Alureon Trojan / Log Files now present!

**drongo** · 24.07.2009, 12:37

Yep,there is a problem, because he can see that ESQULserv tracks are still in your system.
Lets try in this way:
Please download special avz archive from my signature. Unpack files to new folder.Disconnect from internet , disable your kaspersky and then launch special avz by clicking on Run.cmd file, execute this script in special avz:

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\Program Files\SIFXINST\SIFXINST.EXE','');
 QuarantineFile('C:\WINDOWS\system32\drivers\symlcbrd.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\ESQULserv.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\wdmaud.sys','');
  DeleteFile('C:\WINDOWS\system32\drivers\symlcbrd.sys');
  DeleteFile('C:\WINDOWS\system32\drivers\ESQULserv.sys');
BC_ImportAll;
ExecuteSysClean;
 BC_DeleteSvc('ESQULserv');
 BC_DeleteSvc('symlcbrd');
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.

Upload quarantine according to rules(see
Appendix 3. How to send us requested files.)
Please make after reboot a new virusinfo_syscure.zip using this special avz, also i would like to see a log from the gmer.
http://www.gmer.net/ Do attach both to your next post.

**shadedsoul** · 24.07.2009, 17:17

I'm not seeing them still there. Am I missing them somewhere and just can't see them? I'll run the processes as soon as I get back in about an hour.

**shadedsoul** · 24.07.2009, 19:03

I may have inadvertently attached old files previously. I have performed the script requested just in case and have uploaded the new logs. Will post results of GMER scan when it completes.

GMER log attached.

**Rene-gad** · 24.07.2009, 20:50

Copy follow code into a new file

Код:

gmer.exe -del service ESQULserv
gmer.exe -del reg " HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv"
gmer.exe -del reg " HKLM\SYSTEM\CurrentControlSet001\Services\ESQULserv"
gmer.exe -del reg " HKLM\SYSTEM\CurrentControlSet002\Services\ESQULserv"
gmer.exe -del reg " HKLM\SYSTEM\CurrentControlSet003\Services\ESQULserv"
gmer.exe -del reg " HKLM\SYSTEM\CurrentControlSet004\Services\ESQULserv"
gmer.exe -del reg " HKLM\SYSTEM\CurrentControlSet005\Services\ESQULserv"
gmer.exe -del file "%systemroot%\system32\drivers\ESQULnjcwmkqlvuquwfkutvqhpmnnabrxuscc.sys"
gmer.exe -del file "%systemroot%\system32\ESQULrdajbvevobhxhyavykbgcrqenhhhifwi.dll"
gmer.exe -del file "%systemroot%\system32\ESQULxyiocviqvabanebapxrdngduogdangsm.dll"
gmer.exe -reboot

and save it in the same directory with gmer.exe with the name 123.bat
Start this file with double-click.
After reboot repeat gmer- logfile.

**shadedsoul** · 24.07.2009, 20:54

Am I copying this into AVZ?

**Rene-gad** · 24.07.2009, 21:02

Сообщение от Rene-gad

Copy follow code into a new file

**shadedsoul** · 24.07.2009, 21:14

New log attached.

**Rene-gad** · 25.07.2009, 11:12

Nothing suspicious. How does your PC doing?
Make the standard logs, pls.

**shadedsoul** · 25.07.2009, 17:13

Everything seems to be running great. Thanks!

New logs uploaded.

**Rene-gad** · 25.07.2009, 19:56

Do it once more:
- Start/Run..., copy & paste follow string:

Код:

edit %systemroot%\system32\drivers\etc\hosts

press Enter, remove in the file all strings after 127.0.0.1 localhost.

File/Close/Safe changings ...

DON'T CLOSE THE WINDOW WITH A RED CROSS!!!

Don't use NOTHING excepted Antivirus and if you want - Firewall.
Update your version of Kaspersky.

**shadedsoul** · 26.07.2009, 00:06

Done and thanks again.

Alureon Trojan / Log Files now present!

Опции темы

Похожие темы

virus still present (заявка №67447)

Virus still present after formatting hd

Files infected with Trojan Horse & Downloader

to detect if virus is present

Attention, [ имя пользователя]! Some dangerous viruses detected in your system. Microsoft Windows XP files corrupted. This may lead to the destruction of important files in D:\WINDOWS. Download protection software now!

Метки для этой темы

Ваши права в разделе