help, monder?

[dioxxx]

something adds urreeswc.dll and hgGyywxw.dll to autostart and cannot be deleted, i can't browse some sites and use search on google and few others...

http://robertk.webd.pl/diox/avptool_syscheck.zip

http://robertk.webd.pl/diox/hijackthis.log

[kps]

Execute the following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\mlJCTKcc.dll','');
 QuarantineFile('C:\Program Files\Antispyware\Antispyware.exe','');
 QuarantineFile('C:\WINDOWS\system32\urreeswc.dll','');
 QuarantineFile('C:\WINDOWS\system32\hgGyywxw.dll','');
 DeleteFile('C:\WINDOWS\system32\hgGyywxw.dll');
 DeleteFile('C:\WINDOWS\system32\urreeswc.dll');
 DeleteFile('C:\WINDOWS\system32\mlJCTKcc.dll');
 DelBHO('FFFB03AD-A461-4B99-9A23-D3B127D7C995');
 DelBHO('12401F00-D6DD-4112-B187-E8681685D182');
DelWinlogonNotifyByKeyName('mlJCTKcc');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.
Upload the quarantined files according to the rules.

Uninstall the program "Antispyware".
Make new logs.

[dioxxx]

antispyware uninstalled, quarantined files sent

avptool_syscheck.zip

hijackthis.log

[kps]

Task Scheduler jobs - delete the task about Antispyware

Execute the script

Код:

begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\DOCUME~1\User\USTAWI~1\Temp\ewdmaudn.sys','');
 DeleteFile('C:\DOCUME~1\User\USTAWI~1\Temp\ewdmaudn.sys');
 DeleteFile('C:\WINDOWS\system32\hgGyywxw.dll');
 DelBHO('0C5B329C-A62E-40C4-ABB0-1459CBE328AA');
BC_ImportALL;
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, false);
BC_DeleteSvc('ewdmaudn');
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.
Upload the quarantined files.
Make new logs.

[dioxxx]

scheduler task deleted

avptool_syscheck.zip

hijackthis.log

[Rene-gad]

-Fix it

Код:

O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)

- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
You must install the Service Pack 3.
It's no more any malware signs in your logs.

[kps]

I dont see anything bad in the logs anymore

Execute the script

Код:

begin
ExecuteWizard('TSW', 2, 2, true);
end.

I recommend to delete the program "Bonjour".

Any problems left?

[dioxxx]

thanks a lot, everything works well now, btw do i still need sp3 if i have legal xp with recent updates? and how to get rid of this "bonjour" thing? i know it's there but don't know how to get rid of it

[Rene-gad]

do i still need sp3 if i have legal xp with recent updates ?

Yes, you do.

and how to get rid of this "bonjour" thing?

Google knows just all: http://www.ajuaonline.com/2007/10/02...njour-service/

[dioxxx]

Yes, you do.

downloading immediately ;-D thanks a lot for quick help guys

[drongo]

dioxxx,i think, the best thing it is prevention infection in the future
Don't use an admin account in the internet, make a new, a limited one http://www.microsoft.com/protect/com...eraccount.mspx
Disable active scripting in browser by default, the best and comfortable way to do it - is using firefox+noscript
In these simple steps you can prevent function/installation about 90 percent of the malware

[dioxxx]

i'm using opera and don't want to switch to ff besides i got infected by my own stupidity downloading crap from unknown sites, anyway i'll think about this account thing, thanks for all your help