I think it's a Win32 bamital-x in the winlogon.exe. Please help!
from avz Log
and HJT
Upload result
File saved as 100823_184151_virusinfo_cure_4c7288afa8cc1.zip
File size 13139
MD5 1a594078d0d19b26b32e28fabc968871
File uploaded, thank you!
Last edited by Rene-gad; 23.08.2010 at 18:42. Reason: wrong log and quarantine removed
Hello,
Close/disable all applications except AVZ and Internet Explorer.
- Disconnect your PC from the network (internet/intranet)
- Disable antivirus, firewall and other memory-resident security tools
- Disable System Restore
- Execute the following script
If the system tries to install any unknown hardware after the reboot, abort the installation and remove the unknown hardware via the hardware manager.
Code:
begin
 SearchRootkit(true, true);
 SetAVZGuardStatus(True);
 ClearQuarantine;
 QuarantineFile('c:\windows\system32\winlogon.exe','');
 QuarantineFile('c:\windows\system32\ec27ser.exe','');
 QuarantineFile('c:\program files\common files\devicehelper\devicemanager.exe','');
 QuarantineFile('C:\WINDOWS\V0470Mon.exe','');
 ExecuteWizard('TSW', 3, 3, true);
 ExecuteWizard('SCU', 2, 2, true);
 BC_ImportAll;
 ExecuteSysClean;
 BC_Activate;
 SetAVZPMStatus(True);
 RebootWindows(true);
end.
After reboot:
- Execute the following script
Code:
begin
 CreateQurantineArchive('C:\quarantine.zip');
end.
- Upload C:\quarantine.zip via the link "Upload quarantined files" at the top of this page.
Here is the quarantine.zip file. Thanks!
Upload result
File saved as 100823_195634_quarantine_4c729a323767f.zip
File size 398527
MD5 4bfc9f71351aa521525a954f2618812c
File uploaded, thank you!
Last edited by Rene-gad; 23.08.2010 at 19:56. Reason: quarantine removed
Pls. be sure that you have really understood the instructions.
c:\windows\system32\winlogon.exe === Trojan.Win32.Patched.kl
Pls. replace the file
Code:
c:\windows\system32\winlogon.exe
from the original Windows CD using the Recovery Console: http://support.microsoft.com/kb/314058
Don't remove the infected file!!! Replace it.
After that pls. check your PC for other viruses using the Dr.Web Live CD: http://www.freedrweb.com/livecd/?lng=en
After that pls. make new logs according to the rules: http://virusinfo.info/showthread.php?t=9184
Last edited by Rene-gad; 23.08.2010 at 20:11. Reason: Added
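A defender's check for the replacement step above, added here as an example that is not part of this thread or of AVZ: it compares a suspect copy of a system file byte-for-byte against a known-good reference (for instance the copy on the Windows CD the post points to) and reports where the two differ, so that "patched" can be confirmed and the replacement verified rather than trusted on a detection name alone. The paths taken by compare_files are assumptions; the byte strings are constructed samples.

```python
"""Compare a suspect system file with a known-good reference copy."""
import hashlib
from pathlib import Path


def diff_report(suspect: bytes, reference: bytes) -> dict:
    """Hash both images and list the byte ranges [start, end) where they differ."""
    common = min(len(suspect), len(reference))
    regions, start = [], None
    for i in range(common):
        if suspect[i] != reference[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, common))
    if len(suspect) != len(reference):
        # A size mismatch (data appended or truncated) is reported as its own region.
        regions.append((common, max(len(suspect), len(reference))))
    return {
        "identical": suspect == reference,
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "size_delta": len(suspect) - len(reference),
        "modified_regions": regions,
    }


def compare_files(suspect_path: str, reference_path: str) -> dict:
    """Same report for two files on disk, e.g. the system32 copy vs. the CD copy (paths assumed)."""
    return diff_report(Path(suspect_path).read_bytes(), Path(reference_path).read_bytes())


# Constructed sample: a 1 KiB "reference" image and a copy modified in two
# places with 16 bytes appended, standing in for a patched binary.
REFERENCE = bytes(range(256)) * 4
_patched = bytearray(REFERENCE)
_patched[0x40:0x44] = b"\xe9\x00\x10\x00"
_patched[0x300:0x305] = b"PATCH"
SUSPECT = bytes(_patched) + b"\x00" * 16

if __name__ == "__main__":
    report = diff_report(SUSPECT, REFERENCE)
    print("identical:", report["identical"], "size delta:", report["size_delta"])
    for lo, hi in report["modified_regions"]:
        print(f"modified bytes 0x{lo:x}-0x{hi:x}")
```

A clean result (identical and no modified regions) after copying the file from the CD confirms the replacement; any remaining region means the file on disk is still not the original.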
Treatment statistics:
- Quarantines received: 2
- Files processed: 13
- Malicious programs found during treatment:
- c:\windows\system32\winlogon.exe - Trojan.Win32.Patched.kl ( DrWEB: Win32.Dat.3, BitDefender: Win32.Loader.O, NOD32: Win32/Bamital.DX trojan )