I keep having antivirus pop-ups every time I get on the internet. My computer freezes, and when you type a website it takes you to something else and then multiple tabs pop up.
Was it a problem to update the AVZ database before making your logs?
Why do I see both AVG and Trend Micro protection software in your logs? Basically, it is a bad idea to have them both at the same time.
Uninstall both. After curing, you can choose something that you like.
Definitely, you have a lot of suspicious files.
You should disable the internet connection and disable the protection of your "anti".
Only after that, please execute this script:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\autorun.inf','');
QuarantineFile('C:\WINDOWS\system32\T1IkQ2Na.exe','');
QuarantineFile('C:\Program Files\NetWaiting\NetWaiting.exe','');
QuarantineFile('C:\Program Files\Metacafe\MetacafeAgent.exe','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\wanatw4.sys','');
QuarantineFile('C:\WINDOWS\system32\tokivafa.dll','');
QuarantineFile('c:\windows\system32\vubebiye.dll','');
QuarantineFile('C:\WINDOWS\system32\mojujebu.dll','');
QuarantineFile('C:\WINDOWS\system32\kuwotevi.dll','');
QuarantineFile('C:\WINDOWS\system32\gigopero.dll','');
QuarantineFile('C:\Program Files\Dell\QuickSet\dadkeyb.dll','');
QuarantineFile('c:\program files\common files\akamai\rswin_3458.dll','');
BC_ImportALL;
BC_Activate;
RebootWindows(true);
end.
Your computer will reboot automatically. If not, do it manually.
Upload the quarantine according to our rules via this link: http://virusinfo.info/upload_virus_eng.php?tid=36837
Let us know when you are done. This will just make a copy; it won't solve your problem yet.
Last edited by drongo; 08.01.2009 at 19:20.
*Click and run, if you want the help to get better and faster
*MyFirefox Portable
special avz @ rapidshare.com
md5: 2091925798B7909E010E3F7E328C5F0D
I have uploaded the quarantine file.
File saved as 090108_213052_virus_4966465c54cb8.zip
File size 1430484
MD5 8c60d09c6814f03eace87ab7fa1ce6a8
Thanks for your help.
Well done. Possibly, new fresh viruses were captured with your help. The heuristics of Kaspersky antivirus already suspect them. I prefer to wait for an answer from a human virus analyst; it is possible that they are from good programs too.
Meanwhile, please go to your "recycled" folder; we want to find more (I think it is some worm-virus).
You may find a file boot.com there; please copy it and zip it with the password "virus",
or better, just quarantine it with AVZ (read our rules, Appendix 2: Searching files on disk with AVZ). If you can't find it, just look for boot.com on all your disks and send it to us, like you did before.
You didn't answer me about your "anti". Why do you have both AVG and Trend Micro? Or don't you know about one of them?
Well, we have an answer: they found a new virus, but unfortunately didn't tell us in which files. I will check it later and come back to you.
OK, here are the names (Kaspersky):
1. Worm.Win32.AutoRun.wzr - C:\autorun.inf
2. Trojan-GameThief.Win32.OnLineGames.ugld - C:\WINDOWS\system32\tokivafa.dll, C:\WINDOWS\system32\kuwotevi.dll, C:\WINDOWS\system32\gigopero.dll
3. Trojan-Spy.Win32.Agent.kso - c:\windows\system32\vubebiye.dll
4. Trojan.Win32.Monder.akjf - C:\WINDOWS\system32\mojujebu.dll
Here are the cure instructions:
1. Uninstall all your antiviruses.
2. Execute this script in AVZ:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{99b9e486-2a54-4e04-b67d-1ed8b8fc42e9}');
DeleteFile('C:\autorun.inf');
DeleteFile('C:\WINDOWS\system32\tokivafa.dll');
DeleteFile('C:\WINDOWS\system32\kuwotevi.dll');
DeleteFile('C:\WINDOWS\system32\gigopero.dll');
DeleteFile('c:\windows\system32\vubebiye.dll');
DeleteFile('C:\WINDOWS\system32\mojujebu.dll');
DeleteFileMask('%tmp% ','*.* ',true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.
3. Update the AVZ bases.
4. Go to the system scheduler and delete all jobs that you don't need.
5. Make new logs.
6. Choose and install the antivirus/system protection you like, but without overlapping. I mean: just 1 antivirus, not 2 and not 3. Just 1 firewall, etc. Or you can choose one complex suite where everything is included.
7. Consider uninstalling the Bonjour service; iTunes and iPod will continue to work without it, don't worry.
8. Change all your passwords; some of your viruses are keyloggers.
Last edited by drongo; 10.01.2009 at 01:25.
Thanks, I tried to execute the script but an error message came up: Script error: Too many parameters, position [5:11]. The anti thing I forgot: I had Trend Micro. Do I wait until I can run the script to do everything else?
Sorry, my mistake.
I repaired the script, no more errors. Execute it now.
Remember to uninstall Trend Micro and AVG.
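The "Too many parameters" error above is a parameter-count mistake in an AVZ script. This added Python checker (not AVZ's own tooling; the argument counts are inferred from the scripts posted in this thread, not from AVZ documentation) parses a script of the same shape, reports calls with the wrong number of parameters, and warns when a DeleteFile has no earlier QuarantineFile for the same path, the quarantine-before-delete habit most of the scripts here follow.

```python
import re

# Hypothetical checker for AVZ-style scripts like the ones posted in this thread.
# Argument counts are inferred from the calls used above, not from AVZ's own docs.
ARITY = {
    "searchrootkit": 2, "setavzguardstatus": 1, "quarantinefile": 2,
    "deletefile": 1, "deletefilemask": 3, "delbho": 1, "deleteservice": 1,
    "executerepair": 1, "rebootwindows": 1, "bc_importall": 0,
    "bc_activate": 0, "executesysclean": 0, "clearquarantine": 0,
}
CALL_RE = re.compile(r"^(\w+)(?:\((.*)\))?$", re.S)

def split_args(argtext):
    """Split a Pascal-style argument list on commas that are outside quotes."""
    args, cur, quoted = [], "", False
    for ch in argtext:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip() or args:
        args.append(cur.strip())
    return args

def lint_avz_script(script):
    """Return a list of problems found; an empty list means the script passes."""
    body = script.strip()
    if not (body.startswith("begin") and body.endswith("end.")):
        return ["script must start with 'begin' and finish with 'end.'"]
    inner = body[len("begin"):-len("end.")]
    stmts = [s.strip() for s in inner.split(";") if s.strip()]
    problems, quarantined = [], set()
    for n, stmt in enumerate(stmts, 1):
        m = CALL_RE.match(stmt)
        if not m:
            problems.append(f"statement {n}: cannot parse '{stmt}'")
            continue
        name, args = m.group(1).lower(), split_args(m.group(2) or "")
        want = ARITY.get(name)
        if want is None:
            problems.append(f"statement {n}: unknown call {m.group(1)}")
        elif len(args) != want:
            problems.append(f"statement {n}: {m.group(1)} expects {want} "
                            f"parameter(s), got {len(args)}")
        path = args[0].strip("'").lower() if args else ""
        if name == "quarantinefile":
            quarantined.add(path)
        elif name == "deletefile" and path not in quarantined:
            problems.append(f"statement {n}: {path} deleted without an earlier QuarantineFile")
    return problems
```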
I have executed the script, made new logs and uploaded them.
Interesting, your system is a new virus island.
Please uninstall the old (from April) Kaspersky Virus Removal Tool; it will not help us now, because it can't be updated normally. It should be on your desktop: just open KVRT (Kaspersky Virus Removal Tool), then click "Complete Antivirus Protection". It will open the default web browser (open the Kaspersky website) and uninstall KVRT.
Please disconnect from the internet.
Launch HijackThis again, check only these lines, and click "Fix":
Code:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {99b9e486-2a54-4e04-b67d-1ed8b8fc42e9} - C:\WINDOWS\system32\dukeyiwa.dll
O4 - HKLM\..\Run: [588b589a] rundll32.exe "C:\WINDOWS\system32\tayazuvo.dll",b
O4 - HKLM\..\Run: [dogufenoyi] Rundll32.exe "C:\WINDOWS\system32\yajohilo.dll",s
O4 - HKLM\..\Run: [CPM5bb86b06] Rundll32.exe "c:\windows\system32\tukowohu.dll",a
O4 - HKUS\S-1-5-19\..\Run: [dogufenoyi] Rundll32.exe "C:\WINDOWS\system32\yajohilo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [dogufenoyi] Rundll32.exe "C:\WINDOWS\system32\yajohilo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\jakiyohe.dll c:\windows\system32\tukowohu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tukowohu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\tukowohu.dll
Don't restart the computer; launch AVZ and execute this script in AVZ:
Code:
begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}');
QuarantineFile('C:\Program Files\Juno\toolbar.dll','');
QuarantineFile('C:\WINDOWS\svchost32.exe','');
DelBHO('{99b9e486-2a54-4e04-b67d-1ed8b8fc42e9}');
DelBHO('{7E853D72-626A-48EC-A868-BA8D5E23E045}');
DelBHO('{500BCA15-57A7-4eaf-8143-8C619470B13D}');
DelBHO('{02478D38-C3F9-4efb-9B51-7695ECA05670}');
QuarantineFile('C:\WINDOWS\stsystra.exe','');
QuarantineFile('C:\WINDOWS\System32\DLA\DLACTRLW.EXE','');
QuarantineFile('C:\Program Files\Juno\exec.exe','');
DeleteService('MHNDRV');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\mhndrv.sys','');
QuarantineFile('C:\WINDOWS\system32\yajohilo.dll','');
QuarantineFile('c:\windows\system32\tukowohu.dll','');
QuarantineFile('C:\WINDOWS\system32\tayazuvo.dll','');
QuarantineFile('C:\WINDOWS\system32\jakiyohe.dll','');
QuarantineFile('C:\WINDOWS\system32\dukeyiwa.dll','');
DeleteFile('C:\WINDOWS\system32\dukeyiwa.dll');
DeleteFile('C:\WINDOWS\system32\jakiyohe.dll');
DeleteFile('C:\WINDOWS\system32\tayazuvo.dll');
DeleteFile('c:\windows\system32\tukowohu.dll');
DeleteFile('C:\WINDOWS\system32\yajohilo.dll');
DeleteFile('C:\WINDOWS\system32\DRIVERS\mhndrv.sys');
DeleteFile('C:\WINDOWS\svchost32.exe');
DeleteFile('C:\Program Files\AVG\AVG8\avgssie.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.
Please upload a new quarantine, as you did before. Also, you didn't tell me: did you find the file boot.exe? Upload it too, as I described to you before.
Make new logs.
Last edited by drongo; 10.01.2009 at 12:30.
I have found the boot.exe and uploaded it.
File saved as 090111_033305_virus_49693e419bc11.zip
File size 26646
MD5 e5c737fd2e98ecbbab58ed395047ea35
I have uploaded the other quarantine file
File saved as 090111_044638_virus_49694f7e55f93.zip
File size 3220417
MD5 70c55690628868c989cafc451ff4b661
and made new logs. Thanks for the help.
Your system is something from another world. Now I see a new rootkit too. What are you doing between curings? I am curious.
1. Please download the special version of AVZ from my signature.
Disconnect from the internet.
Launch HijackThis again, check only these lines, and click "Fix":
Code:
O2 - BHO: (no name) - {99b9e486-2a54-4e04-b67d-1ed8b8fc42e9} - C:\WINDOWS\system32\dukeyiwa.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\zagodowi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zagodowi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zagodowi.dll
2. Don't restart the computer; launch the special AVZ and execute this script:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{99b9e486-2a54-4e04-b67d-1ed8b8fc42e9}');
QuarantineFile('C:\WINDOWS\system32\dukeyiwa.dll','');
DeleteService('CLTNetCnService');
DeleteService('Automatisches LiveUpdate - Scheduler');
QuarantineFile('c:\windows\system32\drivers\msqpdxaltltxte.sys','');
QuarantineFile('c:\windows\system32\zagodowi.dll','');
QuarantineFile('C:\WINDOWS\system32\tilepilo.dll','');
QuarantineFile('C:\WINDOWS\system32\dll.dll','');
DeleteFile('C:\WINDOWS\system32\dll.dll');
DeleteFile('C:\WINDOWS\system32\tilepilo.dll');
DeleteFile('c:\windows\system32\zagodowi.dll');
DeleteFile('c:\windows\system32\drivers\msqpdxaltltxte.sys');
DeleteFile('C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe');
DeleteFile('C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe');
DeleteFile('C:\WINDOWS\system32\dukeyiwa.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.
Please upload a new quarantine, as you did before.
3. Please download the latest CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe). Go to safe mode (push the F8 button on the keyboard immediately after restart).
After the automatic scan, please choose all disks and make a scan. Cure what it finds. Let us know what it finds, if anything.
Make a restart.
You may delete CureIt.
4. Please download the latest version of Kaspersky Virus Removal Tool (http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/). Go to safe mode (push the F8 button on the keyboard immediately after restart).
Please choose all disks and make a scan. Cure what it finds. Let us know what it finds, if anything. Make a restart.
Open KVRT (Kaspersky Virus Removal Tool), then click "Complete Antivirus Protection". It will open the default web browser (open the Kaspersky website) and uninstall KVRT.
5. Then make new logs in the special AVZ and attach them to your next post together with the scan results from both tools.
Last edited by drongo; 11.01.2009 at 10:11.
I have executed the script and uploaded the quarantine file
File saved as 090111_095356_virus_4969978457adc.zip
File size 254148
MD5 b6f103547e023e9e0e02ec95a4632ed9
and I just got on the internet. Lately I've just been searching for pics of superheroes to draw since I'm bored.
I see. Please don't search for anything until we have finished, because you keep getting more and more new malware. I will teach you how to search safely, promise. Did you scan like I told you with CureIt and AVPTool? If you didn't, do it now.
Also, you can delete boot.exe; as I said, it is a worm (Kaspersky calls it Worm.Win32.AutoTDSS.aps).
It should be here: C:\resycled\boot.com
Last edited by drongo; 11.01.2009 at 10:40. Reason: Added
I have run both tools and made new logs. I also deleted the boot.com file. Thanks for the help.
Better, but not enough.
Please do:
1. Launch HijackThis again, check only these lines, and click "Fix":
Code:
O17 - HKLM\System\CCS\Services\Tcpip\..\{65C83781-A8E7-4784-8EE3-60D3BDAF1165}: NameServer = 85.255.114.84,85.255.112.198
O17 - HKLM\System\CCS\Services\Tcpip\..\{9824293A-16AB-4F8B-ABBA-00787E94D132}: NameServer = 85.255.114.84,85.255.112.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.84,85.255.112.198
2. Execute this script in AVZ:
Code:
begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\autorun.inf','');
QuarantineFile('C:\WINDOWS\system32\MsSip3.dll','');
QuarantineFile('C:\WINDOWS\system32\MsSip2.dll','');
QuarantineFile('C:\WINDOWS\system32\MsSip1.dll','');
QuarantineFile('C:\WINDOWS\System32\mhn.dll','');
QuarantineFile('C:\WINDOWS\system32\Drivers\Pcouffin.sys','');
DeleteFile('C:\autorun.inf');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Upload the new quarantine.
Uninstall Kaspersky Virus Removal Tool; I told you how to do it.
Install the system protection you like most (I like Kaspersky's), but it is up to you. And use the tips that I sent you in a private message.
Make new logs.
Last edited by drongo; 12.01.2009 at 16:28.
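The O4/O20 persistence entries the helper had fixed in earlier posts and the O17 NameServer lines in this last post are both things a defender can screen for automatically. This added Python example (not from the thread, and not HijackThis's own code) triages constructed HijackThis-style lines; the expected resolver set and the eight-lowercase-letter DLL name pattern are assumptions taken from what appears in this thread.

```python
import re

# Constructed sample lines in the shape of the HijackThis entries posted in this thread.
SAMPLE_LINES = r"""
O2 - BHO: (no name) - {99b9e486-2a54-4e04-b67d-1ed8b8fc42e9} - C:\WINDOWS\system32\dukeyiwa.dll
O4 - HKLM\..\Run: [588b589a] rundll32.exe "C:\WINDOWS\system32\tayazuvo.dll",b
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.84,85.255.112.198
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\jakiyohe.dll c:\windows\system32\tukowohu.dll
""".strip().splitlines()

# Assumption: the only resolver this machine should use is the local router.
EXPECTED_DNS = {"192.168.1.1"}
# Eight random lowercase letters under system32 is the DLL naming seen throughout this thread.
RANDOM_DLL = re.compile(r"system32\\[a-z]{8}\.dll", re.I)

def triage_line(line):
    """Return a reason if the HijackThis line looks suspicious, otherwise None."""
    kind = line.split(" - ", 1)[0]
    if kind == "O17" and "NameServer = " in line:
        servers = [s.strip() for s in line.split("NameServer = ", 1)[1].split(",")]
        bad = [s for s in servers if s not in EXPECTED_DNS]
        if bad:
            return "DNS hijack: unexpected resolver(s) " + ", ".join(bad)
    if kind == "O20" and ".dll" in line.lower():
        return "AppInit_DLLs loads a DLL into every process that loads user32.dll"
    if kind in ("O2", "O4", "O21", "O22") and RANDOM_DLL.search(line):
        return "random-named DLL in system32 used for persistence"
    if kind == "O4" and "rundll32" in line.lower() and ".dll" in line.lower():
        return "Run key launches a DLL through rundll32"
    return None

def triage(lines):
    """Map each suspicious line to the reason it was flagged."""
    findings = {}
    for line in lines:
        reason = triage_line(line)
        if reason:
            findings[line] = reason
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LINES).items():
        print(f"{reason}: {line}")
```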
I have uploaded the new quarantine file
File saved as 090113_120353_virus_496c58f96e810.zip
File size 54626
MD5 0ed67471bfd8502cfa6d916cd67769e5
and made the new logs. Thanks for the help again.
One more:
Code:
begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\xxxvideo.hta','');
QuarantineFile('C:\WINDOWS\system32\yajohilo.bak','');
QuarantineFile('C:\WINDOWS\system32\shdocvw.bak','');
QuarantineFile('C:\WINDOWS\system32\jakiyohe.bak','');
QuarantineFile('C:\WINDOWS\system32\dukeyiwa.bak','');
QuarantineFile('C:\Program Files\WildTangent\Apps\GameChannel\Games\989E4C3B-B2C9-4486-9A09-D5A8F953837C\WinBej2.exe.bak','');
QuarantineFile('C:\i386\shdocvw.bak','');
DeleteFile('C:\Program Files\WildTangent\Apps\GameChannel\Games\989E4C3B-B2C9-4486-9A09-D5A8F953837C\WinBej2.exe.bak');
DeleteFile('C:\WINDOWS\system32\dukeyiwa.bak');
DeleteFile('C:\WINDOWS\system32\jakiyohe.bak');
DeleteFile('C:\WINDOWS\system32\shdocvw.bak');
DeleteFile('C:\WINDOWS\system32\yajohilo.bak');
DeleteFile('C:\WINDOWS\xxxvideo.hta');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.
Upload the new quarantine.
Make new logs.
I have uploaded the new quarantine file
File saved as 090114_074204_virus_496d6d1cdf885.zip
File size 2389722
MD5 b940d24e083f728fd77af283ad8bebb5
and made new logs. Thanks for the help.
Very nice. Finally it looks clean. How are you feeling?
The last thing: you should fix these lines in HijackThis:
Code:
O4 - HKUS\S-1-5-21-308161845-2162706330-1652178570-1006\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" (User 'web')
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZRxdm429YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/PopularScreenSaversInitialSetup1.0.1.1.cab
Reboot your computer.