Unknown virus

[issathi]

Hi after opening a file (which i can provide) the svchost.exe begun eating up my ram anti viruses report no infection but Rootkit Detective (mcafee) detects something please help if possible thank you

[Rene-gad]

Close/disable all the applications excluded AVZ and Internet Explorer.

- Disconnect your PC from network (internet/intranet)
- Disable antivirus, firewall and other memory resident security tools
- Disable System Restore

-Fix with Hijackthis

Код:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
 QuarantineFile('C:\DOCUME~1\issathi\LOCALS~1\Temp\Zf1.exe','');
 QuarantineFile('C:\WINDOWS\Zwokua.exe','');
 QuarantineFile('C:\WINDOWS\system32\sshnas21.dll','');
 DeleteFile('C:\WINDOWS\system32\sshnas21.dll');
 DeleteFile('C:\DOCUME~1\issathi\LOCALS~1\Temp\Zf1.exe');
 DeleteFile('C:\WINDOWS\Zwokua.exe');
 DeleteFile('C:\WINDOWS\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job');
 DeleteFile('C:\WINDOWS\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job');
ExecuteWizard('TSW', 2, 2, true);
ExecuteWizard('SCU', 2, 2, true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

If the system after reboot would try to install any unknown hardware, abort the installtion and remove unknown hardware over hardware manager

After reboot:

execute following script

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Make new logs and attach them to the new posting.

[issathi]

Thanks for reply, i can't upload quarantine.zip the Upload quarantined files tool is giveing this error - "Upload error. This file already was uploaded before"

[Rene-gad]

Let it run: http://support.kaspersky.com/faq/?qid=208280684

Close/disable all the applications excluded AVZ and Internet Explorer.

- Disconnect your PC from network (internet/intranet)
- Disable antivirus, firewall and other memory resident security tools
- Disable System Restore

-Fix with Hijackthis

Код:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

- Execute following script

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
  QuarantineFile('C:\WINDOWS\system32\f3b2.sys','');
 QuarantineFile('C:\WINDOWS\system32\e938.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\vdi3ndu1.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\fdd94.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\e5a9.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\6418.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\3bd9.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\1fa95.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\08e8.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\02693.SYS','');
 QuarantineFile('C:\WINDOWS\system32\drivers\0267.SYS','');
 QuarantineFile('C:\WINDOWS\system32\b024.sys','');
 QuarantineFile('C:\WINDOWS\system32\8ea4.sys','');
 QuarantineFile('C:\WINDOWS\system32\6342.sys','');
 QuarantineFile('C:\WINDOWS\system32\3cd3.sys','');
 QuarantineFile('C:\WINDOWS\system32\3609.sys','');
 QuarantineFile('C:\WINDOWS\system32\1b53.sys','');
 QuarantineFile('C:\WINDOWS\system32\02a7.sys','');
 QuarantineFile('C:\DOCUME~1\issathi\LOCALS~1\Temp\sfareca00001.dll','');
 QuarantineFile('C:\DOCUME~1\issathi\LOCALS~1\Temp\sfamcc00001.dll','');
 DeleteService('f3b2');
 DeleteService('e938');
 DeleteService('e5a9');
 DeleteService('b024');
 DeleteService('8ea4');
 DeleteService('6418');
 DeleteService('6342');
 DeleteService('3cd3');
 DeleteService('3bd9');
 DeleteService('3609');
 DeleteService('1fa95');
 DeleteService('1b53');
 DeleteService('08e8');
 DeleteService('02a7');
 DeleteService('02693');
 DeleteService('0267');
 DeleteFile('C:\WINDOWS\system32\f3b2.sys');
 DeleteFile('C:\WINDOWS\system32\e938.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\vdi3ndu1.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\fdd94.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\e5a9.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\6418.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\3bd9.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\1fa95.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\08e8.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\02693.SYS');
 DeleteFile('C:\WINDOWS\system32\drivers\0267.SYS');
 DeleteFile('C:\WINDOWS\system32\b024.sys');
 DeleteFile('C:\WINDOWS\system32\8ea4.sys');
 DeleteFile('C:\WINDOWS\system32\6342.sys');
 DeleteFile('C:\WINDOWS\system32\3cd3.sys');
 DeleteFile('C:\WINDOWS\system32\3609.sys');
 DeleteFile('C:\WINDOWS\system32\1b53.sys');
 DeleteFile('C:\WINDOWS\system32\02a7.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\vdi3ndu1.sys');
 DeleteFile('C:\DOCUME~1\issathi\LOCALS~1\Temp\sfareca00001.dll');
 DeleteFile('C:\DOCUME~1\issathi\LOCALS~1\Temp\sfamcc00001.dll');
 BC_DeleteSvc('f3b2');
 BC_DeleteSvc('e938');
 BC_DeleteSvc('e5a9');
 BC_DeleteSvc('b024');
 BC_DeleteSvc('8ea4');
 BC_DeleteSvc('6418');
 BC_DeleteSvc('6342');
 BC_DeleteSvc('3cd3');
 BC_DeleteSvc('3bd9');
 BC_DeleteSvc('3609');
 BC_DeleteSvc('1fa95');
 BC_DeleteSvc('1b53');
 BC_DeleteSvc('08e8');
 BC_DeleteSvc('02a7');
 BC_DeleteSvc('02693');
 BC_DeleteSvc('0267');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.

If the system after reboot would try to install any unknown hardware, abort the installtion and remove unknown hardware over hardware manager

After reboot:

execute following script

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
- Make new logs and attach them to the new posting.


PS: You have a russian system. Why did you open your thread in English forum?

[issathi]

did everything

PS. Oo sorry but my system is in english ))

[Rene-gad]

Logs are clean.

PS. Oo sorry but my system is in english ))

AVZ detects the system language and generate all comments in Russian - if the system language is Russian, or in English for all another languages. Such comments:

Версия Windows: 5.1.2600, Service Pack 3 ; AVZ работает с правами администратора
Восстановление системы: Отключено

are only in the 1st case possible.

[issathi]

thank you very much !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

and honestly my system is in english ))

[CyberHelper]

Статистика проведенного лечения:

• Получено карантинов: 1
• Обработано файлов: 42
• В ходе лечения вредоносные программы в карантинах не обнаружены