Показано с 1 по 7 из 7.

I got some problem with spyware and adware

  1. #1
    Junior Member Репутация
    Регистрация
    13.05.2008
    Сообщений
    4
    Вес репутации
    58

    Exclamation I got some problem with spyware and adware

    Errm , hi, thanks for your time reading this.

    I scanned my PC and found some suspicious thing, so I think i should get some advice from you expert. Well, actually it doesnt have any syndromes of having some virus or problems, except there is some unwanted stuff in my start up list ~ ... I can't find a name coz everytime I delete it, it creates another one with another *random* name, for example *crbnnlgne* or like that. Don't know what is it, and don't know how to kill it, just, I dont want to see it anymore. It appears on procexp as "rundll32.exe"

    Check my log and tell me what's wrong please, thanks in advance.

    I do appreciate this.
    Вложения Вложения

  2. #2
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Pls. Fix with Hijackthis
    Код:
    O2 - BHO: (no name) - {40086575-99AF-4361-B0DD-D42127DF0298} - C:\WINDOWS\system32\urstq.dll (file missing)
    O2 - BHO: (no name) - {70AB0A8B-8A8A-496F-A339-4CD2F3352991} - C:\WINDOWS\system32\rqrqnkh.dll (file missing)
    O20 - Winlogon Notify: rqrqnkh - rqrqnkh.dll (file missing)
    Run the script
    Код:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
     StopService('Fms30');
     DeleteService('Fms30'); 
     QuarantineFile('C:\WINDOWS\System32\Drivers\Fms30.sys','');
     QuarantineFile('C:\WINDOWS\userinit.exe','');
     QuarantineFile('rqrqnkh.dll',''); 
     QuarantineFile('C:\WINDOWS\system32\urstq.dll','');
     QuarantineFile('C:\WINDOWS\system32\rqrqnkh.dll','');
     DelBHO('{70AB0A8B-8A8A-496F-A339-4CD2F3352991}');
     DelBHO('{40086575-99AF-4361-B0DD-D42127DF0298}');
     DeleteFile('C:\WINDOWS\system32\rqrqnkh.dll');
     DeleteFile('C:\WINDOWS\system32\urstq.dll');
     DeleteFile('rqrqnkh.dll');
     DeleteFile('C:\WINDOWS\System32\Drivers\Fms30.sys');
    BC_ImportDeletedList;
    ExecuteSysClean;
    ExecuteRepair(13);
    BC_Activate;
    RebootWindows(true);
    end.
    After rebooting upload the quarantine and make the new logs.

  3. #3
    Junior Member Репутация
    Регистрация
    13.05.2008
    Сообщений
    4
    Вес репутации
    58
    Best regard.

    Well, I tried to do as you guide, but Hijackthis work fine when avz doesn't really catch up anything in quarantine folder , is it normal? This is the log as running the script. I ran it once and restart, but doesnt catch up anything, so I delete the "restart" line and take the log, please take a look.

    >>>> Probable masking of executable file's name 1164 yahoom~1.exe, real name - YahooMessenger.exe
    1.1 Searching for user-mode API hooks
    Analysis: kernel32.dll, export table found in section .text
    Analysis: ntdll.dll, export table found in section .text
    Analysis: user32.dll, export table found in section .text
    Analysis: advapi32.dll, export table found in section .text
    Analysis: ws2_32.dll, export table found in section .text
    Analysis: wininet.dll, export table found in section .text
    Analysis: rasapi32.dll, export table found in section .text
    Analysis: urlmon.dll, export table found in section .text
    Analysis: netapi32.dll, export table found in section .text
    1.2 Searching for kernel-mode API hooks
    Driver loaded successfully
    SDT found (RVA=0846E0)
    Kernel ntkrnlpa.exe found in memory at address 804D7000
    SDT = 8055B6E0
    KiST = 80503734 (284)
    Function NtCreateKey (29) intercepted (80622048->F729D0D0), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtEnumerateKey (47) intercepted (80622888->F72A2FB2), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtEnumerateValueKey (49) intercepted (80622AF2->F72A3340), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtOpenKey (77) intercepted (806233DE->F729D0B0), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtQueryKey (A0) intercepted (80623702->F72A3418), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtQueryValueKey (B1) intercepted (80620102->F72A3298), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Function NtSetValueKey (F7) intercepted (80620708->F72A34AA), hook C:\WINDOWS\system32\Drivers\sptd.sys
    >>> Function restored successfully !
    >>> Hook code blocked
    Functions checked: 284, intercepted: 7, restored: 7
    1.3 Checking IDT and SYSENTER
    Analysis for CPU 1
    Analysis for CPU 2
    Checking IDT and SYSENTER - complete
    1.4 Searching for masking processes and drivers
    Checking not performed: extended monitoring driver (AVZPM) is not installed
    Driver loaded successfully
    1.5 Checking of IRP handlers
    \FileSystem\ntfs[IRP_MJ_CREATE] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_CLOSE] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_WRITE] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_QUERY_INFORMATION] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_SET_INFORMATION] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_QUERY_EA] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_SET_EA] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_QUERY_VOLUME_INFORMATION] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_SET_VOLUME_INFORMATION] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_DIRECTORY_CONTROL] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_FILE_SYSTEM_CONTROL] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_DEVICE_CONTROL] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_LOCK_CONTROL] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_QUERY_SECURITY] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_SET_SECURITY] = 86FD51E8 -> hook not defined
    \FileSystem\ntfs[IRP_MJ_PNP] = 86FD51E8 -> hook not defined
    Checking - complete
    Deleting service/driver: Fms30
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\Drivers\Fms30.sys)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\System32\Drivers\Fms30.sys)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\userinit.exe)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\userinit.exe)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (rqrqnkh.dll)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (rqrqnkh.dll)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\urstq.dll)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\urstq.dll)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\rqrqnkh.dll)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\rqrqnkh.dll)
    Quarantine file (direct disk reading) "%S" - failed (error)
    Delete file:C:\WINDOWS\system32\rqrqnkh.dll
    >>>To delete the file C:\WINDOWS\system32\rqrqnkh.dll reboot is required
    Delete file:C:\WINDOWS\system32\urstq.dll
    >>>To delete the file C:\WINDOWS\system32\urstq.dll reboot is required
    Delete file:rqrqnkh.dll
    >>>To delete the file rqrqnkh.dll reboot is required
    Delete file:C:\WINDOWS\System32\Drivers\Fms30.sys
    >>>To delete the file C:\WINDOWS\System32\Drivers\Fms30.sys reboot is required
    Removing traces of deleted files...
    Последний раз редактировалось iluvyoukai; 14.05.2008 в 06:16.

  4. #4
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для AndreyKa
    Регистрация
    08.01.2005
    Адрес
    Россия
    Сообщений
    13,632
    Вес репутации
    1315
    Run the script in AVZ:
    Код:
    begin
    SetAVZGuardStatus(True);
     QuarantineFile('C:\WINDOWS\system32\kgctsevd.dll','');
     DeleteFile('C:\WINDOWS\system32\kgctsevd.dll');
     BC_DeleteFile('C:\WINDOWS\system32\kgctsevd.dll');
    BC_Activate;
    ExecuteSysClean;
    RebootWindows(false);
    end.
    After rebooting upload the AVZ quarantine by the link:
    http://virusinfo.info/upload_virus_eng.php?tid=22787
    Make the new HijackThis log.

  5. #5
    Junior Member Репутация
    Регистрация
    13.05.2008
    Сообщений
    4
    Вес репутации
    58
    Thanks a lot Andrey, I've uploaded it ~

  6. #6
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Аватар для AndreyKa
    Регистрация
    08.01.2005
    Адрес
    Россия
    Сообщений
    13,632
    Вес репутации
    1315
    C:\WINDOWS\system32\kgctsevd.dll = not-a-virus:AdWare.Win32.Virtumonde.msm
    If you have any problem make the new log files and attach to the topic.

  7. #7
    Senior Member Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация Репутация
    Регистрация
    03.04.2006
    Сообщений
    21,100
    Вес репутации
    3023
    Цитата Сообщение от iluvyoukai Посмотреть сообщение
    Well, I tried to do as you guide, but Hijackthis work fine when avz doesn't really catch up anything in quarantine folder , is it normal?
    If we had written the script on monday and you run it on friday, than it's OK - after the next reboot all malware files change their names.

Похожие темы

  1. spyware adware.virtumonde & pryvaceremover.M64
    От razario в разделе Помогите!
    Ответов: 5
    Последнее сообщение: 22.02.2009, 07:50
  2. WM незагружаеться из за AdWare, SpyWare
    От STILLMAN в разделе Помогите!
    Ответов: 3
    Последнее сообщение: 21.10.2008, 18:55
  3. a problem with spyware window
    От micro в разделе Malware Removal Service
    Ответов: 1
    Последнее сообщение: 06.10.2008, 18:08
  4. не лечится Spyware и AdWare
    От Bravevk77 в разделе Помогите!
    Ответов: 1
    Последнее сообщение: 12.09.2008, 14:36
  5. a problem: spyware doctor found some threats...
    От Orange в разделе Malware Removal Service
    Ответов: 6
    Последнее сообщение: 16.06.2007, 17:38

Свернуть/Развернуть Ваши права в разделе

  • Вы не можете создавать новые темы
  • Вы не можете отвечать в темах
  • Вы не можете прикреплять вложения
  • Вы не можете редактировать свои сообщения
  •  
Page generated in 0.00651 seconds with 18 queries