take a look see..
jamesboucher.blogspot.com
Please turn off System Restore (how to do it is explained in the rules).
Then in AVZ: File - Custom scripts
Execute the following script (copy it, paste it into the AVZ script window and execute):
Your computer will reboot.
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\Documents and Settings\HP_Owner\Local Settings\Temp\syswcc32.exe','');
DelBHO('{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}');
QuarantineFile('sockins32.dll','');
DelBHO('{796D0543-75A7-444B-BED9-236FBBA5FA72}');
QuarantineFile('C:\WINDOWS\system32\ssqOEWNE.dll','');
QuarantineFile('C:\WINDOWS\system32\ulplqxjw.dll','');
QuarantineFile('C:\WINDOWS\system32\sockins32.dll','');
QuarantineFile('C:\WINDOWS\system32\qcntokdn.exe','');
QuarantineFile('C:\WINDOWS\system32\jnwnw64o.exe','');
QuarantineFile('C:\WINDOWS\SMINST\RECGUARD.EXE','');
QuarantineFile('C:\WINDOWS\system32\wodUpdSv.exe','');
QuarantineFile('C:\WINDOWS\b2new.exe','');
QuarantineFile('c:\windows\system32\wodupdsv.exe','');
DeleteFile('C:\WINDOWS\b2new.exe');
DeleteFile('C:\WINDOWS\system32\jnwnw64o.exe');
DeleteFile('C:\WINDOWS\system32\qcntokdn.exe');
DeleteFile('C:\WINDOWS\system32\sockins32.dll');
DeleteFile('C:\WINDOWS\system32\ulplqxjw.dll');
DeleteFile('C:\WINDOWS\system32\ssqOEWNE.dll');
DeleteFile('sockins32.dll');
DeleteFile('C:\Documents and Settings\HP_Owner\Local Settings\Temp\syswcc32.exe');
DelCLSID('66186F05-BBBB-4a39-864F-72D84615C679');
BC_ImportALL;
ExecuteSysClean;
BC_DeleteSvc('MsSecurity1.209.4');
BC_Activate;
RebootWindows(true);
end.
Upload the quarantined files according to the Appendix 3 of the rules. (upload here: http://virusinfo.info/upload_virus_eng.php?tid=22694 )
Clear your temp folders and the internet cache.
Make new logs.
Revenge is the dream of the weak; forgiveness is the lot of the strong.
You can support the project here
as requested...
Much better, but not enough
Fix these lines in hijackthis:
Please make sure to disable your antivirus and firewall (I mean your AVG) and the internet!
Code:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: http://www.fighthype.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
Execute the following script in AVZ.
Your computer will reboot.
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
DelBHO('{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}');
DelBHO('{c900b400-cdfe-11d3-976a-00e02913a9e0}');
QuarantineFile('C:\WINDOWS\system32\wodUpdSv.exe','');
QuarantineFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\eqdssnp.exe','');
QuarantineFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\syswcc32.exe','');
QuarantineFile('C:\Program Files\webHancer\programs\whiehlpr.dll','');
DeleteFile('C:\Program Files\webHancer\programs\whiehlpr.dll');
DeleteFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\eqdssnp.exe');
DeleteFile('C:\Documents and Settings\Administrator.CHOMPER\Local Settings\Temp\syswcc32.exe');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(11);
ExecuteRepair(17);
BC_Activate;
RebootWindows(true);
end.
Upload the quarantined files according to the Appendix 3 of the rules. (upload here: http://virusinfo.info/upload_virus_eng.php?tid=22694 )
Clear your temp folders and the internet cache.
Make new logs.
P.S. In the previous quarantine we got from you just a copy of the:
C:\Documents and Settings\HP_Owner\Local Settings\Temp\syswcc32.exe - not-a-virus:AdWare.Win32.WebHancer.423 (Kaspersky)
C:\WINDOWS\b2new.exe - Trojan-Downloader.Win32.Agent.otg (Kaspersky)
C:\WINDOWS\system32\sockins32.dll - not-a-virus:AdWare.Win32.BHO.awz (Kaspersky)
Did you forget to disable AVG before executing our script?
Last edited by drongo; 12.05.2008 at 11:30. Reason: Added
*Click and run, if you want the help to become better and faster
*MyFirefox Portable
special avz @ rapidshare.com
md5: 2091925798B7909E010E3F7E328C5F0D
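The HijackThis O15 lines above are Internet Explorer "Trusted Zone" additions: sites listed there run with relaxed security settings, and entries marked (HKLM) apply to every account on the machine, while the others apply only to the current user. The O21 line is a ShellServiceObjectDelayLoad entry whose CLSID points at a component that no longer exists ("(no file)"), i.e. a leftover autostart hook. As an added example (not code from the forum thread, from HijackThis or from AVZ), the script below parses such lines from a HijackThis-style log and reports every Trusted Zone entry not on a small allowlist plus every orphaned SSODL entry. The sample log is constructed from the entries quoted in the post; the allowlisted `*.intranet.example` line is an assumption added to show a benign entry being skipped.

```python
"""Flag Trusted Zone additions (O15) and orphaned SSODL entries (O21) in a
HijackThis-style log. Added example; not part of the thread, HijackThis or AVZ."""
import re

# "O15 - Trusted Zone: <entry>" with an optional "(HKLM)" machine-wide marker.
O15_RE = re.compile(r"^O15 - Trusted Zone:\s+(?P<entry>\S+)(?:\s+\((?P<hive>HKLM)\))?\s*$")
# "O21 - SSODL: <name> - {CLSID} - <path or (no file)>"
O21_RE = re.compile(
    r"^O21 - SSODL:\s+(?P<name>.+?)\s+-\s+(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<path>.+)$"
)

# Constructed sample log: O15/O21 lines taken from the post, plus one benign
# O4 line and one assumed intranet entry that the allowlist should accept.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: http://www.fighthype.com
O15 - Trusted Zone: *.intranet.example
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
"""


def normalize_host(entry):
    """Reduce '*.amaena.com' or 'http://www.fighthype.com' to a bare host name."""
    host = re.sub(r"^[a-z]+://", "", entry.lower())
    host = host.split("/")[0]
    return host.lstrip("*.")


def parse_line(line):
    """Return a dict describing an O15 or O21 line, or None for other lines."""
    m = O15_RE.match(line)
    if m:
        scope = "HKLM (all users)" if m.group("hive") else "HKCU (current user)"
        return {"kind": "O15", "entry": m.group("entry"),
                "host": normalize_host(m.group("entry")), "scope": scope}
    m = O21_RE.match(line)
    if m:
        return {"kind": "O21", "name": m.group("name"),
                "clsid": m.group("clsid"), "path": m.group("path").strip()}
    return None


def is_allowed(host, allowlist):
    """Exact match or subdomain of an allowlisted host."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def find_findings(log_text, allowlist=frozenset()):
    """Scan a log and return (type, detail, entry) tuples worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line.strip())
        if rec is None:
            continue
        if rec["kind"] == "O15" and not is_allowed(rec["host"], allowlist):
            findings.append(("trusted-zone", rec["scope"], rec["entry"]))
        elif rec["kind"] == "O21" and rec["path"].lower() == "(no file)":
            findings.append(("orphaned-ssodl", rec["clsid"], rec["name"]))
    return findings


if __name__ == "__main__":
    for kind, detail, entry in find_findings(SAMPLE_LOG, {"intranet.example"}):
        print(f"{kind:15} {detail:22} {entry}")
```

Trusted Zone entries that the user did not add themselves are worth removing regardless of the domain, and the machine-wide (HKLM) ones deserve particular attention because they survive switching to another user account.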
ok done.. no firewall was active and I was disconnected from the net...
OK, I see you also have some webHancer infection. Very nice instructions at
http://www.2-spyware.com/remove-webhancer.html
Did you install C:\Program Files\SKR\BrowserSniffer.dll yourself? It is a keylogger; did you know about it?
No I did not install that or know about it... I do not want a key logger...
http://www.smartkeystrokerecorder.com/faq.htm#q7
Q. How do I remove Smart Keystroke Recorder from my system?
A. Simply uninstall it by 1) Clicking on Control Panel 2) Click on Add/Remove Programs 3) Choose Smart Keystroke Recorder.
After cleaning, you can make new logs.
By the way, why are you still using an administrator account? About 90 percent of malware can't even install in a limited user account. Read more: http://www.microsoft.com/protect/com...eraccount.mspx
Last edited by drongo; 13.05.2008 at 12:15.