Here's the last report.
I used the Kaspersky manual disinfection removal tool.
Last edited by tom800; 04.12.2009 at 05:55.
1. Please, disable System Restore and antivirus (if you have).
2. Execute this script in AVZ or AVPTool:
Code:
begin
SetAVZGuardStatus(True);
RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
DelBHO('{5C255C8A-E604-49b4-9D64-90988571CECB}');
QuarantineFile('kiduruka.dll','');
QuarantineFile('c:\windows\system32\motatuwo.dll','');
QuarantineFile('C:\WINDOWS\system32\__c006037A.dat','');
QuarantineFile('C:\WINDOWS\system32\6to4v32.dll','');
DeleteFile('C:\WINDOWS\system32\6to4v32.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\6to4\Parameters','ServiceDll');
DeleteFile('C:\WINDOWS\system32\__c006037A.dat');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c006037A','DLLName');
DeleteFile('c:\windows\system32\motatuwo.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','kavigelej');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{422bba35-686d-4711-aaf3-5737e5329157}');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','zameselol');
DeleteFileMask('%tmp%','*.*',true);
DeleteFile('kiduruka.dll');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
ExecuteWizard('SCU', 3, 3, true);
BC_Activate;
CreateQurantineArchive('C:\quarantine.zip');
RebootWindows(true);
end.
After restart, upload the file C:\quarantine.zip via this link: http://virusinfo.info/upload_virus.php?tid=61661
3. Attach a new log to your new post.
Ok. I ran the script on Avz Toolkit.
I uploaded the quarantine.zip to the link you provided me.
Here's attached a new log with Kaspersky virus removal tool.
Should I use a different application to make a new log?
Yes, please. Make a log of Hijackthis (p.3 of Analysis in the rules) and a gmer one: http://virusinfo.info/showpost.php?p=447345&postcount=1
Here's what you asked me.
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- Fix with Hijackthis:
Code:
O20 - AppInit_DLLs: bojigenu.dll c:\windows\system32\motatuwo.dll
O20 - Winlogon Notify: __c006037A - C:\WINDOWS\
- Execute the following script in Manual Cure:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('C:\WINDOWS\system32\drivers\atapi.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\wozevcoqmgmgtoc.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\str.sys','');
QuarantineFile('c:\windows\system32\motatuwo.dll','');
QuarantineFile('bojigenu.dll','');
DeleteFile('C:\WINDOWS\system32\drivers\wozevcoqmgmgtoc.sys');
DeleteFile('C:\WINDOWS\system32\drivers\str.sys');
DeleteFile('c:\windows\system32\motatuwo.dll');
DeleteFile('c:\windows\system32\bojigenu.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(7);
ExecuteRepair(14);
SetAVZPMStatus(True);
RebootWindows(true);
end.
After reboot:
Execute the following commands in GMER (error messages can be ignored):
Code:
br70egr5.exe -del service vwjqbtzqo
br70egr5.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\vwjqbtzqo"
br70egr5.exe -del file "C:\WINDOWS\system32\drivers\wozevcoqmgmgtoc.sys"
br70egr5.exe -del file "C:\WINDOWS\system32\drivers\str.sys"
br70egr5.exe -reboot
After reboot:
- Replace C:\WINDOWS\system32\drivers\atapi.sys with a clean file from any similar system or from the Windows CD, using the recovery console or a Live CD (use our FAQ and Google to find additional information).
- Execute the following script in Manual Cure:
Code:
begin
CreateQurantineArchive('C:\virus.zip');
end.
- Remove Bonjour.
- Upload C:\virus.zip via the link "Upload quarantined files" at the top of this page.
- Make and attach the logs:
AVPSyscheck
GMER
Hijackthis
I'm trying to replace that file but I really can't find it!
Can you help me on this too?
I'm really sorry about that and I want to thank all of you guys in advance for all the efforts you put in this forum.
Here are the logs!
Thank You!
I have a new malware called Desktop Defender 2010 in my computer. It just showed up and did everything by itself.
Execute this script in AVPTool:
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(true);
TerminateProcessByName('c:\windows\temp\.ttc.tmp');
QuarantineFile('c:\windows\system321lkdoiuekrewr.bin','');
QuarantineFile('C:\WINDOWS\system32\lu1f7t1qutwke.exe','');
QuarantineFile('C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe','');
QuarantineFile('C:\WINDOWS\system32\tdidis32.sys','');
QuarantineFile('c:\windows\temp\.ttc.tmp','');
DeleteFile('c:\windows\temp\.ttc.tmp');
DeleteFile('C:\WINDOWS\system32\tdidis32.sys');
DeleteFile('C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe');
DeleteFile('C:\WINDOWS\system32\lu1f7t1qutwke.exe');
DeleteFile('c:\windows\system321lkdoiuekrewr.bin');
DeleteFileMask('C:\Program Files\Desktop Defender 2010','*.*',true);
DeleteDirectory('C:\Program Files\Desktop Defender 2010');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Desktop Defender 2010');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lu1f7t1qutwke');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
After reboot:
Execute this script in AVPTool:
Code:
begin
CreateQurantineArchive('C:\quarantine.zip');
end.
Upload C:\quarantine.zip via the link "Upload quarantined files".
Make new logs.
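A reviewer's aid for the AVZ/AVPTool cure scripts posted in this thread (the first helper script and the Desktop Defender 2010 one), added here as an example and not part of the thread or of AVZ itself: it parses the begin ... end. script format into its individual calls and flags any DeleteFile whose path has no preceding QuarantineFile, so the sample is preserved for analysis before it is wiped. The sample script is constructed and modelled on the scripts above; the statement grammar assumed is the one those scripts use.

```python
import re

# One AVZ statement: Verb;  or  Verb(args);  args are '...' strings, numbers or true/false
STMT_RE = re.compile(r"(\w+)\s*(?:\(((?:'[^']*'|[^'()])*)\))?\s*;")
ARG_RE = re.compile(r"'([^']*)'|([^,\s']+)")

# Constructed sample, modelled on the cure scripts in this thread (not a real script)
SAMPLE = r"""begin
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\motatuwo.dll','');
QuarantineFile('C:\WINDOWS\system32\tdidis32.sys','');
DeleteFile('C:\WINDOWS\system32\tdidis32.sys');
DeleteFile('C:\WINDOWS\system32\bojigenu.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','kavigelej');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
"""

def parse_avz_script(text):
    """Return the script's calls as [(verb, [args])] in order; raises on unparsed text."""
    m = re.match(r"\s*begin\b(.*)\bend\.\s*$", text, re.S | re.I)
    if not m:
        raise ValueError("script must be wrapped in begin ... end.")
    body, pos, actions = m.group(1), 0, []
    while True:
        pos = len(body) - len(body[pos:].lstrip())   # skip whitespace between statements
        if pos >= len(body):
            return actions
        sm = STMT_RE.match(body, pos)
        if not sm:
            raise ValueError("unparsed statement at: %r" % body[pos:pos + 40])
        args = [quoted or bare for quoted, bare in ARG_RE.findall(sm.group(2) or "")]
        actions.append((sm.group(1), args))
        pos = sm.end()

def summarize(actions):
    """Group the actions for review and flag deletions that have no quarantine copy."""
    by = lambda verb: [a for v, a in actions if v.lower() == verb]
    quarantined = [a[0] for a in by("quarantinefile")]
    deleted = [a[0] for a in by("deletefile")]
    registry = [tuple(a) for a in by("regkeyparamdel")]
    # A file deleted without QuarantineFile first is gone before anyone can analyse it
    kept = {q.lower() for q in quarantined}
    lost = [f for f in deleted if f.lower() not in kept]
    return {"quarantine": quarantined, "delete": deleted,
            "registry": registry, "deleted_without_quarantine": lost}
```

Running summarize(parse_avz_script(SAMPLE)) reports bojigenu.dll as deleted without a quarantine copy, which is exactly the line a reviewer would want to see before approving such a script.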
Right now I have just the logs made with Hijack this and AVPsyscheck. Gmer takes forever so I'll give you these two. In 20 minutes I think I'll get Gmer's log too. By the way I've already uploaded the quarantined files.
Here's the GMER log.
I cannot find anything suspicious. Did you replace atapi.sys? Pls. do it.
Yes I did, and I still see ads when I surf the web. I will replace atapi anyway and attach the new logs.
Here are the logs after replacing atapi.
I attached the Gmer's log.
Hopefully this will be helpful. : )