# HEUR:Worm.Win32.Generic

1. ## HEUR:Worm.Win32.Generic

I have followed your instructions on the 'things to do before posting a new thread' and attached are the log files requested from the suggested programmes. Please advise how to remove the above virus as I have scanned my computer several times with Kaspersky and the version on my computer doesn't seem to remove it although this version is still in its annual subscription until May 2010. Please help!!

2. Hello,

- Update AVZ-Database (File/Database Update)
- If you didn't install WildTangent yourself - remove it!
- Remove Ad-Aware - it's a useless program.

Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore

- Execute the following script
Code:
```
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
StopService('ddxgb');
QuarantineFile('ekbsqhimir.exe','');
QuarantineFile('D:\MiniNT\system32\RASMAN.DLL','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('C:\WINDOWS\system32\Drivers\ps6agqwb.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\pe3agqwb.sys','');
QuarantineFile('c:\windows\system\hpsysdrv.exe','');
QuarantineFile('C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ddxgb.sys','');
DeleteService('ddxgb');
DeleteFile('ekbsqhimir.exe');
DeleteFile('C:\WINDOWS\ekbsqhimir.exe');
DeleteFile('C:\WINDOWS\system32\ekbsqhimir.exe');
DeleteFile('C:\WINDOWS\system32\Drivers\ps6agqwb.sys');
DeleteFile('C:\WINDOWS\system32\Drivers\pe3agqwb.sys');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe');
DeleteFile('C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ddxgb.sys');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunServices','Windows Recylinder Check');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','MyWebSearch Email Plugin');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','My Web Search Bar Search Scope Monitor');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
BC_DeleteSvc('ddxgb');
SetAVZPMStatus(True);
RebootWindows(true);
end.
```
After reboot execute the following script
Code:
```
begin
CreateQurantineArchive('C:\quarantine.zip');
end.
```
- Remove Bonjour
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Make 3 logs (syscure, syscheck, hijackthis). AVPTool log isn't necessary in such case.

3. ## Complete

Many thanks for the help. I have followed your instructions and uploaded the quarantine.zip file.
Also I have run AVZ and HijackThis again and attached the log files as asked.
Is this all I need to do now?

If so many thanks and fingers crossed!!!

Terry

4. Hello,
AVZ/File/Quarantine folder viewer.
Mark the files:
Code:
```
ps6agqwb.sys
pe3agqwb.sys
```
and press Restore-Button.

Pls. download Mbam: http://download.cnet.com/Malwarebyte...=dl&tag=button, install the application, update database (runs normally just after the installation), make FULL SCAN, DON'T DELETE ANYTHING, attach the log to your next post.

5. I have looked in the AVZ quarantine folder and the files:

ps6agqwb.sys
pe3agqwb.sys

are not even there to select so have been unable to restore them. I have now installed the Malwarebytes Anti-Malware programme and done a full scan and the log is attached.

Terry

6. All items from Malwarebytes log should be removed with MBAM.
Pls. repeat MBAM log after removing them.

The files you can find in attachment (if you really need them copy them to the C:\windows\system32\drivers\).

7. ## Update

Deletion done and new log attached.
Ever since the original scan and deletion I now have a found new hardware screen come up every time I start the computer up and it doesn't say what it is or cannot find the drivers. Any advice or should I just click the 'don't prompt me again to install this software'?

Terry

8. Originally posted by Terry Jennings:
> I now have a found new hardware screen come up every time I start the computer

Open Hardware manager and remove Unknown Hardware

Any problem more?

9. No option to delete but have disabled. I now have an option to uninstall the unknown device, shall I do this or just leave it disabled?

10. - Execute following script
Code:
```
begin
SetAVZPMStatus(false);
RebootWindows(true);
end.
```

11. Hi, I have followed your instructions to the letter but having done all that and then put my system restore back on a day ago. The computer was working really slow today so upon scanning again with Kaspersky AntiVirus the virus is still there!! HELP!!

12. Disable system restore, repeat 3 logs according to the rules.

13. System restore disabled now. But which logs do you need from me and which programme shall I use to create them from the 3 I have installed and run?

I have now updated with the new scan and updated logs which I think you need.

Just thought I would also mention that the computer seems to be running at 100% CPU usage most of the time!!

14. You have got a full chaos @ your system!!!

In HijackThis Log I can see Kaspersky Antivirus, in AVZ-Logs - I can't.
If you prefer to use Symantec - use the last version.

Remove the rests with the script.
Code:
```
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\Program Files\Grisoft\AVG Free\avglog.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\AVG7','EventMessageFile');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
```
Remove the rests of KAV: http://support.kaspersky.com/faq/?qid=208279463

If you'll have any problem further - repeat the virusinfo_syscheck & hijackthis - logs

15. I have done all this and it seems to have gone. But my CPU is now constantly running at 100% and causing my computer to run VERY slow. It looks like it is the agent.exe file and the ISUSPM files. I have just ended these processes and the computer performs loads better but I cannot see any way of deleting them. Any advice? Thanks again

16. You haven't removed anything. Please:
- Start AVZ
- Set a hook at system drive in the left panel
- On the right side in the field File Name or Template type the name of file to be searched.
- Press Start.
Found files attach to the quarantine and upload it (App. 3 of the rules).

17. Hello,
I have just done as requested and uploaded the 2 files that seem to be slowing my computer down and using 100% CPU usage. If I disable these 2 the computer runs fine and so do the games that weren't.

18. Originally posted by Terry Jennings:
> I have just done as requested and uploaded the 2 files.

They are definitely not malicious.
