# Forum in English  > Malware Removal Service  >  malware?

## gaianorm

Hi! Since 2 days i have some prolem with strange IE windows popup... I've tried with SpyBot S&D without  success (SB found virtumonde and something else , but can't succefully remove them!)
I tried also wiht other tools, finally with Karspersky Virus removal Tool...so here is my LOGCHECK.
Tanks in advance
G.

----------


## Rene-gad

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore

- Execute following script


```
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\hohazoye.dll','');
 QuarantineFile('c:\windows\system32\yoguyutu.dll','');
 QuarantineFile('C:\WINDOWS\system32\yojapuye.dll','');
 DelBHO('{955ce192-9e04-44cc-b186-e670b12b24b0}');
 QuarantineFile('C:\WINDOWS\system32\fitozeba.dll','');
 QuarantineFile('C:\WINDOWS\system32\refeyeka.dll','');
 QuarantineFile('c:\windows\system32\watekoda.dll','');
 DeleteFile('c:\windows\system32\watekoda.dll');
 DeleteFile('C:\WINDOWS\system32\refeyeka.dll');
 Deleteservice('bonjour service');
 DeleteFile('c:\programmi\bonjour\mdnsresponder.exe');
 DeleteFile('C:\WINDOWS\system32\fitozeba.dll');
 DeleteFile('C:\WINDOWS\system32\yojapuye.dll');
 DeleteFile('c:\windows\system32\yoguyutu.dll');
 DeleteFile('C:\WINDOWS\system32\hohazoye.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
```

After reboot:
- Clean Temp-Maps, Cache of Browsers, Recycler.  Use Windows service tool cleanmgr  or CCleaner or ClearProg
- Close all the programs and start only Internet Explorer!!!
- Repeat 3 log files in accordance with the rules. 
- Switch Antivirus and, if you have - Firewall, on.
- Go On-Line
- Upload the quarantine over the link *Upload quarantined files* on the top of this page.
- Attach 3 logs to your new post..

----------


## gaianorm

Hi! I did what you said....http://virusinfo.info/showthread.php?t=35953
so here is my new 3 logs.
Quarantine files already uploaded!

Thank you so much
G.

----------


## Rene-gad

-Fix


```
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
```

 Reboot the system, update the database of AVZ and repeat the log virusinfo_syscheck.zip and hijackthis.log

----------


## gaianorm

So here are my new log files (sorry...friday i forgot to update avz4 database)


Thank you 
G.

----------


## Rene-gad

Your logs are without signs of malware now. You'd like to let only one Antivirus Solution - either ESET or Comodo- and update Java RE (the last version is 1.6_11).

----------


## gaianorm

But i use Comodo only like Firewall and Nod32 for Antivirus...is not correct? Do you think is better to use only one solution??
Bye
G.

*Добавлено через 51 минуту*

Ehm...maybe is nothing but Nod32 has locked and erased the follow file:
\system32\yojapuye.dll_old	Win32/Agent.OOY trojan horse.
solved during an attempt to access files  C:\Programmi\Mozilla Thunderbird\thunderbird.exe.
Uh?
Bye 
G.

edit:
Nod 32 full scan has also  fixed the follow malware problem:

C:\WINDOWS\system32\kizosewa.dll - Win32/Agent.OOY trojan horse - 
C:\WINDOWS\system32\sovetayu.dll_old - una variante di Win32/Adware.Virtumonde.NDM

----------


## Rene-gad

> But i use Comodo only like Firewall and Nod32 for Antivirus...is not correct?


I cannot see your settings for Comodo, but it's a Suite and includes as well as AV and FW-solutions.

yojapuye.dll - is a trojan horse, but yojapuye.dll_old is a renamed file, which not dangerous itself, but includes a malware signature. TIW ist's OK that it was been removed.

----------

