IE Antivirus,Worm NetBooster,AntiMalWareGuard,Doctor

Printable View

27.09.2008, 14:09
Vagon

IE Antivirus,Worm NetBooster,AntiMalWareGuard,Doctor

Drug poimal virusi.Avira mol4it...O4en zatrudnaut rabotu i o4en meshaut.V tree VIRUS ALERT.
Explorer avtomatom otkrivaet levie saiti...
Control Panel zablokirovana.
27.09.2008, 14:19
Гриша

[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]

[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
TerminateProcessByName('c:\program files\virusremover2008\vrm2008.exe');
TerminateProcessByName('c:\program files\common files\system doctor\dcmon.exe');
QuarantineFile('C:\WINDOWS\exwf.exe','');
QuarantineFile('C:\Program Files\VirusRemover2008\VRM2008.exe','');
QuarantineFile('C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W56Z85M7\installdrivecleanerstart[1].exe','');
QuarantineFile('C:\Documents and Settings\user\Local Settings\Temp\installdrivecleanerstart.exe','');
QuarantineFile('c:\windows\onfwbsak.dll','');
QuarantineFile('c:\program files\virusremover2008\vrm2008.exe','');
DelBHO('{BAB8F6DC-41B1-440F-A066-AAC224906880}');
DelBHO('{AC971803-E51C-44B1-9AF2-1B6B363BAF6D}');
QuarantineFile('C:\WINDOWS\system32\hgGwTnml.dll','');
DelBHO('{33AC7D18-DC35-4D1A-940E-AFD5FC5C3327}');
DelBHO('{129D532E-E2EC-4527-B4BA-4626830EFE18}');
QuarantineFile('C:\WINDOWS\system32\uxagp.exe','');
QuarantineFile('C:\WINDOWS\system32\dw.exe','');
QuarantineFile('C:\WINDOWS\system32\qfvrdecs.dll','');
QuarantineFile('C:\WINDOWS\system32\lphcv9mj0e3bc.exe','');
QuarantineFile('C:\WINDOWS\system32\awtuuTli.dll','');
QuarantineFile('C:\WINDOWS\rwlfsdmk.dll','');
QuarantineFile('C:\WINDOWS\peltodgx.dll','');
QuarantineFile('C:\WINDOWS\onfwbsak.dll','');
QuarantineFile('C:\WINDOWS\dfmlxbpkbkl.dll','');
QuarantineFile('C:\Program Files\IEAntiVirus\ANTIVIRUS.exe','');
QuarantineFile('c:\program files\common files\drivecleaner freeware\dcsm.exe','');
QuarantineFile('c:\program files\common files\system doctor\dcmon.exe','');
QuarantineFile('c:\program files\antimalwareguard\amg.exe','');
TerminateProcessByName('c:\program files\antimalwareguard\amg.exe');
QuarantineFile('c:\program files\ieantivirus\antivirus.exe','');
TerminateProcessByName('c:\program files\ieantivirus\antivirus.exe');
DeleteFile('c:\program files\ieantivirus\antivirus.exe');
DeleteFile('c:\program files\antimalwareguard\amg.exe');
DeleteFile('C:\Program Files\IEAntiVirus\ANTIVIRUS.exe');
DeleteFile('C:\WINDOWS\dfmlxbpkbkl.dll');
DeleteFile('C:\WINDOWS\onfwbsak.dll');
DeleteFile('C:\WINDOWS\peltodgx.dll');
DeleteFile('C:\WINDOWS\rwlfsdmk.dll');
DeleteFile('C:\WINDOWS\system32\awtuuTli.dll');
DeleteFile('C:\WINDOWS\system32\lphcv9mj0e3bc.exe');
DeleteFile('C:\WINDOWS\system32\qfvrdecs.dll');
DeleteFile('C:\WINDOWS\system32\blphcv9mj0e3bc.scr');
DeleteFile('C:\WINDOWS\system32\dw.exe');
DeleteFile('C:\WINDOWS\system32\uxagp.exe');
DeleteFile('awtuuTli.dll');
DeleteFile('C:\WINDOWS\system32\hgGwTnml.dll');
DeleteFile('c:\program files\virusremover2008\vrm2008.exe');
DeleteFile('c:\windows\onfwbsak.dll');
DeleteFile('C:\Documents and Settings\user\Local Settings\Temp\installdrivecleanerstart.exe');
DeleteFile('C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\W56Z85M7\installdrivecleanerstart[1].exe');
DeleteFile('C:\Program Files\VirusRemover2008\VRM2008.exe');
DeleteFile('C:\WINDOWS\exwf.exe');
DeleteFile('c:\program files\common files\drivecleaner freeware\dcsm.exe');
DeleteFile('c:\program files\common files\system doctor\dcmon.exe');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(5 );
ExecuteRepair(6 );
ExecuteRepair(11 );
ExecuteRepair(17 );
RebootWindows(true);
end.[/CODE]

AVZ => Файл => Мастер поиска и устранения проблем. Категория проблемы - поставьте "Системные проблемы", степень опасности - "Все проблемы". Нажмите "Пуск". Всё найденное следует пометить и пофиксить. Данную операцию повторить для категории "Настройки и твики браузера".

Пришлите карантин по правилам и повторите логи...
27.09.2008, 14:27
Vagon

pri vipolnenii skripta skazalo Error...
Disk C: tak i ne poyavilsa,no Hijack govorit,4to on est.
A poka ya vipolnu ostalnie vashi rekomendacii
27.09.2008, 14:29
Гриша

Что за ошибка? скрипт правильный...
27.09.2008, 14:31
Vagon

Файл сохранён как 080927_052949_quarantine_48de0b1d5db76.zip
Размер файла 855101
MD5 fc7edf2237500543cdf11bd6daf38ca4

Disk C: est,Control Panel - otsutstvuet
27.09.2008, 14:35
Гриша

Логи повторите...
27.09.2008, 14:37
Vagon

AVZ => Файл => Мастер поиска и устранения проблем. Категория проблемы - поставьте "Системные проблемы", степень опасности - "Все проблемы". Нажмите "Пуск". Всё найденное следует пометить и пофиксить. Данную операцию повторить для категории "Настройки и твики браузера".
A kak na angliiskom budet???
Ne uspel pro4itat 4to imenno,no pisalos,4to script errors,no vipolnilo.
V tree do six por VIRUS ALERT!C desktopa iz4ezla zastavka reklami-musora
27.09.2008, 14:44
Гриша

Запустите AVZ так:

avz.exe /lang=ru

Должна стать на русском...
27.09.2008, 15:02
Vagon

Antivirus XP 2008,Error Cleaner,Spyware&Malware Protection i VIRUS ALERT! v tree toje udalite;)
Tut vinda ne podderjivaet russkii.
4to s karantinom???
Doctor kakoi-to pri zagruzke vindi dostal,udalite ego toje.
27.09.2008, 15:37
Гриша

Восстановление отключить!

[URL="http://virusinfo.info/showthread.php?t=4491"]Пофиксить[/URL]

[CODE]R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O2 - BHO: (no name) - {33AC7D18-DC35-4D1A-940E-AFD5FC5C3327} - C:\WINDOWS\system32\awtuuTli.dll (file missing)
O2 - BHO: (no name) - {E4AC8494-547C-4B22-B09C-028B3AEA2E57} - C:\WINDOWS\system32\hgGwTnml.dll (file missing)
O4 - HKLM\..\Run: [SalesMonitor] "C:\Program Files\Common Files\Antimalwareguard\smamg.exe" dm=http://antimalwareguard.com;http://antimalwareguardpro.com;http://antimalwaremasterpro.com;http://malwarecrash.com;http://malwarecrashpro.com ad=http://antimalwareguard.com;http://antimalwareguardpro.com;http://antimalwaremasterpro.com;http://malwarecrash.com;http://malwarecrashpro.com sd=http://instlog.antimalwareguard.com/
O4 - HKLM\..\Run: [System Doctor Free] C:\Program Files\System Doctor Free\systemdoc.exe -scan
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [DriveCleaner Freeware] "C:\Program Files\DriveCleaner Freeware\UDC.exe" /min
O4 - HKLM\..\Run: [UDC6_cw] "C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe" -c
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
O20 - Winlogon Notify: awtuuTli - C:\WINDOWS\
O21 - SSODL: onfwbsak - {0F43C54B-A23D-421C-94E4-3B41A6E0591A} - (no file)[/CODE]

[URL="http://virusinfo.info/showthread.php?t=7239"]AVZ, меню "Файл - Выполнить скрипт" -- Скопировать ниже написанный скрипт-- Нажать кнопку "Запустить".[/URL]

[CODE]begin
ClearQuarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\vsnp325.exe','');
QuarantineFile('C:\WINDOWS\tsnp325.exe','');
TerminateProcessByName('c:\program files\drivecleaner freeware\udc.exe');
TerminateProcessByName('c:\program files\system doctor free\systemdoc.exe');
DeleteFile('c:\program files\system doctor free\systemdoc.exe');
DeleteFile('c:\program files\drivecleaner freeware\udc.exe');
DeleteFile('C:\Program Files\DriveCleaner Freeware\UDC.exe');
DeleteFile('C:\Program Files\DriveCleaner Freeware\UDC6_cw.exe');
DeleteFile('C:\Program Files\System Doctor Free\systemdoc.exe');
DeleteFile('C:\WINDOWS\Downloaded Program Files\popcaploader.dll');
DeleteFile('C:\System Volume Information\_restore{68ED8B4C-DC05-4D25-81D0-EF3DA91712F4}\RP3\A0001042.exe');
DeleteFile('C:\System Volume Information\_restore{68ED8B4C-DC05-4D25-81D0-EF3DA91712F4}\RP3\A0001041.exe');
DeleteFile('C:\System Volume Information\_restore{68ED8B4C-DC05-4D25-81D0-EF3DA91712F4}\RP3\A0001034.dll');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]

Карантин прислать, логи повторить...
27.09.2008, 15:55
Vagon

System vosstanovlenie virubil i sdelal logi po novoi kak sleduet;)
27.09.2008, 16:00
Гриша

Выполните проверку CureIT и повторите логи...
27.09.2008, 16:34
Vagon

CureIT nashel i udalil Trojan.FakeAlert.623,no problemi ostalis
27.09.2008, 17:29
Vagon

logi
27.09.2008, 17:45
V_Bond

пофиксите
[code]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R3 - URLSearchHook: SrchHook Class - {F4F10C1D-87C7-404A-B4B3-000000000000} - C:\PROGRA~1\DAP\SBSearch.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.26\ShoppingReport.dll (file missing)
[/code]
выполните скрипт
[code]
begin
RegKeyStrParamWrite('HKCU','Control Panel\International','sTimeFormat','H:mm:ss');
RebootWindows(true);
end.
[/code]