SunYatSen

i need your help

44 posts in this topic

Hi, I am from China and my name is Sun-Yat-Sen. First of all I want to tell you that I have read all the posts in this thread http://www.autoitscript.com/forum/index.php?showtopic=81087 because I have a virus which renames all my computer to AutoIt's blahblah.

But it is not the same as mentioned in the other thread. It also blocks Internet Explorer from running and says "Internet explorer is banned please use mozilla or any other."

I also cannot visit Orkut.com because it is already blocked by the virus.

It has a file "Scandal by www.xboard.us" in all of my drives and pen drive.

Please send me the remover as posted in the thread I mentioned. I know there is some user smoke_n who makes virus removers. I will come back again tomorrow to see new posts and to download the remover.





Hi SunYatSen,

First, welcome to the AutoIt Forums! :idiot:

Some of the following tips may not apply to you, but it may make your life a bit easier here on the forum in the future.

  • Did you know that we have an awesome search feature?

    You can find many answers to your current questions, just by typing in the right search patterns.

  • A suggestion is to use the Advanced Search mode:

  • Type your specific search term in quotes.
  • Click the forum you want to search in (the one most likely to have your information would generally be the Example Script forum and or the General Help and Support Forum).
  • Click on "Search titles only" radio button.
  • Click perform search.
The above will help you narrow down your searches and prevent you from unnecessarily posting a new thread.

  • Also, you should try to read the Sticky posts that are at the top of each of the AutoIt Forums you enter such as:

  • Keep in mind, the help file will be your best friend, however you may find some of the tutorials written by some of our elite forum members helpful.

  • Forum Etiquette:

  • Making a new thread:

    • Use the Search feature first to see if your question has already been answered.
    • Look in the help file as well before even thinking of posting (When what you want could be obtained by simply reading the help file, you don't generally get a good response from your AutoIt community).
    • Titles are very important here. 1 word titles or titles like "help me", "write something for me", "I'm a noob" etc... aren't tolerated.
    • Make sure you are posting in the correct forum:

      • General Help and Support:

        • This forum is for AutoIt related support questions only. If you have a question related to another language, or nothing at all to do with AutoIt, then you need to post in the chat forum, or in that language's respective forum.
      • Example Script:

        • This forum is for AutoIt scripts/executables only.
        • Source code is preferred but not necessary, you do have the right to just post the binary of your project if you wish.
        • Please don't post questions in this forum unless it's directly related to a thread already existing.
    • Use common sense when creating a new thread.

      Ask yourself if the title is descriptive enough to even interest someone (preferably those that know what they are talking about) to even look at your thread, let alone reply in it.

    • Think about how it would show in the search feature if someone were to look for something just like you are looking for (think of the keywords you used yourself and obviously didn't find anything (because we know you used the search feature :) ) and use those types of keywords in your title as well).
  • Thread content:

    • Be descriptive with your query. (Make sure we actually know what you want to do).
    • Show you've made an effort in coding what you want (provide the reproducer code (generally no more than 50 lines, as people lose interest in debugging someone's script for free)).
    • Don't talk in ebonics. A lot of the forum members are adults, and a lot of them know how to help you, but if you talk like a child, you'll be treated as such.
    • Don't ask for help making keyloggers, spam (even if it's to do as a prank), or anything that can be thought of as malicious. You'll more than likely have the thread locked by a moderator, and take a bashing from your fellow AutoIt community.
    • When posting code, use code boxes. This can be accomplished by using [code ]<content here>[/code ] (No spaces between the brackets []).

      Using code boxes will keep the indentation and make it easier to read for others to help you.

  • Bumping your threads:

    • Use common courtesy here.

      Keep in mind every time you bump your thread to the top of the forum, you knock the other threads down a notch.

      Everyone posting for help has just as much right for their threads to get read as you do.

      Because of that, do not bump your post more than once in a 24 hour period.

      A Bump is simply posting in your thread with nothing that pertains to your query with the sole purpose of moving it up.

      Deleting previous bumps, and posting new ones is not tolerated, and the moderators can find those deletions, so do yourself a favor and don't cross that line >_< .

  • Rude or obnoxious content:

    This falls pretty much under the common sense thing. If you use it (common sense) before posting, you won't have issues.

    • Don't use foul language, remember, a lot of the community is at work when they read these threads.
    • Don't provoke or instigate an argument with someone.
  • Double Posting:

    • It's understood that sometimes there's a lag in the system, and sometimes people don't see their post go up right away so they post again.

      If this happens to you, simply notify a moderator with the report feature in the post, and politely ask them to delete it.

    • If you're just creating another topic because your original topic is not being answered the way you want or at all, this is not tolerated. You could lose your posting privileges altogether over it.
  • Non-English languages

    • If English is not your primary language, please make an attempt to interpret (yourself or online) and post that interpretation.

      We have wonderful users from around the world, so after you've done your post in English, back it up with your question also in your native tongue (You may find your answer much quicker using both).

That's it for now, I hope you have a wonderful learning experience, and hope to see you contribute to the community as your knowledge grows.


Shame on the people who are using AutoIt for virus creation.



Please upload the virus file to www.rapidshare.com and post its link here.

After analyzing it, Smoke_N will be able to help you because he has helped many people before.

Also check the properties of the file and tell us what is written there.


Website: www.cerescode.com
Forum: www.forum.cerescode.com
IRC: irc.freenode.net , Channel: #Ceres
--------------------
Autoit Wrappers, Great additions to your script (Must See) (By: Valuater)
Read It Before Asking Question Click Here...
--------------------
Join Monoceres's Forums http://www.monoceres.se
--------------------
"There are three kinds of people: Those who make things happen, those who watch things happen, and those who ask, 'What happened?'" –Casey Stengel


#6 ·  Posted (edited)

Please upload the virus file to www.rapidshare.com and post its link here.

After analyzing it, Smoke_N will be able to help you because he has helped many people before.

Also check the properties of the file and tell us what is written there.

Haha, no. Why does everyone use Rapidshare? It sucks. There are so many more file sharers without the wait, and some with direct links.

www.Sendspace.com

Plus, SmOke_N, has already created a remover for this exact virus. Use it!

Edited by Alienware


Haha, no. Why does everyone use Rapidshare? It sucks. There are so many more file sharers without the wait, and some with direct links.

www.Sendspace.com

Plus, SmOke_N, has already created a remover for this exact virus. Use it!

The website is giving an upload error. Maybe they are upgrading or changing some settings.



Please don't assume that anybody is going to write you a removal tool.

As with any file you download off the internet, you need to be careful and only execute compiled code that you KNOW to be good.


#9 ·  Posted (edited)

Please upload the virus file to www.rapidshare.com and post its link here.

After analyzing it, Smoke_N will be able to help you because he has helped many people before.

Also check the properties of the file and tell us what is written there.

I copied the virus file from all drives and zipped them.

download link

All zipped files are in a rar archive. Please now upload its remover. Thanks

Edited by SmOke_N


Plus, SmOke_N, has already created a remover for this exact virus. Use it!

I used it and it did not work. I need a new remover.



Please don't assume that anybody is going to write you a removal tool.

As with any file you download off the internet, you need to be careful and only execute compiled code that you KNOW to be good.

The virus came in my USB. Write??? Is it not ready-made?


Oh goody, I've been meaning to write a de-obfuscator...

In all seriousness, I will have a look when I can... but I find it humorous that every time I fix this thing, mysteriously another one appears.

Anyone get the feeling that they are being readily provided for us so the author can find better ways around it?


Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


Oh goody, I've been meaning to write a de-obfuscator...

In all seriousness, I will have a look when I can... but I find it humorous that every time I fix this thing, mysteriously another one appears.

Anyone get the feeling that they are being readily provided for us so the author can find better ways around it?

Both this guy and Sarah were new users, so it could be. You should find out how to stop the de-obfuscator from functioning and then post your fixes like that; that would make it much harder for the author of these viruses to learn anything from them.


#14 ·  Posted (edited)

ED::

*Re Fried Beans* :)

@AdmiralAlkex

No, I think he is saying that the malicious au3 source is obfuscated in some way!?!

Edited by Mobius


@AdmiralAlkex

No, I think he is saying that the mal is obfuscated in some way!?!

Yes it's (probably) obfuscated with the obfuscator you get with SciTE but that was NOT what I was talking about, you may want to reread my post.


No dude, I am fully aware of what you were talking about, and I am fully aware of ways to stop "what you were talking about".

If you know this tool then you would know that currently used obfuscators are useless against it; for it to get the mod going,

it must be something new or unusual!

I know that tool, yes, and the obfuscators may be useless, but it's possible to trick it; try it yourself on this virus. I was only pointing out that I think SmOke_N should use that trick too.

And what do you mean with this:

I am fully aware of ways to stop "What you were talking about"

That completely contradicts this:

currently used obfuscators are useless


#17 ·  Posted (edited)

Obfuscation is dead and buried after that tool, man; besides, any good coder can see past the obfuscation with a little effort and determination.

I try to stop said tool from ever getting that far, not mere tricks as you put it!

But yeah, you can also lead it astray in many ways.

Edited by Mobius


Wrong assumption is the mother of all fuck*ups.

You are speculating too much and being a bit paranoid. My suggestion to SmOke_N is to not respond to these things any more.

Or maybe he creates these things... aha!! :)

You see, it makes the same sense as other speculations.

...so, am I the only one with the impression that decompilers and deobfuscators are something that every other person here has? >_<


♡♡♡

.

eMyvnE


#19 ·  Posted (edited)

ED::

*See post directly below this one*

Edited by Mobius


#20 ·  Posted (edited)

... Anyone get the feeling that they are being readily provided for us so the author can find better ways around it?

That was the point of my PM to you on 19 Sept. If we post virus-removing code in a public forum, it is available for all to see, including the author of the virus.

What a wonderful way to improve one's virus - peer review.

@All,

As to the coding skill of the person that wrote the virus. I too thought that it sucked. But a skilled coder knows how to appear unskilled - including putting in lines of code that do not work correctly. Sort of like a skilled actor in a show. The decompiled code that I saw "got the job done" - so, no matter the skill level of the author, he/she/they are learning & morphing the code. Seemingly based on info posted in the AutoIt forum and a few other forums that I've seen discussing this same type of thing.

So, what to do? Maybe stop posting fixes or even sending PMs to complete strangers that can decompile and un-obfuscate* (*yes, this has already been done) to "learn more". The AV companies will do their jobs, it just might take days.

~MSP~

Edited by herewasplato


This topic is now closed to further replies.