I can not locate and delete the viruses my computer is infected with, can you help please?
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual disinfection
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','nogofemad');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lilurikav');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','Cnovanijudul');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{814d7190-6797-4a3f-badb-bff8ddbf6dea}');
QuarantineFile('C:\WINDOWS\system32\zejidefu.dll','');
QuarantineFile('C:\WINDOWS\system32\sedujaza.dll','');
QuarantineFile('c:\windows\system32\puyubila.dll','');
QuarantineFile('C:\WINDOWS\ehohoxajedec.dll','');
QuarantineFile('C:\WINDOWS\apmdesv.dll','');
DeleteFile('C:\WINDOWS\system32\zejidefu.dll');
DeleteFile('C:\WINDOWS\system32\sedujaza.dll');
DeleteFile('c:\windows\system32\puyubila.dll');
DeleteFile('C:\WINDOWS\ehohoxajedec.dll');
DelBHO('{512a9c57-8cc3-2c3c-d862-0e241cb50e31}');
DeleteService('lddie');
RegKeyResetSecurity('HKLM','SYSTEM\CurrentControlSet\Services\lddie');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]
After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL] in Manual disinfection
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]
and upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.
- Remove [URL="http://virusinfo.info/showthread.php?t=42263"]Bonjour[/URL]
- Repeat a log file of AVPTool.
- Make a log file with Hijackthis ([URL="http://virusinfo.info/showthread.php?t=9184"] Analysis, p.3 [/URL] for further information).
- Attach both logs to your new post.
Okay, I removed Bonjour and ran both those scripts. Thank you, things are already running much smoother. The new AVP file is attached, and I have included the HijackThis log below. Also, quarantine.zip has been uploaded, file saved as: 100220_075143_quarantine_4b7f6a5fc6a00.zip
[COLOR="Red"]moderated::: log files have to be ATTACHED and not POSTED[/COLOR]
[QUOTE=lovesauce;589758]I removed bonjour [/QUOTE]Not completely, system restore is not disabled.
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- [URL="http://virusinfo.info/showthread.php?t=9206"]Fix[/URL] with Hijackthis
[CODE]O20 - AppInit_DLLs: c:\windows\system32\rujidovo.dll,sahomosa.dll
O21 - SSODL: borihiyiz - {80840d4f-8b58-4757-92e1-f2912119b94e} - c:\windows\system32\rujidovo.dll
O22 - SharedTaskScheduler: jugezatag - {80840d4f-8b58-4757-92e1-f2912119b94e} - c:\windows\system32\rujidovo.dll
[/CODE]
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual disinfection
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('befuvanu.dll','');
QuarantineFile('apmdesv.dll','');
QuarantineFile('c:\windows\ehome\mcrdsvc.exe','');
QuarantineFile('c:\windows\system32\rujidovo.dll','');
DeleteFile('c:\windows\system32\rujidovo.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','lilurikav');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{80840d4f-8b58-4757-92e1-f2912119b94e}');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','borihiyiz');
DeleteFile('apmdesv.dll');
DeleteFile('befuvanu.dll');
DeleteFile('C:\Program Files\Bonjour\mDNSResponder.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\Bonjour Service','EventMessageFile');
DeleteFile('C:\Program Files\Bonjour\mdnsNSP.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/CODE]
After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL] in Manual disinfection
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]
and upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.
- Repeat a log file of AVPTool.
- Make a log file with Hijackthis
- Attach both logs to your new post.
********************************************************************************
If you should be bored, you could begin with patching your very vulnerable system
[QUOTE]Platform: Windows XP SP2 (WinNT 5.01.2600)[/QUOTE]
Install SP3 and all updates
[QUOTE]MSIE: Internet Explorer v7.00 (7.00.6000.16981)[/QUOTE]
Install IE8
[QUOTE]C:\Program Files\Java\jre1.6.0_02\[/QUOTE]
Update Java RE ([url]www.java.com[/url])
[QUOTE]C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll[/QUOTE]
Update Adobe Reader or remove it.
Statistics of the treatment performed:
[LIST][*]Quarantines received: [B]1[/B][*]Files processed: [B]13[/B][*]Malicious programs detected during treatment:
[LIST=1][*] c:\windows\apmdesv.dll - [B]Trojan-Downloader.Win32.Mufanom.mli[/B] ( BitDefender: Gen:Packed.Hiloti.1 )[*] c:\windows\ehohoxajedec.dll - [B]Trojan-Downloader.Win32.Mufanom.mlj[/B] ( BitDefender: Gen:Packed.Hiloti.1, AVAST4: Win32:Malware-gen )[*] c:\windows\system32\puyubila.dll - [B]Trojan.Win32.Migotrup.nwb[/B][/LIST][/LIST]
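
The three HijackThis entries in the fix list earlier in the thread (O20, O21, O22) all reference the same DLL. As an added example (not part of the original thread, and not a HijackThis or AVZ feature), this Python code parses lines in the format shown there and reports files registered in more than one autostart location; the function names are hypothetical and the sample input is the three lines copied from the thread.

```python
import re
from collections import defaultdict

# The three lines from the thread's HijackThis fix list, embedded as sample input.
SAMPLE_LOG = r"""O20 - AppInit_DLLs: c:\windows\system32\rujidovo.dll,sahomosa.dll
O21 - SSODL: borihiyiz - {80840d4f-8b58-4757-92e1-f2912119b94e} - c:\windows\system32\rujidovo.dll
O22 - SharedTaskScheduler: jugezatag - {80840d4f-8b58-4757-92e1-f2912119b94e} - c:\windows\system32\rujidovo.dll
"""

LINE_RE = re.compile(r"^(O2[0-2]) - ([^:]+): (.*)$")
# "<value name> - {CLSID} - <file>" as used by the O21 and O22 lines above
CLSID_RE = re.compile(r"^(.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


def parse_entries(log_text):
    """Return one dict per file referenced by an O20/O21/O22 line."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # other log sections are out of scope here
        section, kind, rest = m.groups()
        if section == "O20":
            # AppInit_DLLs holds a list of DLLs; the log shows it comma-separated
            for dll in (p.strip() for p in rest.split(",")):
                if dll:
                    entries.append({"section": section, "kind": kind,
                                    "name": None, "clsid": None, "path": dll})
            continue
        c = CLSID_RE.match(rest)
        if c:
            name, clsid, path = c.groups()
            entries.append({"section": section, "kind": kind,
                            "name": name, "clsid": clsid.lower(), "path": path})
    return entries


def sections_by_file(entries):
    """Map lower-cased file name -> sorted list of sections that load it."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["path"].rsplit("\\", 1)[-1].lower()].add(e["section"])
    return {name: sorted(secs) for name, secs in groups.items()}


def multi_persistence(entries):
    """Files registered in more than one autostart location."""
    return {n: s for n, s in sections_by_file(entries).items() if len(s) > 1}


if __name__ == "__main__":
    for name, secs in multi_persistence(parse_entries(SAMPLE_LOG)).items():
        print(f"{name}: loaded via {', '.join(secs)}")
```
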