Viruses, maybe a trojan?

[lovesauce]

I can not locate and delete the viruses my computer is infected with, can you help please?

[Rene-gad]

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- Execute following script in Manual disinfection

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','nogofemad');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lilurikav');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Cnovanijudul');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{814d7190-6797-4a3f-badb-bff8ddbf6dea}');
 QuarantineFile('C:\WINDOWS\system32\zejidefu.dll','');
 QuarantineFile('C:\WINDOWS\system32\sedujaza.dll','');
 QuarantineFile('c:\windows\system32\puyubila.dll','');
 QuarantineFile('C:\WINDOWS\ehohoxajedec.dll','');
 QuarantineFile('C:\WINDOWS\apmdesv.dll','');
 DeleteFile('C:\WINDOWS\system32\zejidefu.dll');
 DeleteFile('C:\WINDOWS\system32\sedujaza.dll');
 DeleteFile('c:\windows\system32\puyubila.dll');
 DeleteFile('C:\WINDOWS\ehohoxajedec.dll');
 DelBHO('{512a9c57-8cc3-2c3c-d862-0e241cb50e31}');
 DeleteService('lddie');
 RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\lddie');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

After reboot execute following script in Manual disinfection

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

and upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.

- Remove Bonjour
- Repeat a log file of AVPTool.
- Make a log file with Hijackthis ( Analysis, p.3 for further informations).
- Attach both logs to your new post..

[lovesauce]

Okay, I removed bonjour and ran both those scripts. Thank you, things are already running much smoother. The new AVP file is attached, and I have included the HijackThis log below. Also, quarintine.zip has been uploaded, file saved as: 100220_075143_quarantine_4b7f6a5fc6a00.zip

moderated::: log files have to been ATTACHED and not POSTED

[Rene-gad]

I removed bonjour

Not completely, system restore is not disabled.

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

-Fix with Hijackthis

Код:

O20 - AppInit_DLLs: c:\windows\system32\rujidovo.dll,sahomosa.dll
O21 - SSODL: borihiyiz - {80840d4f-8b58-4757-92e1-f2912119b94e} - c:\windows\system32\rujidovo.dll
O22 - SharedTaskScheduler: jugezatag - {80840d4f-8b58-4757-92e1-f2912119b94e} - c:\windows\system32\rujidovo.dll

- Execute following script in Manual disinfection

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 QuarantineFile('befuvanu.dll','');
 QuarantineFile('apmdesv.dll','');
 QuarantineFile('c:\windows\ehome\mcrdsvc.exe','');
 QuarantineFile('c:\windows\system32\rujidovo.dll','');
 DeleteFile('c:\windows\system32\rujidovo.dll');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lilurikav');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{80840d4f-8b58-4757-92e1-f2912119b94e}');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','borihiyiz');
 DeleteFile('apmdesv.dll');
 DeleteFile('befuvanu.dll');
 DeleteFile('C:\Program Files\Bonjour\mDNSResponder.exe');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service','EventMessageFile');
 DeleteFile('C:\Program Files\Bonjour\mdnsNSP.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot execute following script in Manual disinfection

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

and upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.

- Repeat a log file of AVPTool.
- Make a log file with Hijackthis
- Attach both logs to your new post..
************************************************** ******************************
If you should be bore, you could begin with patching of your very vulnerable system

Platform: Windows XP SP2 (WinNT 5.01.2600)

Install SP3 and all updates

MSIE: Internet Explorer v7.00 (7.00.6000.16981)

Install IE8

C:\Program Files\Java\jre1.6.0_02\

Update Java RE (www.java.com)

C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

Update Adobe Reader or remove it.

[CyberHelper]

Статистика проведенного лечения:

• Получено карантинов: 1
• Обработано файлов: 13
• В ходе лечения обнаружены вредоносные программы:
  
  1. c:\windows\apmdesv.dll - Trojan-Downloader.Win32.Mufanom.mli ( BitDefender: Gen:Packed.Hiloti.1 )
  2. c:\windows\ehohoxajedec.dll - Trojan-Downloader.Win32.Mufanom.mlj ( BitDefender: Gen:Packed.Hiloti.1, AVAST4: Win32:Malware-gen )
  3. c:\windows\system32\puyubila.dll - Trojan.Win32.Migotrup.nwb