
Malware or Virus: Unable to Delete

  1. #1
    Junior Member | Registered: 07.07.2009 | Posts: 5 | Reputation weight: 28

    Malware or Virus: Unable to Delete

    I have a particularly pesky virus or malware infection that has disabled several anti-spyware and anti-malware programs. I have used Spyware Doctor, Malwarebytes & AVG anti-virus successfully before this incident but this malicious program disabled all three. It also causes internet connectivity issues as I will typically receive a message that there is no connection upon startup. I have also experienced the inability to read data on USB thumb-drives and even heard mysterious Michael Jackson music and assorted commercials magically play with no programs open. I also noticed that I was unable to boot in safe mode and was also unable to disable system restore (Windows XP) as there was no "system restore" tab in the System Properties dialog box. I also seem to "jump" to Google when doing a search in my web browser. The logfiles are attached. Thank you in advance for any help that you can provide.

  2. #2
    Global Moderator | Registered: 26.12.2006 | Location: Vladivostok | Posts: 23,300 | Reputation weight: 1551
    Please make three logfiles following steps 1-3 in the section Analysis of Rules.
    I am not young enough to know everything...

  3. #3
    Junior Member | Registered: 07.07.2009 | Posts: 5 | Reputation weight: 28
    Sorry for attaching the wrong log files. I will try again.

    virusinfo syscheck & syscure are attached to this response; hijackthis.log is in the original post.

    Thanks again in advance for any help you can provide.

  4. #4
    Junior Member | Registered: 07.07.2009 | Posts: 5 | Reputation weight: 28

    looking for help

    Just a reminder that requested log files are attached. Thanks again.

  5. #5
    drongo, Senior Member | Registered: 17.09.2004 | Location: Israel | Posts: 7,165 | Reputation weight: 967
    Hi!
    Sorry for the wait.
    Switch off/disable:
    - All (!) antivirus and antispyware programs and, if you have one, the firewall
    - The internet connection

    Execute the script:
    Code:
    begin
    // Look for rootkit hooks and enable AVZGuard before touching any files
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    // Copy every suspect file to quarantine before it is removed
    QuarantineFile('C:\Documents and Settings\Owner\Local Settings\Temp\db.exe','');
    QuarantineFile('C:\Program Files\NotetoLookup\Unwise.exe','');
    QuarantineFile('D:\autorun.inf','');
    QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\db.EXE','');
    DelBHO('{D76AB2A1-00F3-42BD-F434-00BBC39C8953}');
    QuarantineFile('karna.dat','');
    QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\8929625645mxx.dll','');
    QuarantineFile('C:\WINDOWS\system32\Drivers\MASPINT.sys','');
    QuarantineFile('C:\WINDOWS\system32\sdjee3inf.dll','');
    QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe','');
    QuarantineFile('C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\oz6cb78e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metricsloader.dll','');
    QuarantineFile('C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\oz6cb78e.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll','');
    QuarantineFile('C:\WINDOWS\system32\UACpxqeqvdlllckaat.dll','');
    // Stop the fake services.exe running from Temp, then delete the files
    TerminateProcessByName('c:\docume~1\owner\locals~1\temp\services.exe');
    QuarantineFile('c:\docume~1\owner\locals~1\temp\services.exe','');
    DeleteFile('c:\docume~1\owner\locals~1\temp\services.exe');
    DeleteFile('C:\WINDOWS\system32\UACpxqeqvdlllckaat.dll');
    DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\services.exe');
    DeleteFile('C:\WINDOWS\system32\sdjee3inf.dll');
    DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\8929625645mxx.dll');
    DeleteFile('karna.dat');
    DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\db.EXE');
    DeleteFile('D:\autorun.inf');
    DeleteFile('C:\Program Files\NotetoLookup\Unwise.exe');
    DeleteFile('C:\Documents and Settings\Owner\Local Settings\Temp\db.exe');
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    // Pack the quarantine for upload, apply the system repairs and reboot
    CreateQurantineArchive('C:\quarantine.zip');
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    ExecuteRepair(11);
    ExecuteRepair(17);
    SetAVZPMStatus(true);
    RebootWindows(true);
    end.
    The computer will reboot.

    Please upload the file C:\quarantine.zip via the link "Upload quarantined files" at the top of this thread.

    In AVZ, update the databases using the automatic update (File/Database update).
    Please make a set of new logs after doing this.
    Last edited by drongo; 11.07.2009 at 16:35.

  6. #6
    Junior Member | Registered: 07.07.2009 | Posts: 5 | Reputation weight: 28

    The new logs.

    After running the attached script, I was able to disable system restore before running the three checks again. I was not, however, able to update the bases using automatic update in AVZ as an error message kept coming up "error loading control file avzupd.zip". I also now seem to have malware called XP Deluxe Protector with annoying frequent popups that warn of viruses, trojans & spyware constantly. The new logfiles are attached. Any advice on how to update the AVZ bases would be appreciated. Thank you again.

  7. #7
    drongo, Senior Member | Registered: 17.09.2004 | Location: Israel | Posts: 7,165 | Reputation weight: 967
    Please download the special AVZ from my signature; it does not need updating (how to use it: unzip both files to a new folder and click run.cmd).
    Please uninstall all your antivirus programs (PC Tools and ThreatFire, if I am correct); it is possible that they do not let us delete your collection of rootkits.

    In HijackThis, fix these lines:
    Code:
    O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
    O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe
    O4 - HKCU\..\Run: [xpprotect] C:\Documents and Settings\Owner\XP Deluxe Protector\xpdeluxe.exe
    O4 - HKUS\S-1-5-18\..\Run: [DriverLoad]  (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DriverCheck]  (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [SystemDriverLoad]  (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [SystemDriver]  (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [FDriver]  (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ADriver]  (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DriverLoad]  (User 'Default user')
    O4 - Startup: is-SFV6F.lnk = C:\Documents and Settings\Owner\Desktop\Virus Removal Tool\is-SFV6F\startup.exe
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    Don't restart the computer; the restart is included in the next script.

    Execute this script in the special version of AVZ:
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    // Quarantine the rootkit driver, the fake csrss.exe and the rogue "XP Deluxe Protector" first
    QuarantineFile('\systemroot\system32\drivers\UACrputewysieliqpc.sys','');
    QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe','');
    QuarantineFile('C:\Documents and Settings\Owner\XP Deluxe Protector\xpdeluxe.exe','');
    QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\db.EXE','');
    QuarantineFile('\\?\globalroot\systemroot\system32\UAClknjrbqmblltbnt.dll','');
    QuarantineFile('C:\WINDOWS\system32\UACxiyrwxymrmfvkpu.dll','');
    // Stop the fake csrss.exe, then delete everything quarantined above
    TerminateProcessByName('c:\docume~1\owner\locals~1\temp\csrss.exe');
    QuarantineFile('c:\docume~1\owner\locals~1\temp\csrss.exe','');
    DeleteFile('c:\docume~1\owner\locals~1\temp\csrss.exe');
    DeleteFile('\\?\globalroot\systemroot\system32\UAClknjrbqmblltbnt.dll');
    DeleteFile('C:\WINDOWS\system32\UACxiyrwxymrmfvkpu.dll');
    DeleteFile('C:\Documents and Settings\Owner\XP Deluxe Protector\xpdeluxe.exe');
    DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe');
    DeleteFile('\systemroot\system32\drivers\UACrputewysieliqpc.sys');
    DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\db.EXE');
    BC_ImportAll;
    ExecuteSysClean;
    BC_Activate;
    CreateQurantineArchive('C:\quarantine.zip');
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    ExecuteRepair(11);
    ExecuteRepair(17);
    SetAVZPMStatus(true);
    RebootWindows(true);
    end.
    Please do upload a new quarantine.

    After the restart, please make virusinfo_syscure.zip with this special AVZ version. It is enough for now.
    Last edited by drongo; 12.07.2009 at 01:07.
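The HijackThis lines drongo asked to fix share a few tells an analyst can check mechanically: a Run entry that launches from a Temp folder, a Windows system-process name (csrss.exe) living outside System32, Run values under the SYSTEM and Default user hives with no command at all, and an O7 policy that disables Registry Editor. The script below is an added example, not code from this thread, from HijackThis or from AVZ: it parses O4/O7 lines and reports which of those tells each line trips. The sample lines are constructed to mirror the ones posted above, and the heuristics (the system-process name list, the "under the user profile" check, the policy-value table) are this example's own assumptions rather than HijackThis rules.

```python
"""Triage of HijackThis O4 (Run-key) and O7 (policy) log lines.

Added example; not code from this thread, HijackThis or AVZ.  The lists and
checks below are assumptions chosen to match the signs discussed in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample lines, same shape as the HijackThis lines posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrss.exe
O4 - HKCU\..\Run: [xpprotect] C:\Documents and Settings\Owner\XP Deluxe Protector\xpdeluxe.exe
O4 - HKUS\S-1-5-18\..\Run: [DriverLoad]  (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DriverLoad]  (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

# Names Windows only runs from the system directory; a file with one of these
# names anywhere else is impersonating a system process (assumed list).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "services.exe", "lsass.exe", "smss.exe",
                        "winlogon.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM_DIR_MARKERS = ("\\windows\\system32\\", "\\winnt\\system32\\")
PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")
# O7 policy values that lock the user out of admin tools (assumed list).
RESTRICTION_POLICIES = {"disableregedit": "Registry Editor",
                        "disabletaskmgr": "Task Manager"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*"
                   r"(?P<cmd>.*?)(?:\s*\(User '(?P<user>[^']*)'\))?\s*$")
O7_RE = re.compile(r"^O7 - (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)\s*$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def executable_path(cmd: str) -> str:
    """Return the executable part of a Run value, with quotes and arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else ""


def check_o4(line: str) -> List[str]:
    """Reasons an O4 autostart line deserves a closer look (empty list if none)."""
    m = O4_RE.match(line)
    if not m:
        return []
    reasons = []
    cmd, user = m.group("cmd"), m.group("user")
    path = executable_path(cmd)
    lowered = path.lower()
    if not path and user in ("SYSTEM", "Default user"):
        reasons.append("empty Run value under the %s hive (orphaned loader entry)" % user)
    if "\\temp\\" in lowered:
        reasons.append("autostart runs from a Temp directory")
    if any(p in lowered for p in PROFILE_MARKERS) and "\\application data\\" not in lowered:
        reasons.append("autostart executable stored under the user profile, not Program Files")
    basename = lowered.rsplit("\\", 1)[-1]
    if basename in SYSTEM_PROCESS_NAMES and not any(d in lowered for d in SYSTEM_DIR_MARKERS):
        reasons.append("system process name '%s' outside System32" % basename)
    return reasons


def check_o7(line: str) -> List[str]:
    """Flag O7 policy lines that disable Registry Editor or Task Manager."""
    m = O7_RE.match(line)
    if not m:
        return []
    tool = RESTRICTION_POLICIES.get(m.group("value").lower())
    if tool and m.group("data") != "0":
        return ["%s disabled by policy (%s)" % (tool, m.group("key"))]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run the O4/O7 checks over a whole log and keep only lines with findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O4 "):
            reasons = check_o4(line)
        elif line.startswith("O7 "):
            reasons = check_o7(line)
        else:
            reasons = []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run as-is it reports five of the six sample lines; the legitimate PC Tools entry in Program Files passes every check, while the fake csrss.exe trips three at once. The checks only prioritise lines for a human; a clean result says nothing about entries the heuristics do not cover, which is why the moderator still asked for fresh logs after each script.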

  8. #8
    Junior Member | Registered: 07.07.2009 | Posts: 5 | Reputation weight: 28

    Thanks for your help

    Looks like we got rid of all of the bad stuff. Thanks for the advice. Requested logfile is attached. Please let me know if I need to take any further action.

  9. #9
    drongo, Senior Member | Registered: 17.09.2004 | Location: Israel | Posts: 7,165 | Reputation weight: 967
    Now it looks clean. Some files are not "green" in the AVZ log; please execute this script:
    Code:
    begin
    ClearQuarantine;
    // Collect the unverified system files for a closer look; nothing is deleted here
    QuarantineFile('C:\WINDOWS\system32\psxss.exe','');
    QuarantineFile('C:\WINDOWS\system32\stisvc.exe','');
    QuarantineFile('C:\WINDOWS\system32\asr_pfu.exe','');
    QuarantineFile('C:\WINDOWS\system32\mscoree.dll','');
    QuarantineFile('C:\WINDOWS\System32\polagent.dll','');
    QuarantineFile('C:\WINDOWS\System32\ospf.dll','');
    QuarantineFile('C:\WINDOWS\System32\appmgmts.dll','');
    QuarantineFile('C:\WINDOWS\System32\fdeploy.dll','');
    BC_ImportAll;
    BC_Activate;
    CreateQurantineArchive('C:\quarantine.zip');
    SetAVZPMStatus(false);
    RebootWindows(true);
    end.
    Upload the new quarantine via the red link.
    For better protection, consider using the computer under a limited user account by default rather than as an administrator. In that case disinfection will be simpler, or even unnecessary, in 90% of cases.
    Last edited by drongo; 13.07.2009 at 19:09.

