39cent, posted December 14, 2009:
Salam.. I want to ask how to solve this virus.
1. My PC shuts down automatically; after I turn it on, it shuts down again.
2. There is a "New Folder" folder in every folder that cannot be deleted, and inside each folder there is also a folder with the same name. For example, with folder A: if I open folder A, there is also a folder A inside it. If I try to delete this virus folder A, I can't.
Now drive D is full of folders that cannot be deleted. My PC is partitioned into drives C & D. Can anyone help?

neology, posted December 14, 2009:
Run HijackThis and post the HijackThis log here.. then the veterans here will try to help..

test0123, posted December 14, 2009:
Have you scanned with Malwarebytes yet?

39cent, posted December 14, 2009:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:39 PM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebcamMax\wcmmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pisi3\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\program files\internet explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\lqexu.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\pgau.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winyacd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winbdlq.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\pisi3\LOCALS~1\Temp\icmbe.exe
C:\WINDOWS\system32\notepad.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\wintdmefc.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\wintmjsgb.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winqtrte.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: FreshDownload Bar - {ED0E8CA5-42FB-4B18-997B-769E0408E79D} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdiebar.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\wcmmon.exe" /a
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\pisi3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: FreshDownload - {7CEE2180-23DE-4C25-BA6E-A1BBD15DCCBE} - C:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Windows Recycled Services - Unknown owner - C:\Program.exe (file missing)

--
End of file - 5066 bytes

B@zSh™, posted December 14, 2009:
Bro, what AV are you using? Why isn't it in the HJT log?
Have you tried scanning with Malwarebytes?

sofia_1, posted December 14, 2009:
C:\DOCUME~1\pisi3\LOCALS~1\Temp\lqexu.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\pgau.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winyacd.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winbdlq.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\icmbe.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\wintdmefc.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\wintmjsgb.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winqtrte.exe
Delete all of these (maybe).
Update your antivirus and scan.

test0123, posted December 14, 2009:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
Remove this one too.

39cent, posted December 14, 2009:
The AV was already deleted the other day; I was using AVG. I haven't scanned yet, I'll try scanning with Malwarebytes first.

39cent, posted December 14, 2009:
Here is the logfile after scanning with Malwarebytes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:52:33 PM, on 12/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebcamMax\wcmmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\pisi3\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
D:\Software\New Folder.exe
D:\Software\New Folder\New Folder.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winwrmbbi.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\windkdad.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winvycpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
D:\Software\New Folder\New Folder.exe
D:\Software\New Folder.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCatch.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\wcmmon.exe" /a
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\pisi3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: FreshDownload - {7CEE2180-23DE-4C25-BA6E-A1BBD15DCCBE} - C:\Program Files\FreshDevices\FreshDownload\fd.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4543 bytes

39cent, posted December 15, 2009:
This virus has got into every folder, duplicating itself as the original folder, size 23.8 MB.
Drive D is already full.

test0123, posted December 15, 2009:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\System32\RVHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
C:\Documents and Settings\pisi3\Local Settings\Application Data\Google\Update\1.2.183.13\GoogleCrashHandler.exe
D:\Software\New Folder.exe
D:\Software\New Folder\New Folder.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winwrmbbi.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\windkdad.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winvycpy.exe
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\pisi3\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: FreshDownload - {7CEE2180-23DE-4C25-BA6E-A1BBD15DCCBE} - C:\Program Files\FreshDevices\FreshDownload\fd.exe
Remove all of these.

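Added example (not part of any post in this thread, and not HijackThis's own logic): a small Python triage pass over HijackThis log lines using signals visible in the logs above, namely processes running from Temp, an executable named after its folder, extra programs in the Shell= value, a Run entry pointing at the same program, DisableRegedit, and a service with an unknown owner or missing file. The function name `triage` and the heuristics are assumptions made for illustration; the sample lines are copied from the logs posted in this thread.

```python
import ntpath
import re

# Excerpt of entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\DOCUME~1\pisi3\LOCALS~1\Temp\winwrmbbi.exe
D:\Software\New Folder\New Folder.exe
F2 - REG:system.ini: Shell=Explorer.exe RVHOST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\RVHOST.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Windows Recycled Services - Unknown owner - C:\Program.exe (file missing)
"""
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")       # "O4 - ...", "F2 - ..."
PROCESS = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)  # bare path under "Running processes"

def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    findings, shell_extras = [], set()
    # Pass 1: anything listed after Explorer.exe in Shell= is started at every logon.
    for line in lines:
        m = re.search(r"Shell=(.*)$", line, re.I)
        if line.startswith("F2 - ") and m:
            extras = [p for p in m.group(1).split() if p.lower() != "explorer.exe"]
            if extras:
                shell_extras.update(p.lower() for p in extras)
                findings.append(("shell value launches extra program", line))
    for line in lines:  # Pass 2: per-entry checks, in log order
        entry = ENTRY.match(line)
        if entry is None and PROCESS.match(line):
            folder, exe = ntpath.split(line)
            if ntpath.basename(folder).lower() == "temp":
                findings.append(("process running from Temp", line))
            elif ntpath.basename(folder).lower() == ntpath.splitext(exe)[0].lower():
                findings.append(("executable named after its folder", line))
        elif entry and entry.group(1) == "O4":
            if any("\\" + x in line.lower() for x in shell_extras):
                findings.append(("Run entry points at shell extra", line))
        elif entry and entry.group(1) == "O7" and "DisableRegedit=1" in line:
            findings.append(("registry editor disabled by policy", line))
        elif entry and entry.group(1) == "O23" and re.search(r"Unknown owner|\(file missing\)", line):
            findings.append(("service with unknown owner or missing file", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

A hit here means "inspect this entry", not "malicious"; legitimate installers and updaters also run from Temp.
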
39cent, posted December 15, 2009:
I've removed all of them, and I've also scanned with Malwarebytes.
The clone folders are still there.
Every folder in drive D has 1 clone folder.

test0123, posted December 15, 2009:
New Folder.exe Virus Removal Tool
Get rid of that folder exe.

Datuk_Seri, posted December 17, 2009:
Moved to the Utilities and Security section...

sayw, posted December 17, 2009:
Just testing some advice, in case it works:
go to Folder Options
untick hide Microsoft program
click Yes
go to C
find ntdetect (the corrupt file) and delete it
the real file is ntdetech
(asking the mods for advice, I was a bit out of it while typing xD)

B@zSh™, posted December 17, 2009:
Try scanning with CaSIR.

39cent, posted December 18, 2009:
OK, it's settled.
Thanks, everyone.