Virus in my laptop. Please help.

**tom800** · 29.11.2009, 07:22

Here's the last report.

I used the Kaspersky manual disinfection removal tool.

**Aleksandra** · 29.11.2009, 10:43

1. Please, disable System Restore and antivirus (if you have).
2. Execute this script in avz or avptool:

Код:

begin
SetAVZGuardStatus(True);
 RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
 DelBHO('{5C255C8A-E604-49b4-9D64-90988571CECB}');
 QuarantineFile('kiduruka.dll','');
 QuarantineFile('c:\windows\system32\motatuwo.dll','');
 QuarantineFile('C:\WINDOWS\system32\__c006037A.dat','');
 QuarantineFile('C:\WINDOWS\system32\6to4v32.dll','');
 DeleteFile('C:\WINDOWS\system32\6to4v32.dll');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\6to4\Parameters','ServiceDll');
 DeleteFile('C:\WINDOWS\system32\__c006037A.dat');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006037A','DLLName');
 DeleteFile('c:\windows\system32\motatuwo.dll');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','kavigelej');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{422bba35-686d-4711-aaf3-5737e5329157}');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','zameselol');
 DeleteFileMask('%tmp% ','*.* ',true );
 DeleteFile('kiduruka.dll');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
ExecuteWizard('SCU', 3, 3, true);
BC_Activate;
CreateQurantineArchive('C:\quarantine.zip');
RebootWindows(true);
end.

After restart upload file C:\quarantine.zip, by link http://virusinfo.info/upload_virus.php?tid=61661

3. Attach a new log to your new post.

**tom800** · 29.11.2009, 21:39

Ok. I ran the script on Avz Toolkit.

I uploaded the quarantine.zip to the link you provided me.

Here's attached a new log with Kaspersky virus removal tool.

Should I use a different application to make a new log?

**Rene-gad** · 30.11.2009, 00:51

Сообщение от tom800

Should I use a different application to make a new log?

Yes, please. Make a log of Hijackthis (p.3 of Analysis in the rules) and a gmer one: http://virusinfo.info/showpost.php?p=447345&postcount=1

**tom800** · 30.11.2009, 07:09

Here's what you asked me.

**Rene-gad** · 30.11.2009, 11:40

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

-Fix with Hijackthis

Код:

O20 - AppInit_DLLs: bojigenu.dll c:\windows\system32\motatuwo.dll
O20 - Winlogon Notify: __c006037A - C:\WINDOWS\

- Execute following script in Manual Cure

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('C:\WINDOWS\system32\drivers\atapi.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\wozevcoqmgmgtoc.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\str.sys','');
QuarantineFile('c:\windows\system32\motatuwo.dll','');
QuarantineFile('bojigenu.dll','');
DeleteFile('C:\WINDOWS\system32\drivers\wozevcoqmgmgtoc.sys');
DeleteFile('C:\WINDOWS\system32\drivers\str.sys');
DeleteFile('c:\windows\system32\motatuwo.dll');
DeleteFile('c:\windows\system32\bojigenu.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(7);
ExecuteRepair(14);
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot:

Execute commands in GMER:

Код:

br70egr5.exe -del service vwjqbtzqo
br70egr5.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\vwjqbtzqo"
br70egr5.exe -del file "C:\WINDOWS\system32\drivers\wozevcoqmgmgtoc.sys"
br70egr5.exe -del file "C:\WINDOWS\system32\drivers\str.sys"
br70egr5.exe -reboot

Error messages could be ignored.

After reboot:

- Replace C:\WINDOWS\system32\drivers\atapi.sys with a clean file from any similar system or from Windows CD using recovery console or Live CD (use our FAQ and Google to find additional information)

execute following script in Manual Cure

Код:

begin
CreateQurantineArchive('C:\virus.zip');
end.

- Remove Bonjour
- Upload the C:\virus.zip over the link Upload quarantined files on the top of this page.
- Make and attach the logs:
AVPSyscheck
GMER
Hijackthis

**tom800** · 01.12.2009, 06:40

I'm trying to replace that file but I really can't find it!

Can you help me on this too?

I'm really sorry about that and I want to thank all of you guys in advance for all the efforts you put in this forum.

**Rene-gad** · 01.12.2009, 10:46

Сообщение от tom800

I'm trying to replace that file but I really can't find it!

WHERE & HOW had you searched it?

Take my file from attachment.

**tom800** · 03.12.2009, 01:49

Here's the logs !

Thank You!

**tom800** · 03.12.2009, 02:09

I have a new malware called Desktop Defender 2010 in my computer. It just showed up and did everything by itself.

**Никита Соловьев** · 03.12.2009, 03:08

Execute script in AVPTool:

Код:

begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(true);
 TerminateProcessByName('c:\windows\temp\.ttc.tmp');
 QuarantineFile('c:\windows\system321lkdoiuekrewr.bin','');
 QuarantineFile('C:\WINDOWS\system32\lu1f7t1qutwke.exe','');
 QuarantineFile('C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe','');
 QuarantineFile('C:\WINDOWS\system32\tdidis32.sys','');
 QuarantineFile('c:\windows\temp\.ttc.tmp','');
 DeleteFile('c:\windows\temp\.ttc.tmp');
 DeleteFile('C:\WINDOWS\system32\tdidis32.sys');
 DeleteFile('C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe');
 DeleteFile('C:\WINDOWS\system32\lu1f7t1qutwke.exe');
 DeleteFile('c:\windows\system321lkdoiuekrewr.bin');
 DeleteFileMask('C:\Program Files\Desktop Defender 2010','*.*',true);
 DeleteDirectory('C:\Program Files\Desktop Defender 2010');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Desktop Defender 2010');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lu1f7t1qutwke');
 BC_ImportALL;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
end.

After reboot:

Execute script in AVPTool:

Код:

begin
 CreateQurantineArchive('C:\quarantine.zip');
end.

Upload the C:\quarantine.zip over the link "Upload quarantined files"

Make a new logs

**tom800** · 03.12.2009, 05:13

Right now I have just the logs made with Hijack this and AVPsyscheck. Gmer takes forever so I'll give you these two. In 20 minutes I think I'll get Gmer's log too. By the way I've already uploaded the quarantined files.

Here's the GMER log.

**Rene-gad** · 03.12.2009, 10:16

I cannot find nothing suspicious. Did you replace atapi.sys? Pls. do it.

**tom800** · 03.12.2009, 17:49

Yes I did and I still see ads when I surf on the web. I will replace Atapi anyways and the new logs.

**tom800** · 03.12.2009, 18:00

Here's the logs after replacing atapi.

**Никита Соловьев** · 03.12.2009, 20:32

Сообщение от tom800

Here's the logs after replacing atapi.

Make a new GMER log

**tom800** · 04.12.2009, 05:59

I attached the Gmer's log.

**Rene-gad** · 04.12.2009, 10:21

Сообщение от tom800

I attached the Gmer's log.

Pls. make the log with Malwarebytes Antimalware. Pls. remove nothing, only make and attach log.

**tom800** · 05.12.2009, 09:53

Hopefully this will be helpful. : )

**Rene-gad** · 05.12.2009, 10:54

Сообщение от tom800

Hopefully this will be helpful. : )

Yes, it was

Start MBAM again, make full scan again, but now remove all found items. Reboot the system and repeat full scan with MBAM. Attach the new log of MBAM.

Virus in my laptop. Please help.

Опции темы

Похожие темы

suspicious virus on my laptop

help me please..my laptop is infected

Toshiba Laptop

BV:AutoRun-S [laptop]

Spywares in my laptop

Ваши права в разделе