I got this virus, and i can't remove it :( please help :)
1. Please disable System Restore and your antivirus (if you have one).
2. Execute this script in AVPTool:
[CODE]begin
ClearHostsFile;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
QuarantineFile('C:\vbobovdozjx.bat','');
DelBHO('{5067A26B-1337-4436-8AFE-EE169C2DA79F}');
QuarantineFile('C:\WINDOWS\system32\qdxrlzogypkbbhkwfi.exe','');
QuarantineFile('C:\WINDOWS\system32\htmfylzqhxrhglnyg.exe','');
QuarantineFile('C:\WINDOWS\system32\dtqnkbtojdbvyhncourhe.exe','');
QuarantineFile('C:\WINDOWS\system32\aldvnzmcshapnrsc.exe','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\qdxrlzogypkbbhkwfi.exe','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\odzvrhysmfcvxfkyjokz.exe .','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\dtqnkbtojdbvyhncourhe.exe .','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\bpkfapfyrjfxyfjwgkf.exe','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\opxfnp.exe','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\jkzenlsw.dll','');
QuarantineFile('C:\DOCUME~1\User\LOCALS~1\Temp\aldvnzmcshapnrsc.exe','');
QuarantineFile('c:\docume~1\user\locals~1\temp\opxfnp.exe','');
TerminateProcessByName('c:\docume~1\user\locals~1\temp\opxfnp.exe');
QuarantineFile('c:\docume~1\user\locals~1\temp\aldvnzmcshapnrsc.exe','');
TerminateProcessByName('c:\docume~1\user\locals~1\temp\aldvnzmcshapnrsc.exe');
DeleteFile('c:\docume~1\user\locals~1\temp\aldvnzmcshapnrsc.exe');
DeleteFile('c:\docume~1\user\locals~1\temp\opxfnp.exe');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\aldvnzmcshapnrsc.exe');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\jkzenlsw.dll');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\opxfnp.exe');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\bpkfapfyrjfxyfjwgkf.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','sbrhxhsguhylhj');
RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run','qtdnxbgo');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\dtqnkbtojdbvyhncourhe.exe .');
RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce','hlwhsxdmv');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\odzvrhysmfcvxfkyjokz.exe .');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','rzodsblylxnzu');
DeleteFile('C:\DOCUME~1\User\LOCALS~1\Temp\qdxrlzogypkbbhkwfi.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','bdmvehl');
DeleteFile('C:\WINDOWS\system32\aldvnzmcshapnrsc.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\RunOnce','hlwhsxdmv');
RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\RunOnce','sznbpxgsepep');
DeleteFile('C:\WINDOWS\system32\dtqnkbtojdbvyhncourhe.exe');
RegKeyParamDel('HKEY_USERS','S-1-5-21-1229272821-362288127-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run','vbobovdozjx');
DeleteFile('C:\WINDOWS\system32\htmfylzqhxrhglnyg.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run','afrdpvcmwf');
DeleteFile('C:\WINDOWS\system32\qdxrlzogypkbbhkwfi.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','qtdnxbgo');
DeleteFile('C:\autorun.inf');
DeleteFile('C:\vbobovdozjx.bat');
DeleteFile('D:\autorun.inf');
DeleteFile('D:\vbobovdozjx.bat');
DeleteFileMask('%tmp% ','*.* ',true );
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
ExecuteWizard('SCU', 3, 3, true);
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]
3. After reboot execute this script in AVPTool:
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.[/CODE]
Upload the file C:\quarantine.zip via this link: [url]http://virusinfo.info/upload_virus.php?tid=62467[/url]
4. Execute this script in AVPTool:
[CODE]var j:integer; NumStr:string;
begin
  for j:=0 to 999 do
  begin
    if j=0 then
      NumStr:='CurrentControlSet'
    else if j<10 then
      NumStr:='ControlSet00'+IntToStr(j)
    else if j<100 then
      NumStr:='ControlSet0'+IntToStr(j)
    else
      NumStr:='ControlSet'+IntToStr(j);
    if RegKeyExistsEx('HKLM', 'SYSTEM\'+NumStr+'\Services\BITS') then
    begin
      RegKeyResetSecurity('HKLM', 'SYSTEM\'+NumStr+'\Services\BITS');
      RegKeyStrParamWrite('HKLM', 'SYSTEM\'+NumStr+'\Services\BITS', 'ImagePath', '%SystemRoot%\System32\svchost.exe -k netsvcs');
      AddToLog('Значение параметра ImagePath в разделе реестра HKLM\SYSTEM\'+NumStr+'\Services\BITS исправлено на оригинальное.');
    end;
    if RegKeyExistsEx('HKLM', 'SYSTEM\'+NumStr+'\Services\wuauserv') then
    begin
      RegKeyResetSecurity('HKLM', 'SYSTEM\'+NumStr+'\Services\wuauserv');
      RegKeyStrParamWrite('HKLM', 'SYSTEM\'+NumStr+'\Services\wuauserv', 'ImagePath', '%SystemRoot%\System32\svchost.exe -k netsvcs');
      AddToLog('Значение параметра ImagePath в разделе реестра HKLM\SYSTEM\'+NumStr+'\Services\wuauserv исправлено на оригинальное.');
    end;
  end;
  SaveLog(GetAVZDirectory + 'fystemRoot.log');
end.[/CODE]
5. Attach a new log to your new post.
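A read-only PowerShell audit, added here as an example (it is not part of the thread and not an AVZ script), that checks the same persistence points the scripts above repair: the ImagePath of BITS and wuauserv in every ControlSet, the Run / RunOnce / Policies\Explorer\Run values, the NoDriveTypeAutoRun policy and autorun.inf at drive roots. It assumes a Windows PowerShell session with the registry provider and changes nothing, so it can be run before attaching logs to confirm the cleanup took.

```powershell
# Added example, not from the thread. Read-only check of the persistence points
# the AVZ scripts above touch. Run in an elevated Windows PowerShell session.
$expectedImagePath = '%SystemRoot%\System32\svchost.exe -k netsvcs'
$services = 'BITS', 'wuauserv'

# 1. Service ImagePath in CurrentControlSet and every ControlSetNNN (same keys as step 4)
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -eq 'CurrentControlSet' -or $_.PSChildName -match '^ControlSet\d{3}$' }
foreach ($cs in $controlSets) {
    foreach ($svc in $services) {
        $key = "$($cs.PSPath)\Services\$svc"
        if (-not (Test-Path $key)) { continue }
        $ip = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($ip -ne $expectedImagePath) {
            Write-Output "SUSPECT $($cs.PSChildName)\Services\$svc ImagePath = '$ip'"
        } else {
            Write-Output "OK      $($cs.PSChildName)\Services\$svc"
        }
    }
}

# 2. Autorun values. The script removed entries pointing into %TEMP% and drive-root .bat files;
#    flag anything that still matches that pattern, print the rest for manual review.
$runKeys = foreach ($hive in 'HKLM:', 'HKCU:') {
    "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
    "$hive\Software\Microsoft\Windows\CurrentVersion\RunOnce"
    "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }
    foreach ($v in $values) {
        $flag = if ($v.Value -match '\\Temp\\|^[A-Za-z]:\\[^\\]+\.(bat|exe)\b') { 'SUSPECT' } else { 'REVIEW ' }
        Write-Output "$flag $key : $($v.Name) = $($v.Value)"
    }
}

# 3. Autorun policy (the script writes 221 = 0xDD) and autorun.inf at each drive root
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
Write-Output ("NoDriveTypeAutoRun = {0}" -f $policy.NoDriveTypeAutoRun)
foreach ($d in Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Za-z]:\\$' }) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path $inf) { Write-Output "SUSPECT autorun.inf present at $inf" }
}
```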
Sorry, which log do you require? I can't find anything, but I added a new one from the tool.
In quarantine - [B]Trojan.Win32.Chydo.bv (KIS)[/B]
[QUOTE=Griautis;525911]I can't find anything, but I added a new one from the tool.[/QUOTE]
You have done it right.
I can see nothing harmful in your logs. Do you have any problem more?
Thanks for the help :) but I don't think it worked :( I just started a scan and the removal tool found the virus again ;( attaching a screenshot of it. Maybe it has something to do with the fact that I ran those commands in normal mode and not in safe mode? I can't access safe mode: as soon as it starts loading, the PC just restarts and gets into a restart loop unless I choose to load Windows normally.
I cannot see where and from whom you were advised to make any [B]scan[/B] with AVPTool? :rtfm:
Make the log with Malwarebytes Anti-Malware, don't remove anything, and attach the log to your new post.
You mean the log which comes up after scanning? If you mean that, then here it is. If you mean something else, please explain where to get it.
[QUOTE=Griautis;526109]You mean the log which comes up after scanning?[/QUOTE]
Yes, it's the correct log, but:
[QUOTE]*Please [B][SIZE="4"]attach the logfiles to the thread[/SIZE][/B], do not upload them anywhere else unless requested. [/QUOTE]
I've seen nothing malicious. What kind of problem do you have now?
Well, the virus removal tool does detect Trojan.Win32.Generic, and Malwarebytes couldn't detect it even before I came to this site for help. And at that time I had some clearly visible things happening to my PC. So I'm afraid that I will get some problems.
Make a LiveCD (Avira, Dr.Web or Kaspersky) and scan your system from it. AVZ is good against rootkits, but the file infectors have to be cleaned in another way.