My Windows XP Pro machine was infected

Printable View

24.03.2010, 09:00
fedfireman

My Windows XP Pro machine was infected

I was infected with at least one and probably several viruses, I cleaned them all and I still can't use my browser to go to websites to update my AV software or even Microsoft.
24.03.2010, 13:00
Rene-gad

[COLOR="Red"][B]Attention !!! AVZ-Database was last updated 8/21/2009 it is necessary to update the database (via File - Database update)[/B][/COLOR]

Close/unload all the programs excepted AVZ and Internet Explorer

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\MsPMSNSv.dll','');
DeleteFileMask('C:\4a1766680e478fc61a408f\','*.*',true);
DeleteFileMask('c:\a0b380931f19f1f778\','*.*',true);
DeleteDirectory('C:\4a1766680e478fc61a408f\');
DeleteDirectory('c:\a0b380931f19f1f778\');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=74384[/url]
- Remove Bonjour: [url]http://virusinfo.info/showthread.php?t=42263[/url]
- Repeat all the log files and attach them to your next post..
24.03.2010, 16:22
fedfireman

Quarantine File

Quarantine File attached

I am unable to update the database on the infected computer because it won't connect to certain websites. Can I do a Manual update?

[COLOR="Red"]moderated:::

Upload result
File saved as 100324_175859_quarantine(2)_4baa28b327950.zip
File size 110020
MD5 4cda4c4aa06d3de388faf51b5f491e73
File uploaded, thank you![/COLOR]
24.03.2010, 18:02
Rene-gad

Pls. read our messages!
You had to add the logs, not a quarantine.

You can download [URL="http://z-oleg.com/secur/avz_up/avzbase.zip"]this file[/URL] on any other PC, copy it to any removable medium and extract the content to ..avz4\base on your PC.
24.03.2010, 18:04
fedfireman

Вложений: 2

Repeat Log Files

I have repost my log files after running the required scripts
24.03.2010, 18:12
Rene-gad

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
ClearQuarantine;
StopService('esihdrv');
DeleteService('esihdrv');
BC_DeleteSvc('esihdrv');
QuarantineFile('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys','');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup','EventMessageFile');
DeleteFileMask('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\','*.*',true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=74384[/url]

- Repeat only the log file virusinfo_syscheck.zip (p. 2 of the rules).
24.03.2010, 18:49
fedfireman

Вложений: 1

repost of virusinfo_syscheck

Did as requested
24.03.2010, 18:59
Rene-gad

- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
ClearQuarantine;
StopService('esihdrv');
DeleteService('esihdrv');
BC_DeleteSvc('esihdrv');
StopService('ql600oko');
DeleteService('ql600oko');
BC_DeleteSvc('ql600oko');
QuarantineFile('C:\WINDOWS\system32\drivers\mrxoko.sys','');
DeleteFile('C:\WINDOWS\system32\drivers\mrxoko.sys');
DeleteFile('C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\esihdrv.sys');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=74384[/url]

- Repeat all the logs.
- Make a log of Malwarebytes Antimalware, pls. remove nothing!
24.03.2010, 23:21
fedfireman

Things are loking better

Things are definitly improving, hopefully this is the last i need to post.
24.03.2010, 23:54
Rene-gad

Any problem more?
25.03.2010, 00:35
fedfireman

Everything seems to be okay

I can now use the internet and all my virus scans and and Malware scans are coimng back with no hits. So I am very happy. :)

Thank you for your assistance.
26.03.2010, 00:35
CyberHelper

Итог лечения

Статистика проведенного лечения:
[LIST][*]Получено карантинов: [B]3[/B][*]Обработано файлов: [B]8[/B][*]В ходе лечения обнаружены вредоносные программы:
[LIST=1][*] c:\windows\system32\drivers\mrxoko.sys - [B]Trojan.Win32.Agent.dpoc[/B] ( DrWEB: Trojan.NtRootKit.6664, AVAST4: Win32:Malware-gen )[/LIST][/LIST]