I am unable to delete a file that is infected with "rootkit.win32.pakes.zo removal".
I have attached the log files.
Please help
Last edited by Laurencs; 31.05.2010 at 19:44.
Download the latest version of AVPTool: http://ftp.kaspersky.com/devbuilds/AVPTool/.
Close/unload all programs except AVZ and Internet Explorer.
Switch off:
- Antivirus and, if you have one, Firewall.
- System Restore
- Execute the following script in Manual Healing
Code:
begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  StopService('Passthru');
  StopService('MyWebSearchService');
  StopService('cblyefry');
  StopService('buoiajryeeyina');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','Startup');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','or4VRheh1aqLTOEeQEbGuXcOEf');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','MyWebSearch Email Plugin');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','MSWUpdate');
  RegKeyParamDel('HKEY_USERS','S-1-5-21-842925246-1844237615-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Corp');
  RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','jasuru');
  RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','jasuru');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','WinSVC');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','svchost32');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','SuIaOfBkW1FndOp');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','MyWebSearch Email Plugin');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','My Web Search Bar Search Scope Monitor');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','MSWUpdate');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Windows Network');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Microsoft Corp');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','jykuzif');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','jasuru');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','Microsoft Corp');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg','DLLName');
  QuarantineFile('Explorer.exe C:\Documents and Settings\David1\Application Data\lsass.exe','');
  QuarantineFile('C:\WINDOWS\WinSVC.exe','');
  QuarantineFile('C:\WINDOWS\system32\wono.exe','');
  QuarantineFile('C:\WINDOWS\system32\vydoha.exe','');
  QuarantineFile('C:\WINDOWS\system32\rupywer.exe','');
  QuarantineFile('C:\WINDOWS\system32\DRIVERS\ndisvvan.sys','');
  QuarantineFile('C:\WINDOWS\System32\Drivers\cblyefry.sys','');
  QuarantineFile('C:\WINDOWS\system32\Drivers\cblyefry.sys','');
  QuarantineFile('C:\WINDOWS\raidhost.exe','');
  QuarantineFile('C:\WINDOWS\Egezib.exe','');
  QuarantineFile('C:\SYSTEMFILES\x-f-324553-12314-3344-1\ise32.exe','');
  QuarantineFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe','');
  QuarantineFile('C:\Documents and Settings\LocalService\Application Data\Microsoft\wono.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\svchosts.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\svchost32.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\Microsoft\svchost.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\lsass.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\IvDUA.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\Driver.exe','');
  QuarantineFile('C:\Documents and Settings\David1\Application Data\bywsf.exe','');
  QuarantineFile('C:\Documents and Settings\All Users\Documents\Settings\cbss.dll','');
  DeleteService('Passthru');
  DeleteService('MyWebSearchService');
  DeleteService('cblyefry');
  DeleteService('buoiajryeeyina');
  DeleteFile('Explorer.exe C:\Documents and Settings\David1\Application Data\lsass.exe');
  DeleteFile('C:\WINDOWS\WinSVC.exe');
  DeleteFile('C:\windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
  DeleteFile('C:\WINDOWS\system32\wono.exe');
  DeleteFile('C:\WINDOWS\system32\vydoha.exe');
  DeleteFile('C:\WINDOWS\system32\rupywer.exe');
  DeleteFile('C:\WINDOWS\system32\DRIVERS\ndisvvan.sys');
  DeleteFile('C:\WINDOWS\system32\Drivers\cblyefry.sys');
  DeleteFile('C:\WINDOWS\System32\Drivers\cblyefry.sys');
  DeleteFile('C:\WINDOWS\raidhost.exe');
  DeleteFile('C:\WINDOWS\Egezib.exe');
  DeleteFile('C:\SYSTEMFILES\x-f-324553-12314-3344-1\ise32.exe');
  DeleteFile('C:\Program Files\MyWebSearch\bar\1.bin\MWSSRCAS.DLL');
  DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe');
  DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe');
  DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe');
  DeleteFile('C:\Documents and Settings\LocalService\Application Data\Microsoft\wono.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\svchosts.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\svchost32.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\Microsoft\svchost.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\lsass.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\IvDUA.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\Driver.exe');
  DeleteFile('C:\Documents and Settings\David1\Application Data\bywsf.exe');
  DeleteFile('C:\Documents and Settings\All Users\Documents\Settings\cbss.dll');
  DelBHO('{00A6FAF6-072E-44cf-8957-5838F569A31D}');
  BC_DeleteSvc('Passthru');
  BC_DeleteSvc('MyWebSearchService');
  BC_DeleteSvc('cblyefry');
  BC_DeleteSvc('buoiajryeeyina');
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.
After reboot:
- Execute the following script in Manual Healing
Code:
begin
  CreateQurantineArchive('C:\quarantine.zip');
end.
- Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=79825
- Make a new log file.
- Attach the new log to your new post.
The link to http://ftp.kaspersky.com/devbuilds/AVPTool/ does not appear to be working at the moment. I will try again later. In the meantime I did a scan with the current version of the AVP tool that I have and I have attached the log file.
This link is OK: http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
It makes no sense to try to heal a system with such an obsolete tool.
- Execute the following script in Manual Healing
Code:
begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  StopService('fej8221');
  StopService('cgld4b3');
  StopService('cblyefry');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Drivers');
  RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg','DLLName');
  RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}');
  RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}');
  DeleteService('fej8221');
  DeleteService('cgld4b3');
  DeleteService('cblyefry');
  DeleteFile('Drivers.exe');
  DeleteFile('cblyefry.sys');
  DeleteFile('C:\WINDOWS\System32\drivers\fej8221.sys');
  DeleteFile('C:\WINDOWS\System32\drivers\cgld4b3.sys');
  DeleteFile('C:\SYSTEMFILES\x-f-324553-12314-3344-1\ise32.exe');
  DeleteFileMask('C:\Program Files\MyWebSearch\','*.*',true);
  DeleteDirectory('C:\Program Files\MyWebSearch\');
  DeleteFile('C:\Documents and Settings\David1\Application Data\bywsf.exe');
  DeleteFile('C:\Documents and Settings\All Users\Documents\Settings\cbss.dll');
  DelCLSID('{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612} ');
  BC_DeleteSvc('fej8221');
  BC_DeleteSvc('cgld4b3');
  BC_DeleteSvc('cblyefry');
  BC_ImportAll;
  ExecuteSysClean;
  BC_Activate;
  RebootWindows(true);
end.
After reboot:
- Make a new log file.
- Attach the new log to your new post.
Last edited by Rene-gad; 01.06.2010 at 15:31. Reason: Added
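Both healing scripts in this thread act on the same kinds of objects: services, autorun registry values and files, several of which carry system-binary names (lsass.exe, svchost.exe) under a user's Application Data folder. The following is an added example, not from the thread and not AVZ's own tooling: a small Python parser that extracts those indicators from an AVZ script and flags files that borrow a Windows system binary's name outside the system directories. It assumes AVZ's statement form, one call per statement with single-quoted string arguments; the embedded script is a constructed excerpt modelled on the ones above.

```python
"""Pull indicators out of an AVZ healing script and flag suspicious paths (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in AVZ script syntax, modelled on the thread's scripts.
AVZ_SCRIPT = r"""
begin
 StopService('cblyefry');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','svchost32');
 QuarantineFile('C:\WINDOWS\System32\Drivers\cblyefry.sys','');
 QuarantineFile('C:\Documents and Settings\David1\Application Data\lsass.exe','');
 DeleteFile('C:\Documents and Settings\David1\Application Data\Microsoft\svchost.exe');
 DeleteService('cblyefry');
 RebootWindows(true);
end.
"""

# One AVZ call looks like Name('arg1','arg2'); arguments are single-quoted strings.
CALL_RE = re.compile(r"(\w+)\(([^)]*)\)\s*;")
ARG_RE = re.compile(r"'([^']*)'")

# Names of Windows system binaries that the malware in this thread impersonated.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "explorer.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def parse_avz(script):
    """Map each AVZ function name to the list of argument lists it was called with."""
    calls = defaultdict(list)
    for name, raw_args in CALL_RE.findall(script):
        calls[name].append(ARG_RE.findall(raw_args))
    return calls

def indicators(script):
    """Collect the files, services and registry values the script acts on."""
    calls = parse_avz(script)
    files = sorted({a[0] for f in ("QuarantineFile", "DeleteFile") for a in calls[f]})
    svcs = sorted({a[0] for f in ("StopService", "DeleteService", "BC_DeleteSvc")
                   for a in calls[f]})
    regvals = sorted("\\".join(a) for a in calls["RegKeyParamDel"])
    return {"files": files, "services": svcs, "registry": regvals}

def suspicious_paths(paths):
    """Flag files that borrow a system binary's name but sit outside the
    Windows system directories, e.g. lsass.exe under Application Data."""
    flagged = []
    for p in paths:
        low = p.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
            flagged.append(p)
    return flagged
```

Feeding it the full scripts from the thread gives a deduplicated list of paths, services and Run values that a responder can compare against the AVZ log before approving the script.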
Statistics of the treatment performed:
- Quarantine archives received: 1
- Files processed: 55
- Malware detected during the treatment:
- c:\documents and settings\all users\documents\settings\cbss.dll - Trojan-Downloader.Win32.Piker.cju ( DrWEB: Trojan.Packed.20343, BitDefender: Backdoor.Generic.369467, AVAST4: Win32:Rootkit-gen [Rtk] )
- c:\documents and settings\david1\application data\bywsf.exe - Trojan.Win32.Gibi.ay ( DrWEB: Win32.HLLW.Lime.18, BitDefender: Backdoor.Generic.349144, AVAST4: Win32:Malware-gen )
- c:\documents and settings\david1\application data\driver.exe - HEUR:Trojan.Win32.Generic ( DrWEB: Trojan.Packed.20353 )
- c:\documents and settings\david1\application data\microsoft\svchost.exe - Worm.Win32.VBNA.b ( BitDefender: Gen:Variant.Palevo.2 )
- c:\documents and settings\david1\application data\svchosts.exe - Trojan.Win32.Scar.cfxl ( AVAST4: Win32:VB-OXI [Drp] )
- c:\documents and settings\david1\application data\svchost32.exe - Worm.Win32.VBNA.b ( BitDefender: Worm.Generic.239541, AVAST4: Win32:Trojan-gen )
- c:\documents and settings\localservice\application data\microsoft\wono.exe - Trojan-Dropper.Win32.Vidro.aoz ( DrWEB: Trojan.WinSpy.711, BitDefender: Gen:Variant.Zbot.7, AVAST4: Win32:Bamital-T [Drp] )
- c:\systemfiles\x-f-324553-12314-3344-1\ise32.exe - Worm.Win32.VBNA.b ( BitDefender: Worm.Generic.239541, AVAST4: Win32:Trojan-gen )
- c:\windows\egezib.exe - Trojan-Downloader.Win32.FraudLoad.gsb ( DrWEB: Trojan.DownLoad1.55745, BitDefender: Trojan.FakeAlert.CBH, AVAST4: Win32:MalOb-AP [Cryp] )
- c:\windows\system32\vydoha.exe - Trojan-Dropper.Win32.Vidro.aoy ( DrWEB: Trojan.WinSpy.818, BitDefender: Gen:Variant.Zbot.7, AVAST4: Win32:Bamital-T [Drp] )
- c:\windows\system32\wono.exe - Trojan-Dropper.Win32.Vidro.aoy ( DrWEB: Trojan.WinSpy.818, BitDefender: Gen:Variant.Zbot.7, AVAST4: Win32:Bamital-T [Drp] )
- c:\windows\winsvc.exe - Worm.Win32.VBNA.b ( DrWEB: Trojan.Packed.20346 )