[SIZE=3][FONT=Times New Roman]Please advise me![/FONT][/SIZE]
Please execute this script in AVZ (remember to disable antivirus and internet before launching AVZ):
[code]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7}');
DelBHO('{A20854FD-DDB5-4931-8F76-D11EA2364D94}');
QuarantineFile('C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll','');
QuarantineFile('C:\Program Files\Datecs\FlexType 2K\FType2K.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\synsenddrv.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\yndcztryetwwpq.sys','');
QuarantineFile('C:\Program Files\Norton2009Reset.exe','');
TerminateProcessByName('c:\windows\system32\rundll.exe');
QuarantineFile('c:\windows\system32\rundll.exe','');
DeleteFile('c:\windows\system32\rundll.exe');
DeleteFile('C:\WINDOWS\system32\drivers\yndcztryetwwpq.sys');
DeleteFile('C:\WINDOWS\system32\drivers\synsenddrv.sys');
DeleteFile('C:\Program Files\Mario Forever Toolbar\v3.2.0.0\MarioForever_Toolbar.dll');
BC_DeleteSvc('synsend');
BC_DeleteSvc('srcedtbgg');
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(16);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.
[/code]The system will reboot.
Please upload the quarantine according to Appendix 3 of the rules ([URL]http://virusinfo.info/showthread.php?t=9184[/URL]).
Make another set of logs.
Update Windows to SP3 and the latest patches; update Adobe Reader or uninstall it and use an alternative.
Nowadays, using FlashGet is dangerous too: on their official update site, trojans were distributed to all their customers :)
[SIZE=3][FONT=Times New Roman]Could you give me confirmation that [FONT=Courier New]FType2K.exe has malicious code?[/FONT][/FONT][/SIZE]
[quote=ikostov;377615][SIZE=3][FONT=Times New Roman]Could you give me confirmation that [FONT=Courier New]FType2K.exe has malicious code?[/FONT][/FONT][/SIZE][/quote]
When we get an answer from the lab, we shall inform you.
For now, I can say it needs newdll.dll to run.
And newdll.dll acts like a keylogger; we would like to see it. Keylogger ability can be used in various friendly programs, but if you can live without programs that use this kind of technology, it is much safer in my opinion.
Because, if this program becomes too popular, bad guys can use the "friendly" keylogger and may create some little application in order to get information from the friendly keylogger (that you trust).
Advantages to bad guys:
* no need to write and install a keylogger on the victim (it is already installed by the user)
* better ability to hide from antivirus/HIPS (because their application will not do any suspicious things, as a keylogger itself would)
Here is a script to copy it:
[code]begin
clearquarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\newdll.dll','');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.[/code]Upload via [URL]http://virusinfo.info/upload_virus_eng.php?tid=42427[/URL]
This is a known issue.
Thank you for everything!