Hello,
Kapersky and other antiviruses found this trojan - hjgruityvtsoaw.dll - in memory, but none was able to remove it.
Can you help ?
Many thanks.
Babouin
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- Execute following script in Manual Cure
Code:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(True);
 StopService('eqgudxweblioarw');
 QuarantineFile('C:\WINDOWS\system32\drivers\qeupa.sys','');
 QuarantineFile('%systemroot%\system32\hjgruityvtsoaw.dll','');
 QuarantineFile('O:\autorun.inf','');
 QuarantineFile('N:\autorun.inf','');
 QuarantineFile('M:\autorun.inf','');
 QuarantineFile('H:\autorun.inf','');
 DeleteFile('O:\autorun.inf');
 DeleteFile('N:\autorun.inf');
 DeleteFile('M:\autorun.inf');
 DeleteFile('H:\autorun.inf');
 DeleteFile('%systemroot%\system32\hjgruityvtsoaw.dll');
 DeleteFile('C:\WINDOWS\system32\drivers\qeupa.sys');
 DeleteService('eqgudxweblioarw');
 BC_ImportAll;
 ExecuteSysClean;
 BC_DeleteSvc('eqgudxweblioarw');
 BC_Activate;
 SetAVZPMStatus(True);
 RebootWindows(true);
end.
After reboot execute following script in Manual Cure
Code:
begin
 CreateQurantineArchive('C:\quarantine.zip');
end.
- Remove Bonjour
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Repeat a log file.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach a log to your new post.
Hello,
I have performed your instructions step by step.
I have uploaded the quarantine file and the new log is attached to this message.
After scanning, I still get the message :
not found: Trojan program Trojan.Win32.Agent.crez File: globalroot\systemroot\system32\hjgruityvtsoaw.dll
Thanks for your help.
Babouin
Last edited by Rene-gad; 29.07.2009 at 20:10. Reason: It's a wrong log
It's a wrong log. You have to make the same actions as by your 1st post - the result should be a new avptool_syscheck.zip.
Additionally make a GMER log file: www.gmer.net: download -> run the tool -> press SCAN -> wait (possibly 2-3 hours) -> press SAVE -> attach the saved logfile here.
I have done it all again.
- quarantine uploaded
- log file attached
GMER currently running. Log file will be posted within 2 hours.
Please note that I cannot disable system restore. The checkbox is unchecked and greyed (although logged as admin...).
Last edited by bab; 29.07.2009 at 23:17.
And now GMER's log file.
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- Execute following script in Manual Cure
Code:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(True);
 ClearQuarantine;
 StopService('hjgruipqmlxyid');
 QuarantineFile('c:\windows\system32\drivers\hjgruiegkenxfd.sys','');
 QuarantineFile('c:\windows\system32\hjgruityvtsoaw.dll','');
 QuarantineFile('c:\windows\system32\nmsaccessu.exe','');
 QuarantineFile('C:\WINDOWS\system32\hjgruippcaoebc.dll','');
 QuarantineFile('C:\WINDOWS\system32\hjgruintyhfgvi.dat','');
 QuarantineFile('C:\WINDOWS\system32\hjgruiysltoxul.dat','');
 RegKeyParamDel('HKLM','SYSTEM\CurrentControlSet\Services','hjgruipqmlxyid');
 RegKeyParamDel('HKLM','SYSTEM\ControlSet005\Services','hjgruipqmlxyid');
 DeleteFileMask('C:\WINDOWS\system32','hjgrui*.*',false);
 DeleteFileMask('C:\WINDOWS\system32\drivers','hjgrui*.*',false);
 DeleteService('hjgruipqmlxyid');
 BC_ImportAll;
 ExecuteSysClean;
 BC_DeleteSvc('hjgruipqmlxyid');
 BC_Activate;
 SetAVZPMStatus(True);
 RebootWindows(true);
end.
After reboot execute following script in Manual Cure
Code:
begin
 CreateQurantineArchive('C:\quarantine.zip');
end.
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Make the new log files avptool_syscheck.zip + gmer.
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Attach the logs to your new post.
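Both helper posts above follow the same pattern: stop the malicious service, quarantine and delete its files (by exact path and by the hjgrui* filename mask), delete the service registry key from the named control sets, reboot, then pack the quarantine. The script below is an added example, not from this thread and not part of AVZ; it is a read-only PowerShell check, run from an elevated prompt after the reboot, that looks for every artifact the two AVZ scripts targeted (service names, file paths, masks, registry keys, autorun.inf on every mounted volume, and a still-loaded driver with the same name). It assumes the drive letters and %SystemRoot% layout of the thread's machine; the control set names are the ones the second script used.

```powershell
# Added example: verify that the artifacts targeted by the two AVZ cleanup
# scripts in this thread are gone. Reports only; deletes nothing.
# Names, paths and masks are taken from the scripts in the thread.

$ServiceNames = @('eqgudxweblioarw', 'hjgruipqmlxyid')
$FilePaths = @(
    "$env:SystemRoot\System32\hjgruityvtsoaw.dll",
    "$env:SystemRoot\System32\nmsaccessu.exe",
    "$env:SystemRoot\System32\drivers\qeupa.sys",
    "$env:SystemRoot\System32\drivers\hjgruiegkenxfd.sys"
)
$FileMasks = @(
    @{ Dir = "$env:SystemRoot\System32";         Mask = 'hjgrui*' },
    @{ Dir = "$env:SystemRoot\System32\drivers"; Mask = 'hjgrui*' }
)
# The two control sets named by RegKeyParamDel in the second script.
$RegRoots = @('HKLM:\SYSTEM\CurrentControlSet\Services',
              'HKLM:\SYSTEM\ControlSet005\Services')

$findings = New-Object System.Collections.Generic.List[string]

# 1. Services: check the Service Control Manager view and the registry key
#    that DeleteService / RegKeyParamDel were meant to remove.
foreach ($name in $ServiceNames) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        $findings.Add("service still registered with SCM: $name")
    }
    foreach ($root in $RegRoots) {
        $key = Join-Path $root $name
        if (Test-Path -LiteralPath $key) {
            $findings.Add("service registry key still present: $key")
        }
    }
}

# 2. Exact file paths. -Force so hidden/system attributes do not mask a hit.
foreach ($path in $FilePaths) {
    if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
        $findings.Add("file still present: $path")
    }
}

# 3. Filename masks, the equivalent of DeleteFileMask('...','hjgrui*.*',false):
#    non-recursive, matching the 'false' argument in the script.
foreach ($m in $FileMasks) {
    Get-ChildItem -LiteralPath $m.Dir -Filter $m.Mask -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("file matching mask still present: $($_.FullName)") }
}

# 4. autorun.inf on the root of every mounted volume, not only the four drive
#    letters (H:, M:, N:, O:) the first script quarantined.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $autorun = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $autorun) {
        $findings.Add("autorun.inf present: $autorun")
    }
}

# 5. A kernel driver with the malicious name still running: the on-disk file
#    can be gone while the driver stays loaded until the next reboot.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and
                   ($_.Name -like 'hjgrui*' -or $_.Name -eq 'eqgudxweblioarw') } |
    ForEach-Object { $findings.Add("kernel driver still loaded: $($_.Name) ($($_.PathName))") }

if ($findings.Count -eq 0) {
    Write-Output 'No leftover artifacts from the cleanup scripts were found.'
} else {
    Write-Output "Leftover artifacts ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result from this check is necessary but not sufficient: an active kernel-mode rootkit can hide its own files, registry keys and service entries from exactly these queries, which is why the helper also asked for a GMER log and a fresh avptool_syscheck.zip. Treat this script as a quick sanity check between the reboot and the tool-based rescan, not as a replacement for it.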
Quarantine posted. Avptool_syscheck.zip attached.
GMER coming soon...
No effect when clicking on the attachment icon...
Added 1 minute later
Same when I click on "Manage attachments" !
Sorry. Here it is.
Last edited by Rene-gad; 30.07.2009 at 09:49.
Everything looks clean, now.
Thanks a lot for your help, Rene, I'm very grateful. Your latest script was the good one.
Have a nice day.
Babouin