View full version: Downloader.bf and onlinegames



yotta
12.04.2008, 13:01
Hello
I am getting big trouble with a virus called DOWNLOADER. It changes the date of my PC to 2002, disables my Kaspersky antivirus and creates some files on my hard disk. Here is the description of the virus: http://www.threatexpert.com/report.aspx?uid=3b7e4f3f-2c66-46cc-af95-ecb0b5baff08
I tried many tools to remove this virus but with no success; I even tried the Kaspersky Lab removal tools, with no success too.
I attached the 3 files of the analyses of my system and hope to get an answer very soon.
thank you

Bratez
12.04.2008, 13:39
Fix the following line in HijackThis:

F2 - REG:system.ini: Shell=Explorer.exe taskmger.com
Execute the following script in AVZ:

begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\explorer.exe','');
QuarantineFile('C:\autorun.inf','');
QuarantineFile('C:\WINDOWS\system32\wuauc1t.exe','');
QuarantineFile('C:\WINDOWS\system32\wbsys.dll','');
QuarantineFile('C:\WINDOWS\system32\H@tKeysH@@k.DLL','');
QuarantineFile('taskmger.com','');
QuarantineFile('C:\WINDOWS\system32\drivers\svchast.exe','');
QuarantineFile('C:\WINDOWS\system32\iexplorer.exe','');
DeleteFile('C:\WINDOWS\system32\iexplorer.exe');
DeleteFile('C:\WINDOWS\system32\drivers\svchast.exe');
DeleteFile('C:\WINDOWS\system32\H@tKeysH@@k.DLL');
DeleteFile('C:\autorun.inf');
DeleteFile('C:\explorer.exe');
DeleteFile('D:\autorun.inf');
DeleteFile('D:\explorer.exe');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Upload all quarantined files according to Appendix #3 of Rules using the red link above.

Rene-gad
12.04.2008, 13:46
Pls. fix.

O4 - HKLM\..\Run: [IEXPLORER] C:\WINDOWS\system32\iexplorer.exe
O4 - HKCU\..\Run: [svcshare] C:\WINDOWS\system32\drivers\svchast.exe
Run the script:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('D:\explorer.exe','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('C:\explorer.exe','');
QuarantineFile('C:\WINDOWS\system32\wuauc1t.exe','');
QuarantineFile('C:\autorun.inf','');
QuarantineFile('C:\Documents and Settings\sgc\Bureau\AGLIALFATRON\TRAVAIL\annulation 2007\DBASE.COM','');
QuarantineFile('Explorer.exe taskmger.com','');
QuarantineFile('C:\WINDOWS\system32\drivers\svchast.exe','');
QuarantineFile('C:\WINDOWS\system32\iexplorer.exe','');
TerminateProcessByName('c:\windows\system32\iexplorer.exe');
QuarantineFile('c:\windows\system32\iexplorer.exe','');
DeleteFile('c:\windows\system32\iexplorer.exe');
DeleteFile('C:\WINDOWS\system32\iexplorer.exe');
DeleteFile('C:\WINDOWS\system32\drivers\svchast.exe');
DeleteFile('Explorer.exe taskmger.com');
DeleteFile('C:\autorun.inf');
DeleteFile('C:\WINDOWS\system32\wuauc1t.exe');
DeleteFile('C:\explorer.exe');
DeleteFile('D:\autorun.inf');
DeleteFile('D:\explorer.exe');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Upload the quarantine and make the new logs.
EDIT: My script is larger ;)
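The HijackThis lines the two helpers ask to fix (the F2 "Shell=" entry in Bratez's post, the O4 Run entries here) and the autorun.inf/explorer.exe pairs in the drive roots that both AVZ scripts quarantine are all ordinary persistence points that can be audited read-only before anything is deleted. The following PowerShell script is an added example written for this page; it is not part of the thread, of AVZ or of HijackThis. It assumes an elevated PowerShell session on the machine under review, and the lookalike list and path heuristics in it are illustrative, not an authoritative catalogue.

```powershell
# Added audit example (not from the thread): report the persistence points behind the
# HijackThis F2 (Winlogon Shell) and O4 (Run/RunOnce) lines and the drive-root autoruns.
# Read-only: nothing is quarantined or deleted. Assumes an elevated session.

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, used to spot names that mimic Windows binaries
    # (e.g. "svchast.exe" vs "svchost.exe", "wuauc1t.exe" vs "wuauclt.exe").
    $a = $a.ToLower(); $b = $b.ToLower()
    $d = New-Object 'int[,]' -ArgumentList (($a.Length + 1), ($b.Length + 1))
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                                     $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Illustrative list of system binary names that malware commonly imitates (assumption).
$KnownNames = 'explorer.exe', 'svchost.exe', 'wuauclt.exe', 'iexplore.exe', 'lsass.exe', 'csrss.exe'

function Test-LogonShell {
    # HijackThis "F2 - REG:system.ini: Shell=" maps to this Winlogon value. A clean system
    # holds exactly "explorer.exe"; a second token (the thread's "Explorer.exe taskmger.com")
    # is an extra program started at every logon.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if (-not $shell) { $shell = '<not set>' }
    [pscustomobject]@{
        Item   = 'Winlogon Shell'
        Value  = $shell
        Status = $(if ($shell.Trim() -ieq 'explorer.exe') { 'ok' } else { 'SUSPICIOUS: extra shell token' })
    }
}

function Get-RunKeyEntries {
    # HijackThis "O4 - HKLM\..\Run" / "O4 - HKCU\..\Run" are the values under these keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not an autostart value
            $cmd = [string]$p.Value
            # First token (quoted or bare) is the executable; the rest are arguments.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $reasons = @()
            if (-not (Test-Path -LiteralPath $exe)) { $reasons += 'file missing' }
            elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { $reasons += 'no valid signature' }
            if ($exe -match '(?i)\\system32\\drivers\\[^\\]+\.exe$') { $reasons += 'executable inside drivers\' }
            $name = [IO.Path]::GetFileName($exe)
            foreach ($k in $KnownNames) {
                if ($name -ine $k -and (Get-EditDistance $name $k) -le 1) { $reasons += "lookalike of $k" }
            }
            [pscustomobject]@{
                Item   = "O4 $key [$($p.Name)]"
                Value  = $cmd
                Status = $(if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join ', ') } else { 'ok' })
            }
        }
    }
}

function Get-DriveRootAutoruns {
    # Worms drop autorun.inf plus a copy of themselves in every drive root so that
    # opening the drive relaunches them; these are the files both AVZ scripts target.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        foreach ($name in 'autorun.inf', 'explorer.exe') {
            $path = Join-Path $drive.Root $name
            if (Test-Path -LiteralPath $path) {
                [pscustomobject]@{ Item = 'Drive root'; Value = $path; Status = 'SUSPICIOUS: autorun file' }
            }
        }
    }
}

@(Test-LogonShell) + @(Get-RunKeyEntries) + @(Get-DriveRootAutoruns) | Format-Table -AutoSize -Wrap
```

The output is a table with one row per persistence point; only the rows marked SUSPICIOUS need a closer look, and the reasons column says why (missing file, no signature, an .exe in the drivers folder, or a one-character twist on a system binary's name). The edit-distance check is what catches the thread's svchast.exe and wuauc1t.exe without listing them by name.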

yotta
12.04.2008, 13:55
Please, can you tell me how to fix those lines?
thank you

Rene-gad
12.04.2008, 14:02
> Please, can you tell me how to fix those lines?

http://virusinfo.info/showthread.php?t=9206

yotta
12.04.2008, 14:07
O4 - HKLM\..\Run: [IEXPLORER] C:\WINDOWS\system32\iexplorer.exe
O4 - HKCU\..\Run: [svcshare] C:\WINDOWS\system32\drivers\svchast.exe

O4 is for which service?

Rene-gad
12.04.2008, 14:21
> O4 is for which service?

Do it, pls. You have a full box of malware. Here every second counts. We can answer all the questions later.

yotta
12.04.2008, 15:12
Hope that will help.
thank you

yotta
12.04.2008, 15:14
When I executed your script, all applications stopped working. Is that normal?

Bratez
12.04.2008, 15:27
Try to run AVZ by right-clicking it and selecting "Run As...".
If it works, execute the following script:

begin
ExecuteRepair(1);
ExecuteRepair(6);
ExecuteRepair(9);
RebootWindows(true);
end.

yotta
12.04.2008, 16:46
Problem solved...
thank you very much

Bratez
12.04.2008, 16:54
The job is not completed.
Please upload your quarantine and make a new set of log files.