tumazuba.dll pedepara.dll and AKM Antivirus ...

[hiepthong]

I'm from VietNam so i can't type English fluenly . Sorry
All process in my computer always load pedepara.dll and tumazuba.dll , When i installing Kaspersky Internet Security it automatic CANCEL . Virus auto download AKM Antivirus 2010 Pro in my computer but i think i was killed it .
This is my file of system analysis .

Please help me to kill tumazuba.dll...
Thanks.

[Rene-gad]

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore


- Execute following script in Manual Healing

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 TerminateProcessByName('c:\program files\svchost.exe');
 StopService('SysLib6');
 StopService('SysLib5');
 StopService('SysLib4');
 StopService('SysLib3');
 StopService('SysLib2');
 StopService('SysLib1');
 StopService('SysLib0');
 StopService('AdbUpd');
 RegKeyParamDel('HKEY_USERS','S-1-5-21-57989841-1035525444-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run-','M5T8QL3YW3');
 RegKeyParamDel('HKEY_USERS','S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run','kaluzehoto');
 RegKeyParamDel('HKEY_USERS','S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run','kaluzehoto');
 RegKeyParamDel('HKEY_USERS','S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run','syncman');
 RegKeyParamDel('HKEY_USERS','.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run','syncman');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\SSHNAS\Parameters','ServiceDll');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Eventlog\Application\WgaSetup','EventMessageFile');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad','gosoyohuf');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','pabihasaz');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run-','lsdefrag');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows\CurrentVersion\Run','kaluzehoto');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler','{cc627c8d-9928-47ae-b70c-b1bfa4e5ce67}');
 RegKeyParamDel('HKEY_LOCAL_MACHINE','Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxtcui','DLLName');
 QuarantineFile('pedabara.dll','');
 QuarantineFile('kupusalo.dll','');
 QuarantineFile('hijiwuba.dll','');
 QuarantineFile('D:\unikey32\UniKeyNT.exe','');
 QuarantineFile('C:\WINDOWS\Temp\wpv031274463716.exe','');
 QuarantineFile('c:\windows\system32\uaservice7.exe','');
 QuarantineFile('c:\windows\system32\tumazuba.dll','');
 QuarantineFile('c:\windows\system32\sshnas21.dll','');
 QuarantineFile('C:\WINDOWS\system32\pedabara.dll','');
 QuarantineFile('C:\WINDOWS\system32\dskquoui32.dll','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib6.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib5.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib4.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib3.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib2.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib1.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\SysLib0.sys','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\rt2870.sys','');
 QuarantineFile('C:\WINDOWS\Qvadaa.exe','');
 QuarantineFile('C:\WINDOWS\fonts\services.exe','');
 QuarantineFile('c:\program files\tenda\w311u\ui.exe','');
 QuarantineFile('c:\program files\svchost.exe','');
 QuarantineFile('C:\Program Files\Finale 2010\finale.exe','');
 QuarantineFile('c:\documents and settings\godcallme\wuaucldt.exe','');
 QuarantineFile('C:\documents and settings\all users\application data\godcallme\UpdateLogon.dll','');
 QuarantineFile('C:\DOCUME~1\GODCAL~1\LOCALS~1\Temp\Qdd.exe','');
 QuarantineFile('C:\DOCUME~1\GODCAL~1\LOCALS~1\Temp\oyaitlh','');
 QuarantineFile('C:\A&APress\index.html','');
 QuarantineFile('AdbUpd.sys','');
 DeleteService('SysLib6');
 DeleteService('SysLib5');
 DeleteService('SysLib4');
 DeleteService('SysLib3');
 DeleteService('SysLib2');
 DeleteService('SysLib1');
 DeleteService('SysLib0');
 DeleteService('AdbUpd');
 DeleteFile('pedabara.dll');
 DeleteFile('kupusalo.dll');
 DeleteFile('hijiwuba.dll');
 DeleteFile('C:\WINDOWS\Temp\wpv031274463716.exe');
 DeleteFile('c:\windows\system32\tumazuba.dll');
 DeleteFile('c:\windows\system32\sshnas21.dll');
 DeleteFile('C:\WINDOWS\system32\pedabara.dll');
 DeleteFile('C:\WINDOWS\system32\dskquoui32.dll');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib6.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib5.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib4.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib3.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib2.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib1.sys');
 DeleteFile('C:\WINDOWS\System32\Drivers\SysLib0.sys');
 DeleteFile('C:\WINDOWS\Qvadaa.exe');
 DeleteFile('C:\WINDOWS\fonts\services.exe');
 DeleteFile('c:\program files\svchost.exe');
 DeleteFile('C:\DOCUME~1\GODCAL~1\LOCALS~1\Temp\Qdd.exe');
 DeleteFile('AdbUpd.sys');
 DeleteFile('%windir%\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job');
 DeleteFile('%windir%\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
 DelBHO('{3b411606-960a-45a3-9a96-0bbb46a13ca3}');
 BC_DeleteSvc('SysLib6');
 BC_DeleteSvc('SysLib5');
 BC_DeleteSvc('SysLib4');
 BC_DeleteSvc('SysLib3');
 BC_DeleteSvc('SysLib2');
 BC_DeleteSvc('SysLib1');
 BC_DeleteSvc('SysLib0');
 BC_DeleteSvc('AdbUpd');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

After reboot:
- Execute following script in Manual Healing

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');    
end.

- Upload the C:\quarantine.zip here: http://virusinfo.info/upload_virus_eng.php?tid=79053
- Make a new log file.
- Make a Hijackthis-Log
- Attach a new log to your new post..

[hiepthong]

Thank you Rene-gad for your help . My computer is clean . but have a problem in " DeleteService('SysLib5'); " , if i don't delete it Windows will show "blue screen" .
Wish you have a good time.

[Rene-gad]

- Make a new log file.
- Make a Hijackthis-Log
- Attach a new log to your new post..