HEUR:Worm.Win32.Generic

Printable View

15.11.2009, 01:16
Terry Jennings

HEUR:Worm.Win32.Generic

I have followed your instructions on the 'things to do before posting a new thread' and attached are the log files requested from the suggested programmes. PLease advise how to remove the above virus as I have scanned my computer several times with Kaspersky several times and the version on my computer doesnt seem to remove it altho this version is still in its annual subscription until May 2010. PLease helP!!
15.11.2009, 11:24
Rene-gad

Hello,

- Update AVZ-Database (File/Database Update)
- If you hadn't install WildTangent yourself - remove it!
- Remove Ad-Aware - it's a useless program.

Switch off/Disable:
- Antivirus and and, if you have - Firewall.
- System Restore

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
StopService('ddxgb');
QuarantineFile('ekbsqhimir.exe','');
QuarantineFile('D:\MiniNT\system32\RASMAN.DLL','');
QuarantineFile('D:\autorun.inf','');
QuarantineFile('C:\WINDOWS\system32\Drivers\ps6agqwb.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\pe3agqwb.sys','');
QuarantineFile('c:\windows\system\hpsysdrv.exe','');
QuarantineFile('C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ddxgb.sys','');
DeleteService('ddxgb');
DeleteFile('ekbsqhimir.exe');
DeleteFile('C:\WINDOWS\ekbsqhimir.exe');
DeleteFile('C:\WINDOWS\system32\ekbsqhimir.exe');
DeleteFile('C:\WINDOWS\system32\Drivers\ps6agqwb.sys');
DeleteFile('C:\WINDOWS\system32\Drivers\pe3agqwb.sys');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe');
DeleteFile('C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\ddxgb.sys');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunServices','Windows Recylinder Check');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','MyWebSearch Email Plugin');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','My Web Search Bar Search Scope Monitor');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
BC_DeleteSvc('ddxgb');
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]

After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL]
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]

- Remove [URL="http://virusinfo.info/showthread.php?t=42263"]Bonjour[/URL]
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool [URL="http://support.microsoft.com/?scid=kb%3Ben-us%3B315246&x=17&y=6"]cleanmgr[/URL] or [URL="http://www.ccleaner.com/"]CCleaner[/URL] or [URL="http://www.clearprog.de/"]ClearProg[/URL]
- Upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.
- Make 3 logs (syscure, syscheck, hijackthis). AVPTool log isn't necessary in such case.
15.11.2009, 15:47
Terry Jennings

Complete

Many thanks for the help. I have followed your instructions and uploaded the quarantine.zip file.
Also I have run AVZ and Hijack thisa again and attached the log files as asked.
Is this all I need to do now.

If so many thanks and fingers crossed!!!

Terry
15.11.2009, 19:57
Rene-gad

Hello,
AVZ/File/Quarantine folder viewer.
Mark the files:
[CODE]ps6agqwb.sys
pe3agqwb.sys[/CODE]
and press Restore-Button.

Pls. download Mbam: [url]http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button[/url], install the application, update database (runs normally just after the installation), make FULL SCAN, DON'T DELETE ANYTHING, attach the log to your next post.
16.11.2009, 00:56
Terry Jennings

Follow up

I have looked in the AVZ quarantine folder and the files:

ps6agqwb.sys
pe3agqwb.sys

are not even there to select so have been unable to restore them. I have now installed the malwarebytes Anti-malware programme and done a full scan and the log is attached.

Terry
16.11.2009, 11:11
Rene-gad

All items from Malwarebytes log should be removed with MBAM :)
Pls. repeat MBAM log after removing them.

The files you can find in attachment (if you really need them copy them to the C:\windows\system32\drivers\).
17.11.2009, 10:52
Terry Jennings

Update

Deletion done and new log attached.
Ever since the original scan and deletion I now have a found new hardware screen come up every time I start the computer up and it doesnt say what it is or cannot find the drivers. Any advice od should I just click the 'dont prompt me again to install this software'?

Terry
17.11.2009, 11:19
Rene-gad

[QUOTE=Terry Jennings;510352] I now have a found new hardware screen come up every time I start the computer [/QUOTE]
Open Hardware manager and remove Unknown Hardware :)

Any problem more?
17.11.2009, 11:32
Terry Jennings

No option to delete but have disables. I now have an option to uninstall the unknown device, shal I do this or just leave it disabled?
17.11.2009, 12:02
Rene-gad

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]
begin
SetAVZPMStatus(false);
RebootWindows(true);
end.[/CODE]
20.11.2009, 00:51
Terry Jennings

Hi, I have followed your instructions to the letter but having done all that and then put my system restore back on a day ago. The computer was working really slow today so upon scanning again with Kaspersky AntiVirus the virus is still there!! HELP!!
20.11.2009, 11:24
Rene-gad

Disable system restore, repeat 3 logs according to the ruels.
21.11.2009, 00:33
Terry Jennings

Вложений: 1

System restore disabled now. But which logs do you need from me and which programme shall I use to create them from the 3 I have installed and run?

I have now updated with the new scan and updated logs which I think you need.

Just thought I would also mention that the computer seems to be running at 100% CPU usage most of the time!!
21.11.2009, 11:38
Rene-gad

You have got a full chaos @ your system!!!

In Hijackthis Log I can see Kaspersky Antivirus, in AVZ-Logs - I cann't.
If you prefer to use Symantec - use the [B]last[/B] version.

You had AGV7 too.
Remove the rests with the script.
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\Program Files\Grisoft\AVG Free\avglog.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\AVG7','EventMessageFile');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]
Remove the rests of KAV: [url]http://support.kaspersky.com/faq/?qid=208279463[/url]

If you'll have any problem further - repeat the virusinfo_syscheck & hijackthis - logs
30.11.2009, 22:40
Terry Jennings

I have done all this and it seems to have gone. But my cpu is now constantly running at 100% and causing my computer to run VERY slow. It looks like it is the agent.exe file and the ISUSPM files. I have just ended these process and the computer perfroms loads better but I cannot see any way of deleting them. Any advice. Thanks again
01.12.2009, 10:40
Rene-gad

You haven't remove anything. Please:
-start AVZ
-Menu Service/File Search
-Set a hook at system drive in the left panel
-on the right side in the field File Name or Template type the name of file to be searched.
- Press Start.
Found files attach attach to the quarantine and upload it (App. 3 of the rules).
04.12.2009, 11:17
Terry Jennings

Hello,
I have just done as requested and uploaded the 2 files that seem to be slowing my computer down and using 100% CPU usage. If I disable these 2 the computer runs fine and so do the games that werent.
04.12.2009, 14:59
Rene-gad

[QUOTE=Terry Jennings;525074]
I have just done as requested and uploaded the 2 files .[/QUOTE]
They are definitely not malicious.:)