The Worm.Win32.Mabezat.b worm has infected all my hard drives and shows low disk space. It delays the opening of the programs.
Please provide suggestions regarding its proper cleaning.
Hello,
Could you tell us what you have on the disks D:\, E:\ and F:\? It looks like thousands of infected files?! Try to heal them with CureIt: [url]http://www.freedrweb.com/cureit/?lng=en[/url]
Remove Download Accelerator Plus (DAP) - it contains spyware.
Close/disable all applications except AVZ and Internet Explorer.
- Disconnect your PC from network (internet/intranet)
- Disable antivirus, firewall and other memory resident security tools
- Disable System Restore
-[URL="http://virusinfo.info/showthread.php?t=9206"]Fix[/URL] with Hijackthis
[CODE]R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\3.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\3.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\3.bin\MWSBAR.DLL
O4 - HKCU\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - Startup: ¡¡¡¡¡¡.lnk = C:\WINDOWS\system32\XP-70D84274.EXE
[/CODE]
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
DeleteService('MyWebSearchService');
BC_DeleteSvc('MyWebSearchService');
DelBHO('{00A6FAF6-072E-44cf-8957-5838F569A31D}');
DelBHO('{07B18EA9-A523-4961-B6BB-170DE4475CCA}');
DelBHO('{07B18EA1-A523-4961-B6BB-170DE4475CCA}');
DelBHO('{00A6FAF1-072E-44cf-8957-5838F569A31D}');
QuarantineFile('C:\Program Files\Perfect Optimizer\License.dll','');
QuarantineFile('C:\zpharaoh.exe','');
QuarantineFile('G:\zPharaoh.exe','');
QuarantineFile('G:\autorun.inf','');
QuarantineFile('F:\zPharaoh.exe','');
QuarantineFile('F:\autorun.inf','');
QuarantineFile('E:\zPharaoh.exe','');
QuarantineFile('E:\autorun.inf','');
QuarantineFile('D:\zPharaoh.exe','');
QuarantineFile('D:\autorun.inf','');
DeleteFile('C:\zpharaoh.exe');
DeleteFile('G:\zPharaoh.exe');
DeleteFile('G:\autorun.inf');
DeleteFile('F:\zPharaoh.exe');
DeleteFile('F:\autorun.inf');
DeleteFile('E:\zPharaoh.exe');
DeleteFile('E:\autorun.inf');
DeleteFile('D:\zPharaoh.exe');
DeleteFile('D:\autorun.inf');
DeleteFileMask('C:\Program Files\MyWebSearch\','*.*',true);
DeleteDirectory('C:\Program Files\MyWebSearch\');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]
[COLOR="Red"]If the system tries to install any unknown hardware after the reboot, abort the installation and remove the unknown hardware via the hardware manager[/COLOR]
After reboot:
[URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL]
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]
- Upload C:\quarantine.zip via the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] at the top of this page.
- Make new logs and attach them to the new posting.
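
Added example, not part of the original thread and not AVZ's own code: a Python check that can be run after the cleanup to confirm that no drive root still carries an `autorun.inf` that launches a program. That the `autorun.inf` files point at `zPharaoh.exe` is an assumption drawn from the paired file names in the script above; the sample file written by `demo()` is constructed.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program

def parse_autorun(text):
    """Return the launch commands in the [autorun] section of an autorun.inf."""
    commands, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            # shell\<verb>\command entries start a program as well
            shell_cmd = key.startswith("shell\\") and key.endswith("\\command")
            if value and (key in LAUNCH_KEYS or shell_cmd):
                commands.append(value)
    return commands

def scan_roots(roots):
    """Map each root that has an autorun.inf to (command, target_present) pairs."""
    findings = {}
    for root in roots:
        try:
            names = {n.lower(): n for n in os.listdir(root)}
        except OSError:
            continue  # drive absent or unreadable
        if "autorun.inf" in names:
            with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
                cmds = parse_autorun(fh.read())
            # target = first whitespace-delimited token, quotes stripped
            findings[root] = [(c, c.split()[0].strip('"').lower() in names) for c in cmds]
    return findings

def demo():
    """Constructed sample: one root with a leftover autorun.inf, one clean."""
    with tempfile.TemporaryDirectory() as dirty, tempfile.TemporaryDirectory() as clean:
        with open(os.path.join(dirty, "AUTORUN.INF"), "w") as fh:
            fh.write("[AutoRun]\nopen=zPharaoh.exe\nshell\\open\\command=zPharaoh.exe\n")
        open(os.path.join(dirty, "zpharaoh.exe"), "wb").close()
        found = scan_roots([dirty, clean])
        return [found.get(dirty), found.get(clean)]

if __name__ == "__main__":
    print(scan_roots(["C:\\", "D:\\", "E:\\", "F:\\", "G:\\"]))
```

An empty result means no scanned root has an `autorun.inf`; any entry whose second field is `True` means the launch target is still present in that root.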