Hi, my computer has the Task Manager blocked and my background is "your system is infected", which I can't take off. I can't open more than one Internet Explorer window. I have attached the three logs.
1. Please disable System Restore and antivirus (if you have one).
2. Execute this script in AVZ:
[CODE]begin
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory+'Quarantine', '*.*', true);
DelBHO('{971F630E-AD68-4d6e-B0C3-1C627AAC80F1}');
DelBHO('{023A0DEE-5013-4210-90DB-B52A60225937}');
DelBHO('{014CB555-9401-4E2A-A0F8-C3BD404A0C52}');
DelBHO('{011D06F7-5013-4210-90DB-B52A60225937}');
QuarantineFile('C:\WINDOWS\system32\winhelper86.dll','');
QuarantineFile('C:\WINDOWS\System32\d3dx10_3432.dll','');
QuarantineFile('C:\WINDOWS\System32\d3dim32.dll','');
QuarantineFile('C:\WINDOWS\system32\AD.tmp','');
QuarantineFile('c:\windows\system32\winupdate86.exe','');
TerminateProcessByName('c:\windows\system32\winupdate86.exe');
QuarantineFile('c:\program files\internetsecurity2010\is2010.exe','');
DeleteFile('c:\windows\system32\winupdate86.exe');
DeleteFile('C:\WINDOWS\system32\AD.tmp');
DeleteFile('C:\WINDOWS\System32\d3dim32.dll');
DeleteFile('C:\WINDOWS\System32\d3dx10_3432.dll');
DeleteFile('C:\WINDOWS\system32\winhelper86.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\14e985e5716','DLLName');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','winupdate86.exe');
DeleteFileMask('%tmp% ','*.* ',true );
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(11);
ExecuteRepair(14);
BC_Activate;
RebootWindows(true);
end.[/CODE]
3. After reboot execute this script in AVZ:
[CODE]begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.[/CODE]
Upload the file quarantine.zip via this link: [url]http://virusinfo.info/upload_virus.php?tid=65014[/url]
4. Make new logs.
I have uploaded the quarantine file and have attached the three new logs.
1. Please disable System Restore and antivirus (if you have one).
2. Execute this script in AVZ:
[CODE]begin
SetAVZGuardStatus(True);
DeleteFileMask(GetAVZDirectory+'Quarantine', '*.*', true);
RegKeyIntParamWrite('HKLM','SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer','NoDriveTypeAutoRun', 221);
DeleteService('Zumie Search Service');
QuarantineFile('C:\WINDOWS\system32\winlogon86.exe','');
QuarantineFile('C:\WINDOWS\system32\5705.exe','');
QuarantineFile('C:\WINDOWS\system32\28145.exe','');
QuarantineFile('C:\WINDOWS\system32\26962.exe','');
QuarantineFile('C:\WINDOWS\system32\24464.exe','');
QuarantineFile('C:\WINDOWS\system32\23281.exe','');
QuarantineFile('C:\WINDOWS\system32\1869.exe','');
QuarantineFile('C:\Documents and Settings\HelpAssistant\Local Settings\Temp\wYxg.exe','');
DelBHO('{92780B25-18CC-41C8-B9BE-3C9C571A8263}');
DelBHO('{2670000A-7350-4f3c-8081-5663EE0C6C49}');
DelBHO('{011A3484-FD93-4FEB-9438-95898E8EA38a}');
QuarantineFile('C:\WINDOWS\System32\d3dx10_3432.dll','');
QuarantineFile('C:\WINDOWS\system32\Drivers\atapi.sys','');
QuarantineFile('C:\WINDOWS\system32\ts.dll','');
QuarantineFile('c:\program files\internetsecurity2010\is2010.exe','');
TerminateProcessByName('c:\program files\internetsecurity2010\is2010.exe');
DeleteFile('c:\program files\internetsecurity2010\is2010.exe');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','Internet Security 2010');
DeleteFile('C:\WINDOWS\System32\d3dx10_3432.dll');
DeleteFile('C:\Documents and Settings\HelpAssistant\Local Settings\Temp\*.*');
DeleteFile('C:\WINDOWS\system32\1869.exe');
DeleteFile('C:\WINDOWS\system32\23281.exe');
DeleteFile('C:\WINDOWS\system32\24464.exe');
DeleteFile('C:\WINDOWS\system32\26962.exe');
DeleteFile('C:\WINDOWS\system32\28145.exe');
DeleteFile('C:\WINDOWS\system32\5705.exe');
DeleteFile('C:\WINDOWS\system32\winlogon86.exe');
DeleteFileMask('%tmp% ','*.* ',true );
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
ExecuteWizard('SCU', 3, 3, true);
BC_Activate;
RebootWindows(true);
end.[/CODE]
3. After reboot execute this script in AVZ:
[CODE]begin
CreateQurantineArchive(GetAVZDirectory+'quarantine.zip');
end.[/CODE]
Upload the file quarantine.zip via this link: [url]http://virusinfo.info/upload_virus.php?tid=65014[/url]
4. [URL="http://virusinfo.info/showthread.php?t=9206"]Fix in HijackThis:[/URL]
[QUOTE]O2 - BHO: (no name) - {011A3484-FD93-4FEB-9438-95898E8EA38a} - C:\WINDOWS\System32\d3dx10_3432.dll (file missing)
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O20 - Winlogon Notify: 14e985e5716 - C:\WINDOWS\[/QUOTE]
5. Make new logs.
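For anyone reading this thread later and wondering what the quoted HijackThis lines actually say: the script below is an added example (not from the original post, not an AVZ or HijackThis tool) that parses O2/O4/O20 lines into structured records and flags the properties a helper looks at, such as a BHO whose DLL is already gone, a startup item that runs for the SYSTEM or default profile, and a Winlogon Notify subkey whose name is not one of the stock XP handlers. The sample log is the five lines quoted above, and the allowlist of stock Notify subkeys is an assumption for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the five HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {011A3484-FD93-4FEB-9438-95898E8EA38a} - C:\WINDOWS\System32\d3dx10_3432.dll (file missing)
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O20 - Winlogon Notify: 14e985e5716 - C:\WINDOWS\
"""

# Winlogon Notify subkeys that ship with Windows XP (assumed allowlist for this example).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

@dataclass
class HjtEntry:
    section: str                 # "O2", "O4", "O20"
    kind: str                    # "BHO", "Startup", "Winlogon Notify"
    name: str                    # display name or registry value/subkey name
    path: Optional[str] = None   # file path when the line carries one
    clsid: Optional[str] = None  # CLSID for O2 entries
    user: Optional[str] = None   # account a startup item runs under (O4)
    file_missing: bool = False   # HijackThis could not find the referenced file
    flags: List[str] = field(default_factory=list)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?:(?P<scope>[^:]+?) )?Startup: (?P<name>.+?)"
                   r"(?: \(User '(?P<user>[^']*)'\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one HijackThis log line into a structured entry; None if unsupported."""
    m = O2_RE.match(line)
    if m:
        e = HjtEntry("O2", "BHO", m["name"], path=m["path"], clsid=m["clsid"],
                     file_missing=m["missing"] is not None)
        if e.file_missing:
            e.flags.append("BHO registered but DLL absent (dangling registration)")
        return e
    m = O4_RE.match(line)
    if m:
        e = HjtEntry("O4", "Startup", m["name"], user=m["user"])
        if m["scope"] in ("S-1-5-18", ".DEFAULT"):
            e.flags.append("startup item runs for SYSTEM/default profile, not just the user")
        return e
    m = O20_RE.match(line)
    if m:
        e = HjtEntry("O20", "Winlogon Notify", m["name"], path=m["path"])
        if e.name not in KNOWN_NOTIFY:
            e.flags.append("Winlogon Notify handler not in the stock XP set")
        if e.path.endswith("\\"):
            e.flags.append("DLLName points at a directory, not a file")
        return e
    return None

def parse_hjt(text: str) -> List[HjtEntry]:
    """Parse every supported line of a HijackThis log; unknown sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = parse_line(line)
        if e is not None:
            entries.append(e)
    return entries

def flagged(entries: List[HjtEntry]):
    """Return (section, name, flags) for every entry that raised at least one flag."""
    return [(e.section, e.name, e.flags) for e in entries if e.flags]

if __name__ == "__main__":
    for section, name, flags in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{section:4} {name:40} {'; '.join(flags)}")
```

Run it as-is and it reports the dangling BHO, both machine-wide PowerReg startup entries and the odd-looking 14e985e5716 Notify handler; the plain per-user O4 line passes without a flag, which matches what the helper chose to fix.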
I have uploaded the quarantine.zip and attached the three new logs. I have fixed the files using HijackThis.
Use Vba32 Rescue. Links to download:
[url]ftp://anti-virus.by/pub/vbarescue-beta.iso[/url]
[url]ftp://vba.ok.by/vba/vbarescue-beta.iso[/url]
Afterwards, attach the log C:\VbaRescue\vba32.rpt
[url]http://esagelab.com/resources.php?s=tdss_remover[/url] Please use it to remove TDSS.
The links [url]ftp://anti-virus.by/pub/vbarescue-beta.iso[/url]
[url]ftp://vba.ok.by/vba/vbarescue-beta.iso[/url] didn't work, and I can't get rid of the Active Desktop Recovery background. What can I do to get rid of it?
[QUOTE=mediumt_3;549886]what can i do to get rid of it?[/QUOTE]
Sorry, new links:
[url]ftp://anti-virus.by/pub/vbarescue.iso[/url]
[url]ftp://vba.ok.by/vba/vbarescue.iso[/url]
Make 3 logfiles (syscure, syscheck, hijackthis) and attach vba32.rpt.