View full version: I've got some new nasties...

james001
11.05.2008, 08:33
take a look see..

kps
11.05.2008, 12:22
Please turn off System Restore (how to do it is explained in the rules).

Then AVZ - File - Custom scripts
Execute the following script (copy it, paste it in the script window of AVZ and execute):

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\Documents and Settings\HP_Owner\Local Settings\Temp\syswcc32.exe','');
DelBHO('{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}');
QuarantineFile('sockins32.dll','');
DelBHO('{796D0543-75A7-444B-BED9-236FBBA5FA72}');
QuarantineFile('C:\WINDOWS\system32\ssqOEWNE.dll', '');
QuarantineFile('C:\WINDOWS\system32\ulplqxjw.dll', '');
QuarantineFile('C:\WINDOWS\system32\sockins32.dll' ,'');
QuarantineFile('C:\WINDOWS\system32\qcntokdn.exe', '');
QuarantineFile('C:\WINDOWS\system32\jnwnw64o.exe', '');
QuarantineFile('C:\WINDOWS\SMINST\RECGUARD.EXE','');
QuarantineFile('C:\WINDOWS\system32\wodUpdSv.exe', '');
QuarantineFile('C:\WINDOWS\b2new.exe','');
QuarantineFile('c:\windows\system32\wodupdsv.exe', '');
DeleteFile('C:\WINDOWS\b2new.exe');
DeleteFile('C:\WINDOWS\system32\jnwnw64o.exe');
DeleteFile('C:\WINDOWS\system32\qcntokdn.exe');
DeleteFile('C:\WINDOWS\system32\sockins32.dll');
DeleteFile('C:\WINDOWS\system32\ulplqxjw.dll');
DeleteFile('C:\WINDOWS\system32\ssqOEWNE.dll');
DeleteFile('sockins32.dll');
DeleteFile('C:\Documents and Settings\HP_Owner\Local Settings\Temp\syswcc32.exe');
DelCLSID('66186F05-BBBB-4a39-864F-72D84615C679');
BC_ImportALL;
ExecuteSysClean;
BC_DeleteSvc('MsSecurity1.209.4');
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.
Upload the quarantined files according to the Appendix 3 of the rules (http://virusinfo.info/showthread.php?t=9184). (upload here: http://virusinfo.info/upload_virus_eng.php?tid=22694 )

Clear your temp folders and the internet cache.
Make new logs.

james001
12.05.2008, 04:39
as requested...

drongo
12.05.2008, 11:00
Much better, but not enough ;)

Fix these lines in HijackThis:

O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: http://www.fighthype.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)

Please make sure to disable your antivirus and firewall (I mean your AVG) and the internet!
Execute the following script in AVZ:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
DelBHO('{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}');
DelBHO('{c900b400-cdfe-11d3-976a-00e02913a9e0}');
QuarantineFile('C:\WINDOWS\system32\wodUpdSv.exe', '');
QuarantineFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\eqdssnp.exe','');
QuarantineFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\syswcc32.exe','');
QuarantineFile('C:\Program Files\webHancer\programs\whiehlpr.dll','');
DeleteFile('C:\Program Files\webHancer\programs\whiehlpr.dll');
DeleteFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\eqdssnp.exe');
DeleteFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\syswcc32.exe');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(11);
ExecuteRepair(17);
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot.
Upload the quarantined files according to the Appendix 3 of the rules. (upload here: http://virusinfo.info/upload_virus_eng.php?tid=22694 )

Clear your temp folders and the internet cache.
Make new logs.

P.S. In the previous quarantine we got from you just a copy of:
C:\Documents and Settings\HP_Owner\Local Settings\Temp\syswcc32.exe - not-a-virus:AdWare.Win32.WebHancer.423 (Kaspersky)
C:\WINDOWS\b2new.exe - Trojan-Downloader.Win32.Agent.otg (Kaspersky)
C:\WINDOWS\system32\sockins32.dll - not-a-virus:AdWare.Win32.BHO.awz (Kaspersky)
Did you forget to disable AVG before executing our script?
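A defender's check for the O15 entries listed above, added here as example code that is not from the forum, AVZ or HijackThis: it enumerates the Internet Explorer ZoneMap "Domains" keys for both the current user and the machine-wide (HKLM) scope, reports every entry mapped to zone 2 (Trusted Sites), and flags any that match the domains from the log, so the fix can be verified after HijackThis has run. The function name and the watch list (taken from the thread's own O15 lines) are assumptions of this example.

```powershell
# Added example: list Internet Explorer Trusted Sites (zone 2) entries from the
# ZoneMap registry keys, in both the per-user (HKCU) and machine-wide (HKLM)
# scope that HijackThis marks as "(HKLM)". Function name is an assumption.
function Get-TrustedZoneEntries {
    $roots = @{
        'HKCU' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
        'HKLM' = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    }
    foreach ($scope in $roots.Keys) {
        $root = $roots[$scope]
        if (-not (Test-Path $root)) { continue }
        # Each domain is a key; an optional child key names one host of that domain.
        # Values are named by protocol ('http', 'https', '*') and hold the zone number.
        Get-ChildItem -Path $root -Recurse | ForEach-Object {
            $key = $_
            $rel = $key.PSPath.Substring($key.PSPath.IndexOf('Domains\') + 8) -split '\\'
            # A bare domain key covers all hosts ("*.domain"); a child key names one host.
            $pattern = if ($rel.Count -eq 1) { "*.$($rel[0])" } else { "$($rel[1]).$($rel[0])" }
            foreach ($prop in $key.GetValueNames()) {
                if ($key.GetValue($prop) -eq 2) {
                    [pscustomobject]@{ Scope = $scope; Pattern = $pattern; Protocol = $prop }
                }
            }
        }
    }
}

# Watch list constructed from the O15 lines in the post above.
$watch = 'amaena.com','avsystemcare.com','fighthype.com','gomyhit.com','imageservr.com',
         'imagesrvr.com','onerateld.com','safetydownload.com','storageguardsoft.com',
         'trustedantivirus.com','virusschlacht.com'

$entries = Get-TrustedZoneEntries
$entries | Format-Table -AutoSize
$suspect = $entries | Where-Object { $p = $_.Pattern; $watch | Where-Object { $p -like "*$_" } }
if ($suspect) { 'Still present in Trusted Sites:'; $suspect | Format-Table -AutoSize }
else { 'No watched domains remain in Trusted Sites.' }
```

On systems with Internet Explorer Enhanced Security Configuration the same layout also exists under ZoneMap\EscDomains; add that root if you are checking a server.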

james001
12.05.2008, 17:32
ok done.. no firewall was active and I was disconnected from the net...

drongo
12.05.2008, 20:37
OK, I see you also have a webHancer infection. There are very nice instructions at
http://www.2-spyware.com/remove-webhancer.html

Did you install C:\Program Files\SKR\BrowserSniffer.dll yourself? It is a keylogger; did you know about it?

james001
12.05.2008, 23:30
No I did not install that or know about it... I do not want a key logger...

drongo
13.05.2008, 12:00
http://www.smartkeystrokerecorder.com/faq.htm#q7
Q. How do I remove Smart Keystroke Recorder from my system?

A. Simply uninstall it by 1) Clicking on Control Panel 2) Click on Add/Remove Programs 3) Choose Smart Keystroke Recorder.

After cleaning, you can make new logs ;)
By the way, why are you still using an administrator account? About 90 percent of malware can't even install in a limited user account. Read more: http://www.microsoft.com/protect/computer/advanced/useraccount.mspx