
slow pc crashes and IE redirects with fake scans

#1 Junior Member (registered 18.11.2009, 11 posts)

Hi, my PC keeps crashing (especially when trying to upload this message!).
Also I am getting fake scans and redirected IE pages.

Some antivirus software is also crashing before completion (including AVZ).

GMER has run and says that there are lots of GEYEK files in my registry, but I cannot remove them using regedit or GMER.

Here are the log files (excluding syscure, which crashes).
Attachments

#2 VIP Aleksandra (registered 13.01.2007, 7,662 posts)

1. Please disable System Restore and antivirus (if you have one).
2. Execute this script in AVZ or AVPTool:

Code:
begin
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BCC0FF27-31D9-4614-A68E-C18E1ADA4389}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{360E40AA-EE8B-4101-BA67-0CAD3F7A48DD}');
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{32FA9DC4-8CB0-4849-8A9A-D201F8B21EEE}');
ExecuteRepair(13);
RebootWindows(true);
end.

3. Fix in HijackThis:

O20 - Winlogon Notify: bYoLFxyW - C:\WINDOWS\

4. Attach new logs to your new post.

Our service, like the heart, never rests.

#3 Junior Member (registered 18.11.2009, 11 posts)

I thought that winlogon entry looked suspect.
Taken off now, and new logs posted.

Also my version of AVZ does not have a Healing / Quarantine option in standard scripts.
Attachments

#4 Senior Member (registered 03.04.2006, 21,108 posts)

Quote from Richard1: also my version of AVZ does not have a Healing / Quarantine option in standard scripts
It cannot be true.

Uninstall Ad-Aware.

Close/disable all applications except AVZ and Internet Explorer.

- Disconnect your PC from the network (internet/intranet)
- Disable antivirus, firewall and other memory-resident security tools
- Disable System Restore

- Execute the following script
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
StopService('MEMSWEEP2');
QuarantineFile('C:\WINDOWS\system32\10D.tmp','');
DeleteFile('C:\WINDOWS\system32\10D.tmp');
DeleteFileMask('C:\WINDOWS\system32','*.tmp',false);
DeleteService('MEMSWEEP2');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
BC_DeleteSvc('MEMSWEEP2');
SetAVZPMStatus(True);
RebootWindows(true);
end.

If after the reboot the system tries to install any unknown hardware, abort the installation and remove the unknown hardware through the hardware manager.

After reboot:

execute the following script
Code:
begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Remove Bonjour
- AVZ/Service/Hosts file manager: remove all the strings after 127.0.0.1 localhost

- Clean temp folders, browser caches, Recycler. Use the Windows service tool cleanmgr, or CCleaner or ClearProg
- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Make new logs and attach them to the new posting.

Think about upgrading your antivirus solution; a version from 2006 has been obsolete for 2 years already.
Last edited by Rene-gad; 22.11.2009 at 12:09. Reason: Added

#5 Junior Member (registered 18.11.2009, 11 posts)

Hi, my third option on standard scripts (AVZ) is Advanced system analysis with Malware removal enabled (which is probably the same thing).
I still cannot complete a scan with this enabled though, as it crashes when scanning the disks. An advanced scan works fine (log attached).

Is there any way to remove the hosts file manager strings in bulk, as I have around 7000 entries and it is hurting my hand to manually remove all of them?

Also I was wondering what anti-virus program you would recommend? (the cheaper the better)

Also I cannot see the upload Quarantine files link? (all the top links are in Russian)
Attachments

#6 Senior Member (registered 03.04.2006, 21,108 posts)

Quote from Richard1: Advanced system analysis with Malware removal enabled (which is probably the same thing)
Sorry, you're right; I didn't really know that the name of the script was changed in the last version.

Quote from Richard1: I still cannot complete a scan with this enabled though as it crashes when scanning the disks.
Are your resident applications (antivirus, firewall etc.) disabled?

Quote from Richard1: Is there anyway to remove the host file manager strings in bulk as i have around 7000 entries and it is hurting my hand to manually remove all of them.
http://virusinfo.info/showthread.php?t=61042

Quote from Richard1: also i was wondering what Anti-Virus program you would recommend? (the cheaper the better)
www.av-comparatives.org; prices for the best AVs are about 30 EUR for 1 year, some vendors make good offers for more PCs or more time, and some vendors give a discount on license renewal. To choose an AV you have to test some of them and choose the best for your system.

Quote from Richard1: also i cannot see the upload Quarantine files link? (all the top links are in Russian)
This is it: http://virusinfo.info/upload_virus_eng.php?tid=60810 Unfortunately I cannot give you further recommendations or scripts before we see the quarantined files.
PS: Switch to the English interface: http://virusinfo.info/index.php?page=homeeng&langid=1
Last edited by Rene-gad; 23.11.2009 at 20:54.
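Post #4 asks for every hosts entry after 127.0.0.1 localhost to be removed and post #5 has thousands of them. The following is an added example, not code from the thread, from AVZ or from the linked how-to: a Python script that bulk-cleans a hosts file, keeping comments and the loopback names and reporting each mapping it dropped. The hosts content and the hostnames in it are constructed.

```python
# Added example (not from the thread or from AVZ): bulk-clean a Windows hosts
# file the way post #4 asks, keeping comments and the loopback names only.
# The sample hosts content below is constructed; the hostnames are not real.

KEEP_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}


def clean_hosts(text):
    """Return (cleaned_text, removed) for the content of a hosts file.

    Comment and blank lines are kept. A mapping line survives only if every
    hostname on it is a loopback name in KEEP_HOSTS; everything else, whatever
    IP it points at, is dropped and reported as (ip, [hostnames])."""
    kept, removed = [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        body = line.split("#", 1)[0].strip()   # ignore an inline comment
        if not body:                           # comment-only or blank line
            kept.append(line)
            continue
        fields = body.split()
        ip, names = fields[0], fields[1:]
        if names and all(n.lower() in KEEP_HOSTS for n in names):
            kept.append(line)
        else:
            removed.append((ip, names))
    return "\n".join(kept) + "\n", removed


# Constructed sample: the stock header, the two loopback lines, and a few
# hijack entries of the kind the thread is about (vendor sites pinned to the
# loopback address, a site pointed at a non-loopback IP).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1 localhost
::1 localhost
127.0.0.1 update.av-vendor.test   # blocks signature updates
127.0.0.1 www.security-forum.test
10.0.0.99 www.bank.test            # redirect to a non-loopback host
"""

if __name__ == "__main__":
    cleaned, removed = clean_hosts(SAMPLE_HOSTS)
    print(f"removed {len(removed)} entries:")
    for ip, names in removed:
        print("  ", ip, " ".join(names))
    print("--- cleaned hosts ---")
    print(cleaned, end="")
```

Run it against a copy of C:\WINDOWS\system32\drivers\etc\hosts and review the removed list before writing the cleaned text back; the file is normally read-only and needs administrator rights to replace.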

#7 Junior Member (registered 18.11.2009, 11 posts)

OK, host files removed.

Yes, as far as I am aware my anti-virus is disabled, although my Norton displays an error on auto protect but I cannot turn it on (so I assume it is off).

With removing all my automatic protection and removing the host files, am I now more vulnerable, as I have had several things on my machine today, SDR64 and some other trojans, and they all seem to be installing via command prompt (cmd.exe)?

And how do you feel about AVG or Ad-Aware as an anti-virus solution?

Quarantined zip is now uploaded.

#8 Senior Member (registered 03.04.2006, 21,108 posts)

Quote from Richard1: OK host files removed
Removed? Or cleaned?

Quote from Richard1: with removing all my automatic protection and removing the host files am i now more vulnerable as i have had several things on my machine today SDR64 and some other trojans, and they all seem to be installing via command prompt
I suppose this malware was on your PC already before you disabled the antivirus and cleaned the hosts file. Try to remove the antivirus and make 3 log files. This can be done offline. It would be perfect if you could disconnect your PC from the internet/intranet and communicate with us from another PC or another OS (e.g. Linux).

Quote from Richard1: and how do you feel about AVG or ad-aware as a anti-virus solution?
I'm not sure, especially about Ad-Aware: it's an absolutely useless thing.

#9 Junior Member (registered 18.11.2009, 11 posts)

Host files removed.

Will try Norton removal and scan off-line shortly.

#10 Senior Member (registered 03.04.2006, 21,108 posts)

Quote from Richard1: host files removed.
Do you mean IP addresses? I'd like to look at your logs.

#11 Junior Member (registered 18.11.2009, 11 posts)

Above you told me to remove all strings after 127.0.0.1 localhost.
This is what I did using HijackThis (removed 12000 entries; all seem to be potentially harmful web addresses).

I have now removed all Norton products (using the Norton removal tool) and the AVZ scan still crashes.

It always crashes at the same point, C:\Documents and Settings\rich\Local Settings\Temporary Internet Files\Content.IE5

and the last thing shown on the scanner is a direct scan of a .tmp file in the temp folder.

As I cannot run this scan, I cannot provide you with the log you require.

(message sent from alternate PC)

#12 Senior Member (registered 03.04.2006, 21,108 posts)

OK, make the logs syscheck and hijackthis.
Make a log of Malwarebytes Antimalware too, but don't remove anything!

#13 Junior Member (registered 18.11.2009, 11 posts)

Quote from Rene-gad: OK, make the logs syscheck and hijackthis. Make a log of Malwarebytes Antimalware too, but don't remove anything!
Sorry, but at the time of receiving your last response I had already run a Malwarebytes scan and a Spybot S&D scan; both found two trojans and six entries, and they were removed. I have done a Malwarebytes scan again and include both logs (plus HijackThis & AVZ).

I will not remove anything from now on without your say-so.
What do you feel about AVZGuard and Dr.Web CureIt?
Attachments

#14 Senior Member (registered 03.04.2006, 21,108 posts)

MBAM found some non-critical things; the registry you have just cleaned.

Try to make a check with this: http://www.freedrweb.com/livecd/?lng=en

- Execute the following script
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
TerminateProcessByName('\Device\HarddiskVolume3\DOCUME~1\Richard\LOCALS~1\temp\dc01367163\25e9kxp.exe');
QuarantineFile('\Device\HarddiskVolume3\DOCUME~1\Richard\LOCALS~1\temp\dc01367163\25e9kxp.exe','');
DeleteFile('\Device\HarddiskVolume3\DOCUME~1\Richard\LOCALS~1\temp\dc01367163\25e9kxp.exe');
DeleteFileMask('\Device\HarddiskVolume3\DOCUME~1\Richard\LOCALS~1\temp','*.*',true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot execute the following script
Code:
begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Make and attach new logs to your new post.

#15 Junior Member (registered 18.11.2009, 11 posts)

OK, I have run Dr.Web and it saved a CSV file it produced after the scan (I did not remove items), but I cannot upload CSV files, so here is the text:

SopAdver.exe; C:\Documents and Settings\Richard\Application Data\SopCast\adv; Adware.Sopcast;;
SetupCasino.exe; C:\Documents and Settings\Richard\Desktop\Casi; Probably DLOADER.Trojan;;
Process.exe; C:\Documents and Settings\Richard\Desktop\SDFix\apps; Tool.Prockill;;
Process.exe; C:\Documents and Settings\Richard\Desktop\SmitfraudFix; Tool.Prockill;;
restart.exe; C:\Documents and Settings\Richard\Desktop\SmitfraudFix; Tool.ShutDown.14;;
pv.exe; C:\Program Files\LittlewoodsCasino; Program.PrcView.3725;;
bet365casino setup.exe; C:\WINDOWS; Adware.Casino;;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
vjocx.dll; C:\WINDOWS\SYSTEM32\nagasoft; Probably DLOADER.Trojan;;
Attachments

#16 Senior Member (registered 03.04.2006, 21,108 posts)

C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
If Dr.Web cannot heal this file, you have to replace it via the recovery console: http://support.microsoft.com/kb/314058
If you use a Windows CD you have to log in to the recovery console.
Enter the commands as follows (press Enter after each line; instead of X: put the letter of the CD-ROM drive with the Windows CD):
Code:
cd X:\i386
dir atapi.*

If the file has the extension SYS, you can copy it to C:\WINDOWS\SYSTEM32\DRIVERS\ directly:
Code:
copy X:\i386\atapi.sys C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

If the file has the extension SY_, you have to extract it:
Code:
expand X:\i386\atapi.sy_ C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys

You could take this file from any clean system which is similar to yours (the same Service Pack is important!).

The other files which were found you could ignore.
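The Dr.Web report pasted in post #15 is a semicolon-separated list, and the reply above triages it by location: the hit under SYSTEM32\DRIVERS matters, the desktop tools and adware can be ignored. The following is an added example, not code from the thread or from Dr.Web: a parser for that report layout, which is assumed from the posted lines (file; directory; detection; action;). Because a report pasted into a forum may wrap one record over two lines or run two records onto one, the parser collects fields across all lines and regroups them in fours instead of trusting line breaks. The sample report is constructed.

```python
# Added example (not from the thread or from Dr.Web): parse a Dr.Web scan
# report in the layout posted above, assumed to be
#   <file>; <directory>; <detection>; <action>;
# Fields are gathered across all lines and regrouped in fours, so a record that
# was wrapped onto two lines, or two records pasted onto one line, still parse.

# Constructed sample reproducing the posted layout, including one record that
# is split over two lines and shares its first line with the previous record.
SAMPLE_REPORT = r"""SopAdver.exe; C:\Documents and Settings\Richard\Application Data\SopCast\adv; Adware.Sopcast;;
pv.exe; C:\Program Files\LittlewoodsCasino; Program.PrcView.3725;;bet365casino setup.exe;
C:\WINDOWS; Adware.Casino;;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
atapi.sys; C:\WINDOWS\SYSTEM32\DRIVERS; BackDoor.Tdss.1133; Cured.;
vjocx.dll; C:\WINDOWS\SYSTEM32\nagasoft; Probably DLOADER.Trojan;;
"""

FIELDS_PER_RECORD = 4  # file, directory, detection, action


def parse_drweb_report(text):
    """Return unique (file, directory, detection, action) tuples in report order."""
    stream = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(";")]
        if fields and fields[-1] == "":   # every record ends in ';', drop the tail
            fields.pop()
        stream.extend(fields)
    records, seen = [], set()
    for i in range(0, len(stream) - FIELDS_PER_RECORD + 1, FIELDS_PER_RECORD):
        rec = tuple(stream[i:i + FIELDS_PER_RECORD])
        if rec not in seen:              # Dr.Web repeats a driver hit per pass
            seen.add(rec)
            records.append(rec)
    return records


def driver_records(records):
    """Hits located in the DRIVERS directory: the kernel-driver findings the
    reply singles out (a rootkit-patched driver), as opposed to the desktop
    tools and adware it says can be ignored."""
    return [r for r in records if r[1].upper().endswith(r"SYSTEM32\DRIVERS")]


if __name__ == "__main__":
    recs = parse_drweb_report(SAMPLE_REPORT)
    for rec in recs:
        print(" | ".join(rec))
    print("driver hits needing replacement or verification:", driver_records(recs))
```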

#17 Junior Member (registered 18.11.2009, 11 posts)

I copied atapi.sys from a clean system and then it (Dr.Web) found a problem with atapi.sys.tmp.

I have since run some scans in safe mode (including MBAM, not removed; HijackThis; and a command-line scanner from AVG9).

There are lots of problems on MBAM and obvious spyware in HijackThis as well.
Attachments
Last edited by Rene-gad; 26.11.2009 at 18:46.

#18 Senior Member (registered 03.04.2006, 21,108 posts)

Remove all items found by MBAM (MBAM can remove them).
Empty all the temp folders (CCleaner).
Make all the log files according to the rules in NORMAL MODE.

Quote from Richard1: (drwebb) found a problem with atapi.sys.tmp
This file can be removed.
Last edited by Rene-gad; 26.11.2009 at 18:48.

#19 Junior Member (registered 18.11.2009, 11 posts)

MBAM finds nothing now.

Scan logs included.

But GEYEK (rootkit) registry files are still present in GMER.
Attachments

#20 Senior Member (registered 03.04.2006, 21,108 posts)

Execute these commands in GMER:
Code:
gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\UACd.sys"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\geyekruhylkjba"
gmer.exe -del file "c:\windows\system32\geyekrwsp.dll"
gmer.exe -del file "c:\windows\system32\drivers\geyekritbijhgt.sys"
gmer.exe -del file "c:\windows\system32\geyekrkeamnksq.dll"
gmer.exe -del file "c:\windows\system32\geyekrgakftpvx.dat"
gmer.exe -del file "c:\windows\system32\geyekrogjdwwxm.dll"
gmer.exe -del file "c:\windows\system32\geyekrhflbyggi.dat"
gmer.exe -del file "C:\DOCUME~1\Richard\LOCALS~1\Temp\geyekrtixtbqftih.tmp"
gmer.exe -reboot

After reboot, repeat the 3 logs according to the rules + GMER.
