-
Malware not being removed
I have a few trojans/malware on a laptop. Unfortunately, the System Restore CD only scans the boot sector, as the hard drive is encrypted. When I try to run the Virus Removal tool, it hangs when I try to delete the file in question. Is there any way to get around this? I have uploaded the manual disinfection script here
-
One of the items I can't remove is Rootkit.win32.agent.bert
-
Close/unload all programs except AVZ and Internet Explorer.
Switch off:
- Antivirus and, if you have one, Firewall.
- System Restore
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute the following script[/URL] in Manual Healing
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('C:\WINDOWS\Hdafub.exe','');
DelBHO('{A2BA40A0-74F1-52BD-F411-00B15A2C8953}');
QuarantineFile('C:\WINDOWS\system32\wmcjqxkw.dll','');
QuarantineFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\geurge.exe','');
StopService('diskchk');
DeleteService('diskchk');
BC_DeleteSvc('diskchk');
QuarantineFile('C:\WINDOWS\system32\diskchk.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\zkxahym.sys','');
QuarantineFile('C:\WINDOWS\system32\oix5t.dll','');
DeleteFile('C:\WINDOWS\system32\oix5t.dll');
DeleteFile('C:\WINDOWS\system32\Drivers\zkxahym.sys');
DeleteFile('C:\WINDOWS\system32\diskchk.sys');
DeleteFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\geurge.exe');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','ewrgetuj');
RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{A2BA40A0-74F1-52BD-F411-00B15A2C8953}');
DeleteFile('C:\WINDOWS\system32\wmcjqxkw.dll');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','ezLife');
DeleteFile('C:\WINDOWS\Hdafub.exe');
DeleteFile('c:\windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute the following script[/URL] in Manual Healing
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=77111[/url]
- Repeat the log file.
- Attach the new log to your new post.
-
New log file
The quarantine file has been uploaded. Here is the new log file. Is there anything else I need to do?
Thank you,
Dan
-
I noticed that one of the threats was not included in the above script: newupdate1142c.exe.
thanks,
dan
-
You must execute the script once more and then repeat the log once but ONLY IN NORMAL MODE!
-
Log repeat
I will be doing the script again. Does Normal Mode mean not in Windows Safe Mode? Also, do we do the quarantine script again, or just the log?
Thanks,
Dan
-
[QUOTE=dmonighetti;628801]Does Normal Mode mean not in Windows Safe Mode?[/QUOTE]Yes
[QUOTE]Also, do we do the quarantine script again?[/QUOTE] No.
[QUOTE]just the log[/QUOTE]Yes.
-
Ran the two scripts again and uploaded the quarantine zip and the log.
Thanks
-
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute the following script[/URL] in Manual Healing
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\debug.exe','');
QuarantineFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\taskmgr.exe','');
QuarantineFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\win32.exe','');
QuarantineFile('c:\docume~1\locala~1\locals~1\temp\win32.exe','');
QuarantineFile('c:\docume~1\locala~1\locals~1\temp\taskmgr.exe','');
QuarantineFile('c:\docume~1\locala~1\locals~1\temp\svchost.exe','');
QuarantineFile('c:\docume~1\locala~1\locals~1\temp\dirxlx.exe','');
QuarantineFile('c:\docume~1\locala~1\locals~1\temp\debug.exe','');
TerminateProcessByName('c:\docume~1\locala~1\locals~1\temp\win32.exe');
TerminateProcessByName('c:\docume~1\locala~1\locals~1\temp\taskmgr.exe');
TerminateProcessByName('c:\docume~1\locala~1\locals~1\temp\svchost.exe');
TerminateProcessByName('c:\docume~1\locala~1\locals~1\temp\dirxlx.exe');
TerminateProcessByName('c:\docume~1\locala~1\locals~1\temp\debug.exe');
QuarantineFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\dirxlx.exe','');
QuarantineFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\svchost.exe','');
QuarantineFile('C:\Documents and Settings\localadmin\Application Data\B0FEFFC0FA9A58E52BE90F10867915CA\newupdate1142C.exe','');
QuarantineFile('zkxahym.sys','');
DeleteFile('zkxahym.sys');
DeleteFile('c:\windows\system32\drivers\zkxahym.sys');
RegKeyParamDel('HKEY_USERS','S-1-5-21-790525478-602609370-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run','hsf87sdhfush87fsufhuie3fddf');
RegKeyParamDel('HKEY_USERS','S-1-5-21-790525478-602609370-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Run','hsf87efjhdsf87f3jfsdi7fhsujfd');
DeleteFile('C:\Documents and Settings\localadmin\Application Data\B0FEFFC0FA9A58E52BE90F10867915CA\newupdate1142C.exe');
DeleteFile('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\svchost.exe');
DeleteFileMask('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\','*.*',true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
[/CODE]
After reboot:
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute the following script[/URL] in Manual Healing
[CODE]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/CODE]
- Upload the C:\quarantine.zip here: [url]http://virusinfo.info/upload_virus_eng.php?tid=77111[/url]
- Repeat the log file.
- Attach the new log to your new post.
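Both AVZ scripts in this thread are the helper's. The Python below is an added example, not code from the thread or from AVZ, and it relies only on the statement shapes visible in those scripts (`Call('arg','arg',true);`). It parses a manual-healing script into the artifacts it targets (files, a file mask, a service, Run-key values, a BHO CLSID) so that after the reboot you have a checklist to verify that each one is actually gone, and it lints the script before you run it: a path with a mangled drive letter (`c.\` instead of `c:\`) or a DeleteFile with no preceding QuarantineFile copy is flagged. The two sample scripts are constructed for this example from identifiers in the thread, including a deliberate drive-letter typo; the second shows how to pick out an item (newupdate1142C.exe) that a first round missed.

```python
"""Turn an AVZ manual-healing script into a verification checklist.

Added example for this thread; not part of AVZ. It only relies on the
statement shape seen in the scripts above:  Call('arg','arg',true);
"""
import re
from collections import defaultdict

# One AVZ statement per line, e.g.  DeleteService('diskchk');
STMT_RE = re.compile(r"^\s*(\w+)\s*\((.*)\)\s*;\s*$")
# Pascal string literal ('' escapes a quote) or a bare true/false/number
ARG_RE = re.compile(r"'((?:[^']|'')*)'|\b(true|false|\d+)\b", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\")          # heuristic: Windows path with a drive letter
SERVICE_CALLS = {"StopService", "DeleteService", "BC_DeleteSvc"}


def norm_path(p):
    """Case-fold and normalise separators so duplicate targets collapse."""
    return p.strip().replace("/", "\\").lower()


def parse_avz(script):
    """Group the script's targets by the call that named them."""
    ind = defaultdict(set)
    for line in script.splitlines():
        m = STMT_RE.match(line)
        if not m:
            continue  # begin, end., BC_ImportAll; and other bare statements
        call, raw = m.group(1), m.group(2)
        args = [a.group(1).replace("''", "'") if a.group(1) is not None else a.group(2)
                for a in ARG_RE.finditer(raw)]
        if call in ("QuarantineFile", "DeleteFile") and args:
            ind[call].add(norm_path(args[0]))
        elif call == "DeleteFileMask" and len(args) >= 2:
            ind[call].add(norm_path(args[0]) + args[1])
        elif call in SERVICE_CALLS and args:
            ind["service"].add(args[0].lower())
        elif call == "RegKeyParamDel" and len(args) == 3:
            ind["registry"].add("\\".join(args).lower())   # root\key\value
        elif call == "DelBHO" and args:
            ind["bho"].add(args[0].upper())
    return {k: sorted(v) for k, v in ind.items()}


def iocs(script):
    """Flatten the parsed script into (kind, value) pairs to check after reboot."""
    ind = parse_avz(script)
    files = set(ind.get("QuarantineFile", [])) | set(ind.get("DeleteFile", []))
    out = [("file", p) for p in sorted(files)]
    out += [("file_mask", p) for p in ind.get("DeleteFileMask", [])]
    out += [("service", s) for s in ind.get("service", [])]
    out += [("registry", r) for r in ind.get("registry", [])]
    out += [("bho", c) for c in ind.get("bho", [])]
    return out


def lint(script):
    """Warnings worth reading before executing the script."""
    ind = parse_avz(script)
    q = set(ind.get("QuarantineFile", []))
    d = set(ind.get("DeleteFile", []))
    warnings = [f"path without drive letter (typo?): {p}"
                for p in sorted(q | d) if not DRIVE_RE.match(p)]
    warnings += [f"deleted with no quarantine copy: {p}" for p in sorted(d - q)]
    return warnings


def missed(first, second):
    """Targets that appear in a second-round script but not in the first."""
    return sorted(set(iocs(second)) - set(iocs(first)))


# Constructed samples built from identifiers in this thread (not the full scripts).
# The 'c.\' path is a deliberate typo for the linter to catch.
SAMPLE = r"""begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\Hdafub.exe','');
DelBHO('{A2BA40A0-74F1-52BD-F411-00B15A2C8953}');
StopService('diskchk');
DeleteService('diskchk');
BC_DeleteSvc('diskchk');
QuarantineFile('C:\WINDOWS\system32\diskchk.sys','');
DeleteFile('C:\WINDOWS\system32\diskchk.sys');
RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','ewrgetuj');
DeleteFile('C:\WINDOWS\Hdafub.exe');
DeleteFile('c.\windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
DeleteFileMask('C:\DOCUME~1\LOCALA~1\LOCALS~1\Temp\','*.*',true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
"""

SAMPLE2 = r"""begin
QuarantineFile('C:\Documents and Settings\localadmin\Application Data\B0FEFFC0FA9A58E52BE90F10867915CA\newupdate1142C.exe','');
DeleteFile('C:\Documents and Settings\localadmin\Application Data\B0FEFFC0FA9A58E52BE90F10867915CA\newupdate1142C.exe');
DeleteFile('C:\WINDOWS\Hdafub.exe');
end.
"""

if __name__ == "__main__":
    for kind, value in iocs(SAMPLE):
        print(f"[ ] verify gone: {kind:9} {value}")
    for w in lint(SAMPLE):
        print("WARNING:", w)
    for kind, value in missed(SAMPLE, SAMPLE2):
        print("new in round two:", kind, value)
```

Run it on the real script pasted into `SAMPLE` before executing it in AVZ; a drive-letter typo makes AVZ silently skip the file, and a delete without a quarantine copy leaves nothing to upload for analysis.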
-
Treatment summary
Statistics for the treatment performed:
[LIST][*]Quarantine archives received: [B]2[/B][*]Files processed: [B]28[/B][*]Malicious programs detected during treatment:
[LIST=1][*] c:\windows\hdafub.exe - [B]Packed.Win32.Katusha.m[/B] ( DrWEB: Trojan.DownLoad1.55745, BitDefender: Gen:Variant.Renos.6, AVAST4: Win32:Fraudo [Trj] )[*] c:\windows\system32\oix5t.dll - [B]Packed.Win32.Katusha.j[/B] ( AVAST4: Win32:Ertfor [Trj] )[*] c:\windows\system32\wmcjqxkw.dll - [B]not-a-virus:AdWare.Win32.BHO.luq[/B][/LIST][/LIST]