My computer has been running really slow and I have been getting a pop-up every time I open Internet Explorer. I have attached the three logs.
Hello,
Download the latest version of AVZ 4.32 via the link in the rules.
Update the database (File/Database Update).
Switch off/disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- Fix with HijackThis:
Code:
O4 - HKLM\..\Run: [gemularole] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s
O4 - HKLM\..\Run: [14e9854a] rundll32.exe "C:\WINDOWS\system32\lehevusa.dll",b
O4 - HKLM\..\Run: [CPM17dab6d6] Rundll32.exe "c:\windows\system32\pujiyiho.dll",a
O4 - HKCU\..\Run: [CPM17dab6d6] Rundll32.exe "c:\windows\system32\pujiyiho.dll",a
O4 - HKUS\S-1-5-19\..\Run: [gemularole] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [gemularole] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: tazzri.dll C:\WINDOWS\system32\gukejibu.dll avgrsstx.dll c:\windows\system32\pujiyiho.dll
O20 - Winlogon Notify: fccCVpNF - fccCVpNF.dll (file missing)
O20 - Winlogon Notify: mlJYqNgD - mlJYqNgD.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujiyiho.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujiyiho.dll (file missing)
- Execute the following script:
Code:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\gosofuwu.dll','');
 QuarantineFile('C:\WINDOWS\system32\gukejibu.dll','');
 QuarantineFile('C:\WINDOWS\system32\lehevusa.dll','');
 QuarantineFile('c:\windows\system32\pujiyiho.dll','');
 QuarantineFile('fccCVpNF.dll','');
 QuarantineFile('mlJYqNgD.dll','');
 QuarantineFile('tazzri.dll','');
 QuarantineFile('C:\Program Files\PremiereAdvertisingPlatform\PremiereAdvertisingPlatform.dll','');
 QuarantineFile('C:\WINDOWS\system32\mlJYqNgD.dll','');
 QuarantineFile('C:\WINDOWS\system32\hgGxUlii.dll','');
 QuarantineFile('C:\WINDOWS\system32\pegojehe.dll','');
 DeleteFile('C:\WINDOWS\system32\pegojehe.dll');
 DeleteFile('C:\WINDOWS\system32\hgGxUlii.dll');
 DeleteFile('C:\WINDOWS\system32\mlJYqNgD.dll');
 DeleteFile('C:\Program Files\PremiereAdvertisingPlatform\PremiereAdvertisingPlatform.dll');
 DeleteFile('tazzri.dll');
 DeleteFile('mlJYqNgD.dll');
 DeleteFile('fccCVpNF.dll');
 DeleteFile('c:\windows\system32\tazzri.dll');
 DeleteFile('c:\windows\system32\mlJYqNgD.dll');
 DeleteFile('c:\windows\system32\fccCVpNF.dll');
 DeleteFile('c:\windows\system32\pujiyiho.dll');
 DeleteFile('C:\WINDOWS\system32\lehevusa.dll');
 DeleteFile('C:\WINDOWS\system32\gukejibu.dll');
 DeleteFile('C:\WINDOWS\system32\gosofuwu.dll');
 DelBHO('{5600363C-B1A7-464C-9D48-B57A901A74FA}');
 DelBHO('{547395D9-934A-CED6-B851-F238C86079E5}');
 DelBHO('{215A62BC-56A8-49A7-871D-5166C1C95D7C}');
 DelBHO('{14a48a29-9c61-431a-8bce-3b3dbadc1857}');
 BC_ImportAll;
 ExecuteSysClean;
 BC_Activate;
 RebootWindows(true);
 ExecuteRepair(7);
 SetAVZPMStatus(True);
end.
After reboot, execute the following script:
Code:
begin
 CreateQurantineArchive('C:\quarantine.zip');
end.
- Clean the Temp folders, the browser caches and the Recycler. Use the Windows tool cleanmgr, or CCleaner or ClearProg.
- Close all programs and start only Internet Explorer!!!
- Repeat the 3 log files.
- Switch the antivirus and, if you have one, the firewall back on.
- Go online.
- Upload C:\quarantine.zip via the "Upload quarantined files" link at the top of this page.
- Attach the 3 logs to your new post.
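The HijackThis sections the helper fixes above are the classic DLL-loading persistence points on this generation of Windows: a Run value that launches a DLL through rundll32, AppInit_DLLs (loaded into every process that links user32.dll), Winlogon Notify (loaded into winlogon.exe as SYSTEM), and SSODL / SharedTaskScheduler (loaded into explorer.exe). The entries marked "(file missing)" still need their registry references removed, which is why the HijackThis fix comes first and the DeleteFile calls for those names are harmless. The AVZ script is derived almost mechanically from the log. As an added example, not part of the thread and not HijackThis or AVZ code, the following Python parses those HijackThis lines, deduplicates the DLLs case-insensitively, skips an allowlisted legitimate AppInit entry (avgrsstx.dll, which the helper's script also leaves alone; treating it as the installed AV product's own DLL is an assumption), and emits an AVZ quarantine/delete script in the shape of the one posted. The sample log is constructed from a subset of the lines quoted in the post, and the system32 path used for bare file names is an assumption.

```python
"""Triage HijackThis persistence lines and emit an AVZ quarantine script.

Added example for this thread; it is not HijackThis or AVZ code. Assumptions:
the allowlist below, the system32 path used for bare DLL names, and the sample
log, which is constructed from a subset of the lines quoted in the post.
"""
import re
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied from the helper's post above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [gemularole] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s
O4 - HKLM\..\Run: [14e9854a] rundll32.exe "C:\WINDOWS\system32\lehevusa.dll",b
O4 - HKCU\..\Run: [CPM17dab6d6] Rundll32.exe "c:\windows\system32\pujiyiho.dll",a
O4 - HKUS\S-1-5-19\..\Run: [gemularole] Rundll32.exe "C:\WINDOWS\system32\gosofuwu.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: tazzri.dll C:\WINDOWS\system32\gukejibu.dll avgrsstx.dll c:\windows\system32\pujiyiho.dll
O20 - Winlogon Notify: fccCVpNF - fccCVpNF.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujiyiho.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pujiyiho.dll (file missing)
"""

# Assumption: avgrsstx.dll is the installed AV product's own AppInit DLL; the
# helper's script leaves it alone, so it is allowlisted here.
ALLOWLIST = {"avgrsstx.dll"}
# Assumption: where a bare file name (AppInit_DLLs, Winlogon Notify) normally lives.
SYSTEM32 = r"C:\WINDOWS\system32"


@dataclass(frozen=True)
class Entry:
    section: str    # O4, O20, O21 or O22
    location: str   # e.g. HKLM\..\Run, AppInit_DLLs, Winlogon Notify, SSODL
    dll: str        # path or bare file name exactly as HijackThis printed it
    missing: bool   # HijackThis appended "(file missing)"


O4_RE = re.compile(r"^O4 - (?P<loc>\S+): \[[^\]]*\] (?P<cmd>.*?)(?: \(User .*\))?$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.I)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
SHELL_RE = re.compile(r"^(?P<sec>O2[12]) - (?P<loc>\w+): \w+ - \{[0-9A-Fa-f-]+\} - (?P<dll>.+?)(?P<missing> \(file missing\))?$")


def parse_hjt(text):
    """Return the DLL-loading persistence entries found in a HijackThis log."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := O4_RE.match(line):
            # Only Run entries that launch a DLL through rundll32 are collected.
            if r := RUNDLL_RE.search(m["cmd"]):
                entries.append(Entry("O4", m["loc"], r["dll"], False))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is a space-separated list; each DLL is loaded into
            # every process that links user32.dll.
            for dll in m["dlls"].split():
                entries.append(Entry("O20", "AppInit_DLLs", dll, False))
        elif m := NOTIFY_RE.match(line):
            entries.append(Entry("O20", "Winlogon Notify", m["dll"], bool(m["missing"])))
        elif m := SHELL_RE.match(line):
            entries.append(Entry(m["sec"], m["loc"], m["dll"], bool(m["missing"])))
    return entries


def unique_dlls(entries, allowlist=ALLOWLIST):
    """DLLs to quarantine, in first-seen order, case-insensitively deduplicated."""
    seen, out = set(), []
    for e in entries:
        if e.dll.rsplit("\\", 1)[-1].lower() in allowlist:
            continue
        if e.dll.lower() not in seen:
            seen.add(e.dll.lower())
            out.append(e.dll)
    return out


def build_avz_script(entries, allowlist=ALLOWLIST):
    """Emit an AVZ script in the shape of the one posted in the thread."""
    dlls = unique_dlls(entries, allowlist)
    lines = ["begin", " SearchRootkit(true, true);", " SetAVZGuardStatus(True);"]
    lines += [f" QuarantineFile('{d}','');" for d in dlls]
    for d in dlls:
        lines.append(f" DeleteFile('{d}');")
        if "\\" not in d:  # bare name: also try the usual system32 location
            lines.append(f" DeleteFile('{SYSTEM32}\\{d}');")
    lines += [" BC_ImportAll;", " ExecuteSysClean;", " BC_Activate;",
              " RebootWindows(true);", "end."]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_HJT)
    for e in found:
        print(f"{e.section:<4}{e.location:<24}{e.dll}{'  (missing)' if e.missing else ''}")
    print(build_avz_script(found))
```

Run it as-is and it prints the parsed entries followed by the generated script; point `parse_hjt` at a real log and review the output before pasting it into AVZ, since the allowlist is the only thing standing between a legitimate AppInit DLL and the quarantine.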
I have done everything you said and I have attached the three newest logs. I have uploaded the quarantine.zip too.
It looks much better now.
Copy the code into a new text file.
Save it as e.g. 123.reg and start it with a double click.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"LsaPid"=dword:00000328
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
  54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
  00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:2d,5d,1e,b5,8d,0a,ea,78,d0,b5,27,f4,98,3a,3a,a4,35,63,63,37,36,\
  37,64,32,00,68,07,00,01,00,00,00,dc,00,00,00,e0,00,00,00,48,fa,06,00,97,55,\
  52,74,04,00,00,00,a0,fd,06,00,b8,fd,06,00,61,ea,b6,62

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:0a,7c,bb,22,03,b1,cd,2f,32

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:bd,dc,51,b7,29,24

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\msv1_0]
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:19,ff,2e,fa,8f,10,ae,d1,a0,5c,34,a5,ff,a9,be,7a

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:2e,71,69,ee,6a,b0,c8,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,e1,e2,ad,f3,9d,c8,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,95,a7,b2,f3,9d,c8,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,95,a7,b2,f3,9d,c8,01
"Type"=dword:00000031
After that, reboot your system and make only a virusinfo_syscheck log.
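The values this .reg file rewrites are the ones LSASS reads at boot. "Authentication Packages", "Security Packages" and "Notification Packages" are REG_MULTI_SZ lists of DLL names that lsass.exe loads, so a DLL planted in one of them runs inside LSASS as SYSTEM and sees every logon, which is why restoring the lists to known contents is part of the cleanup. In a .reg export those lists appear as hex(7) UTF-16LE byte dumps split over continuation lines, which are hard to check by eye. As an added example, not from the thread and not code from any tool named in it, the following Python joins the continuation lines, decodes the three lists and reports any package not in the lists the helper's file restores. Both samples are constructed: one copies the three values from the 123.reg above, the other registers a hypothetical extra password filter named pwdfilt. The expected lists are this XP system's, as written in the helper's file; other Windows versions ship different defaults, so adjust EXPECTED before reusing it. Note also that the file sets lmcompatibilitylevel and nolmhash back to 0 (the XP defaults), which undoes any hardening of those two values.

```python
"""Decode the LSA package lists from a .reg export and flag unexpected DLLs.

Added example for this thread; it is not code from the post or from any tool
named in it. The expected package lists are taken from the helper's 123.reg,
and the tampered sample (with a hypothetical pwdfilt entry) is constructed here.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Expected contents, as written in the helper's .reg file (this XP system's
# defaults; other Windows versions ship different lists).
EXPECTED = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

# Constructed sample 1: the three package values exactly as they appear in the
# helper's 123.reg, including the trailing-backslash line continuations.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
  00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"""


def encode_multi_sz(strings):
    """Encode a list of strings as a .reg hex(7) (REG_MULTI_SZ) value."""
    # Each string is NUL terminated and the list ends with an extra NUL, UTF-16LE.
    raw = ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(value):
    """Decode a hex(7) value back into its list of strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ value: " + value[:16])
    raw = bytes(int(h, 16) for h in value[len("hex(7):"):].split(",") if h.strip())
    return [s for s in raw.decode("utf-16-le").split("\0") if s]


def parse_reg(text):
    """Map (key, value name) -> raw value text for a Version 5.00 .reg file."""
    # A line ending in ',\' continues on the next (indented) line.
    joined = re.sub(r",\\\r?\n[ \t]*", ",", text)
    values, key = {}, None
    for line in (raw.strip() for raw in joined.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key is not None:
            name, _, val = line.partition("=")
            values[(key, name.strip('"'))] = val
    return values


def audit_lsa_packages(reg_text, expected=EXPECTED):
    """Return {value name: [unexpected packages]} for the LSA package lists."""
    values = parse_reg(reg_text)
    findings = {}
    for name, allowed in expected.items():
        val = values.get((LSA_KEY, name))
        if val is None:
            continue  # value not exported; nothing to compare
        extra = [p for p in decode_multi_sz(val) if p.lower() not in allowed]
        if extra:
            findings[name] = extra
    return findings


# Constructed sample 2: the same key with a hypothetical extra DLL registered as
# a password filter. Everything listed here is loaded into lsass.exe at boot.
TAMPERED_REG = (
    "Windows Registry Editor Version 5.00\n\n"
    f"[{LSA_KEY}]\n"
    f'"Authentication Packages"={encode_multi_sz(["msv1_0"])}\n'
    f'"Notification Packages"={encode_multi_sz(["scecli", "pwdfilt"])}\n'
)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_REG), ("tampered", TAMPERED_REG)):
        print(label, audit_lsa_packages(sample) or "OK")
```

To check a live system, export the Lsa key with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and pass the file contents to `audit_lsa_packages`; the same decoder also makes the "ProviderPath" and "ProviderOrder" values readable after swapping the `hex(7):` prefix check for `hex(2):`.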
How do you make a new text file?
I made the txt file and opened it but nothing happened. What do I have to do for it to work?
You forgot about one little thing...
You have to click on the .reg file in order to insert the data into the registry. Save it as 123.reg.
*Click and execute if you want the help to become better and faster
*MyFirefox Portable
special avz @ rapidshare.com
md5: 2091925798B7909E010E3F7E328C5F0D
Ok, I inserted the file into the registry and rebooted the system. I have attached the new log.
AXPDefender is a rogue anti-spyware program. Did you install it yourself? Uninstall it.
The Bonjour service should be uninstalled too (how-to: http://virusinfo.info/showthread.php?t=42263 ).