GMER and unzip it to your Desktop. <<mirror>>
Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.
IMPORTANT: Do NOT run any program while you are doing this scan as it may interfere with the output result.

Zip the logs below into one folder and upload to RS as usual here..
1. ComboFix
2. virusinfo_syscheck.htm
3. GMER
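The CFScript above is a plain-text list of sections (KillAll::, NetSvc::, Driver::, File::, Registry::) with one entry per line; the Registry:: section uses .reg syntax, where [-KEY] removes a key and "name"=- removes a value under the key named on the preceding line. The parser below is an added example, not part of the thread and not ComboFix's own code: it turns a script in that layout into a plain summary of what it would remove, so the owner of the machine can check each path and key against what they know before dragging the file onto ComboFix. The sample script is constructed in the same layout; the service name exampledrv and the file names in it are made up, and the wording of the summary follows how the sections are used in this thread (files listed for deletion, services and netsvcs entries removed).

```python
import re

# Constructed sample in the CFScript layout used in this thread.
# 'exampledrv' and the file names are made up; the port value is the one
# used in the thread's script.
SAMPLE_CFSCRIPT = r"""
KillAll::

NetSvc::
exampledrv

Driver::
exampledrv

File::
c:\windows\system32\example1.dll
c:\windows\system32\tmpEXAMPLE.tmp

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5848:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\exampledrv]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")       # e.g. File::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")             # [KEY] or [-KEY]
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')        # "name"=-


def parse_cfscript(text: str) -> dict:
    """Parse a CFScript into a plan of what it touches.
    Raises ValueError on lines it cannot classify, so an unfamiliar
    construct is surfaced rather than silently ignored."""
    plan = {"kill_all": False, "netsvc": [], "driver": [], "file": [],
            "reg_delete_keys": [], "reg_delete_values": []}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            if section == "killall":
                plan["kill_all"] = True
            continue
        if section in ("netsvc", "driver", "file"):
            plan[section].append(line)
        elif section == "registry":
            k = KEY_RE.match(line)
            if k:
                if k.group(1) == "-":          # [-KEY]: whole key deleted
                    plan["reg_delete_keys"].append(k.group(2))
                    current_key = None
                else:                          # [KEY]: values below refer to it
                    current_key = k.group(2)
                continue
            v = VALUE_DEL_RE.match(line)
            if v and current_key:
                plan["reg_delete_values"].append((current_key, v.group(1)))
            else:
                raise ValueError(f"unrecognised Registry:: line: {line}")
        else:
            raise ValueError(f"line outside a known section: {line}")
    return plan


def summarize(plan: dict) -> list:
    """One human-readable line per action, for review before running."""
    lines = []
    if plan["kill_all"]:
        lines.append("KillAll:: present: running processes are stopped before cleanup")
    for name in plan["netsvc"]:
        lines.append(f"netsvcs entry removed: {name}")
    for name in plan["driver"]:
        lines.append(f"driver/service removed: {name}")
    for path in plan["file"]:
        lines.append(f"file deleted: {path}")
    for key in plan["reg_delete_keys"]:
        lines.append(f"registry key deleted: {key}")
    for key, value in plan["reg_delete_values"]:
        lines.append(f"registry value deleted: {value} under {key}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(line)
```

Reading the summary for the thread's own script shows the two things worth confirming with the machine's owner before running it: that none of the File:: paths belongs to software they installed, and that the firewall port being closed (the "NNNN:TCP"=- value under GloballyOpenPorts) is not one a legitimate service on that PC needs.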
zer0Nehza (posted March 1, 2009):
lol, so many more steps.. ok ok, no problem.. I'll have to test it tomorrow.. no time tonight.. hehe..
btw, two different PCs, but both had that external drive plugged in.. ok, after this I'll only do it on one PC, this one:
Code:
Running from: c:\documents and settings\ccdiskmaserver\Desktop\ComboFix.exe
btw, no keylogger installed. Now using only one AV, KIS 7; previously tested ESET and all sorts, but already uninstalled.
baok_1 (posted March 1, 2009):
Ok.. no worries.. do the steps above only for the ccdiskmaserver PC.
Take note that I just edited the steps above..
baok_1 (posted March 2, 2009):
feedback please..
kodOk (posted March 5, 2009):
Whoa bro, those steps are long.. I was nearly in tears reading them. Nearly 200 PCs at my workplace are infected by kido/conficker/downad.ad.
HyBriDz (posted March 5, 2009):
Have you tried f-downadup?? I tried it the other day because my KIS09 detected it but couldn't remove it.. even after many tries.. but in the end this thing worked.. try searching for it on Google.
zer0Nehza (posted March 5, 2009):
baok wrote: feedback please..
Sorry, still quite busy.. besides, that PC has been running 14+ hours.. (without reboot/shutdown), can't just restart it like that... give it a bit more time.. haven't had time to test..
baok_1 (posted March 5, 2009):
Ok.. I'll be offline from tomorrow until Tuesday.. taking leave.. so I'll be back online Tuesday/Wednesday next week..
zer0Nehza (posted March 9, 2009):
I just tried Kido Killer v3.3 (latest). It detected kido and deleted it. Now testing to see whether it is still there.. so far it's gone.
baok_1 (posted March 9, 2009):
"I just tried Kido Killer v3.3 (latest)"
Which one?.. The Symantec one or the F-Secure one? Can you give the link? There are lots of removers for Winkido..
zer0Nehza (posted March 10, 2009):
Forgot where the source link was.. but I used this one
Code:
http://rapidshare.com/files/207214930/KidoKiller.rar
baok_1 (posted March 10, 2009):
Hello.. That KidoKiller is from Kaspersky... That RapidShare link is an old version.. Always use the latest version from the link below..
Code:
http://support.kaspersky.com/faq?chapter=207800963&print=true&qid=208279973
Any more problems with Winkido?..
kodOk (posted March 10, 2009):
I can't download KidoKiller from Kaspersky. "The page cannot be displayed". Can't download from RapidShare either. It's blocked.
baok_1 (posted March 10, 2009):
Download it from here.. That's the latest version, which I uploaded to 2shared..
Code:
http://www.2shared.com/file/5046053/4d454c63/Kido.html
mitutoyo (posted March 10, 2009):
Thanks baok.
kodOk (posted March 11, 2009):
"Access Blocked. Your access to the website dc98.2shared.com/download/5046053/4d454c63/Kido.zip?tsid=20090310-205706-5074c3c6 has been blocked and logged because it contains Peer-to-Peer elements that violate the internet access policy, blah blah blah..."
Wehh.. I don't have internet at home, bro.. tragic.. still stuck here wanting to kill this virus..
baok_1 (posted March 11, 2009):
kodOk, PM replied..
mon678 (posted March 11, 2009):
Does this virus infect Win Vista too? Or just Win XP?
kodOk (posted March 12, 2009):
Thanks bro baok.
mon678, for now I haven't seen any sign of kido breaking into the Vista OS (the PC I'm using)?? Or maybe before the kido virus knocked on my PC's door, Kaspersky had already kicked it out??
What I've observed at my place is that kido spreads through thumb drives and also over the network. PCs that already had BitDefender or Kaspersky AV installed and regularly updated were spared from the kido virus.
Pip pip.. still under observation. Next week at my workplace.. (if nothing gets in the way, the operation to beat down kido will be carried out by me as a lone participant.)
mitutoyo (posted March 12, 2009):
Kido is nasty too. I still have 1 PC not fully recovered; AVG detects it but can't delete it, don't know what variant remains. I haven't had time to grab the report yet because I'm out, haven't gone back to class yet.