Worm.Win32.Mabezat.b infection

[jeewan]

The Worm.Win32.Mabezat.b worm has infected all my hard drives and shows low disk space. It delays the opening of the programs.

Please provide suggestions regarding its proper cleaning.

[Rene-gad]

Hello,
could you tell us: what do you have on the disks D:\, E:\ and F:\? It looks to be the thousands of infected files?! Try to heal them with CureIt: http://www.freedrweb.com/cureit/?lng=en

Remove Download Accelerator Plus (DAP) - it contains spyware.

Close/disable all the applications excluded AVZ and Internet Explorer.

- Disconnect your PC from network (internet/intranet)
- Disable antivirus, firewall and other memory resident security tools
- Disable System Restore

-Fix with Hijackthis

Код:

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\3.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\3.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-70D84274.EXE

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 DeleteService('MyWebSearchService');
 BC_DeleteSvc('MyWebSearchService');
 DelBHO('{00A6FAF6-072E-44cf-8957-5838F569A31D}');
 DelBHO('{07B18EA9-A523-4961-B6BB-170DE4475CCA}');
 DelBHO('{07B18EA1-A523-4961-B6BB-170DE4475CCA}');
 DelBHO('{00A6FAF1-072E-44cf-8957-5838F569A31D}');
 QuarantineFile('C:\Program Files\Perfect Optimizer\License.dll','');
 QuarantineFile('C:\zpharaoh.exe','');
 QuarantineFile('G:\zPharaoh.exe','');
 QuarantineFile('G:\autorun.inf','');
 QuarantineFile('F:\zPharaoh.exe','');
 QuarantineFile('F:\autorun.inf','');
 QuarantineFile('E:\zPharaoh.exe','');
 QuarantineFile('E:\autorun.inf','');
 QuarantineFile('D:\zPharaoh.exe','');
 QuarantineFile('D:\autorun.inf','');
 DeleteFile('C:\zpharaoh.exe');
 DeleteFile('G:\zPharaoh.exe');
 DeleteFile('G:\autorun.inf');
 DeleteFile('F:\zPharaoh.exe');
 DeleteFile('F:\autorun.inf');
 DeleteFile('E:\zPharaoh.exe');
 DeleteFile('E:\autorun.inf');
 DeleteFile('D:\zPharaoh.exe');
 DeleteFile('D:\autorun.inf');
 DeleteFileMask('C:\Program Files\MyWebSearch\','*.*',true);
 DeleteDirectory('C:\Program Files\MyWebSearch\');
end.
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

If the system after reboot would try to install any unknown hardware, abort the installtion and remove unknown hardware over hardware manager

After reboot:

execute following script

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Make new logs and attach them to the new posting.