Avast WEBforum
Other => Viruses and worms => Topic started by: oldman on January 03, 2008, 06:17:50 AM
-
This is gipsyking's new thread from http://forum.avast.com/index.php?topic=32338.msg270640#msg270640
gipsyking started with this:
Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop.
1. Click on Avenger.zip to open the file
- Extract avenger.exe to your desktop
Drivers to unload:
sqxoeibo
Files to delete:
C:\windows\system32\drivers\yfdaedfq.dat
C:\WINDOWS\system32\drmv2cltl.dll
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Copy/Paste all the text in the above quote box into this window by
- MAKE SURE THE TEXT MATCHES EXACTLY
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh DSS log
-
ok
-
See this pls...
-
Well that didn't go so well.
Open HJT again and click Open the Misc Tools Section. Near the top of the next window you'll see a button labelled Generate Startuplist log. Place a check mark in the two options next to this button ('List also minor Section' and 'List Empty Sections'), then click the Generate Startuplist log button. OK the warning dialogue and either post or attach the information that opens in Notepad.
Also please post a HJT log.
-
OK... I do this already..
-
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall.
-
and the other is??
-
I thought you already had this since you have DSS. It may be a bit before I can get back.
Click here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) to download HJTsetup.exe
- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
-
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File::
C:\WINDOWS\system32\drmv2cltl.dll
C:\WINDOWS\system32\drivers\yfdaedfq.dat
Folder::
C:\Documents and Settings\All Users\Application Data\SalesMon
This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HJT log.
-
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:00:15, on 05-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe
C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programas\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57952B9E-687A-415E-9D75-5A79317DFD23} - C:\WINDOWS\system32\drmv2cltl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Programas\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programas\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programas\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Programas\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198416317375
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E6E729-D71B-45DD-A0DD-27DD7208D5F4}: NameServer = 192.168.2.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programas\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7715 bytes
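As an added example (not code from the thread or from HijackThis), here is a small triage helper for HJT v2 logs like the one posted above. It parses the O2 (BHO) and O4 (Run) lines and flags what a removal helper looks at first: a BHO with no name (the drmv2cltl.dll entry) and Run entries whose module sits directly in system32 under a name that is not on a small allow-list. The allow-list and the extra [sysupd] line are constructed for illustration.

```python
# Added example (not code from the thread): a small HijackThis-log triage
# helper. It parses the "O2 - BHO:" and "O4 - ...\Run:" lines of an HJT
# v2 log and flags what a removal helper would look at first: BHOs with
# no name (the drmv2cltl.dll case above) and Run entries whose module sits
# directly in %SystemRoot%\system32 under a name not on a small allow-list.
# The allow-list is an assumption for illustration, not a HijackThis rule.
import re
from dataclasses import dataclass
from typing import List

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^\[]+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed allow-list: system32 modules expected on a stock XP box.
KNOWN_SYSTEM32 = {"ctfmon.exe", "nvcpl.dll", "nvmctray.dll", "nerocheck.exe"}


@dataclass
class Finding:
    section: str
    path: str
    reason: str


def module_path(cmd: str) -> str:
    """Extract the executable/DLL path from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with args
        return cmd[1:cmd.find('"', 1)]
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() == "rundll32.exe":
        return parts[1].split(",")[0]            # rundll32 <dll>,<entry>
    return parts[0] if parts else cmd


def in_system32(path: str) -> bool:
    """True if the file sits directly in \\WINDOWS\\system32 (not a subfolder)."""
    low = path.lower()
    marker = "\\windows\\system32\\"
    i = low.find(marker)
    return i >= 0 and "\\" not in low[i + len(marker):]


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O4 entries worth a second look, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip()
            base = path.rsplit("\\", 1)[-1].lower()
            if m.group("name") == "(no name)":
                findings.append(Finding("O2", path, "BHO with no name"))
            elif in_system32(path) and base not in KNOWN_SYSTEM32:
                findings.append(Finding("O2", path, "BHO loaded from system32"))
            continue
        m = O4_RE.match(line)
        if m:
            path = module_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1].lower()
            if in_system32(path) and base not in KNOWN_SYSTEM32:
                findings.append(Finding("O4", path, f"Run entry [{m.group('name')}] from system32"))
    return findings


# Sample lines taken from the log posted above, plus one constructed O4
# line ([sysupd]) so that the Run-entry rule has something to flag.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57952B9E-687A-415E-9D75-5A79317DFD23} - C:\WINDOWS\system32\drmv2cltl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [sysupd] C:\WINDOWS\system32\rpcc.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.path}  <- {f.reason}")
```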
-
OK... What is my problem??
-
Hi gipsyking
This was one of your problems, C:\WINDOWS\system32\drmv2cltl.dll, it's gone now.
But there is a bit more.
Please do this in the following order, then post the logs
1. run the combofix fix
2. run hijackthis
3. copy and paste the contents of C:\WINDOWS\wininit.ini
Right click on the above file; it will open with Notepad. Copy and paste the contents into a new Notepad and attach to your next reply.
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt". Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
Folder::
C:\Documents and Settings\JP\Application Data\systemerrorfixer
C:\Programas\SystemErrorFixer
C:\Programas\Ficheiros comuns\SystemErrorFixer
C:\Documents and Settings\All Users\Application Data\systemerrorfixer
This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
-
In C:\WINDOWS\wininit.ini
[rename]
c:\tempjunk647.tmp=C:\WINDOWS\system32\rpcc.exe
nul=c:\tempjunk647.tmp
And other posts...
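As an added example (not code from the thread), here is an interpreter for the [rename] section format of wininit.ini as posted above: each line is destination=source, a destination of nul means the source is deleted, and lines are read top to bottom so they can chain. It resolves the chain in gipsyking's file back to the original system32 file and reports the net effect, which is what a responder wants to know when reading such a file.

```python
# Added example (not code from the thread): an interpreter for the
# [rename] section of wininit.ini, the file gipsyking posted above.
# Each line is "destination=source"; a destination of "nul" means the
# source is deleted, and lines are read top to bottom, so two lines can
# chain: the posted file first moves system32\rpcc.exe to a temp name
# and then deletes that temp name, i.e. rpcc.exe is gone at next boot.
# net_effect() resolves such chains back to the original file, and
# flag_system32() reports what that does to files under system32.
from typing import Dict, List, Tuple


def parse_rename_section(text: str) -> List[Tuple[str, str]]:
    """Return (dest, src) pairs from [rename], in file order; other sections ignored."""
    pairs: List[Tuple[str, str]] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[rename]"
            continue
        if in_section and "=" in line:
            dest, src = line.split("=", 1)
            pairs.append((dest.strip(), src.strip()))
    return pairs


def net_effect(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each original source file to its fate: 'deleted' or its final path."""
    fate: Dict[str, str] = {}
    origin: Dict[str, str] = {}    # current (temp) name, lower-cased -> original source
    for dest, src in pairs:
        orig = origin.pop(src.lower(), src)   # follow a chain back to the original file
        if dest.lower() == "nul":
            fate[orig] = "deleted"
        else:
            fate[orig] = dest
            origin[dest.lower()] = orig
    return fate


def flag_system32(fate: Dict[str, str]) -> List[str]:
    """Warnings for system32 files that get removed/moved, or files planted into system32."""
    warnings: List[str] = []
    for src, result in fate.items():
        if "\\system32\\" in src.lower():
            warnings.append(f"system32 file {src}: {result}")
        elif "\\system32\\" in result.lower():
            warnings.append(f"{src} placed into system32 as {result}")
    return warnings


# The wininit.ini contents posted in the thread.
SAMPLE_WININIT = r"""
[rename]
c:\tempjunk647.tmp=C:\WINDOWS\system32\rpcc.exe
nul=c:\tempjunk647.tmp
"""

if __name__ == "__main__":
    for w in flag_system32(net_effect(parse_rename_section(SAMPLE_WININIT))):
        print(w)
```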
-
There's one line in the combo fix log that I don't like. I'd like to have a look in a different way.
Download WinPFind3u.exe (http://download.bleepingcomputer.com/oldtimer/winpfind3u.exe) to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
This log will be quite long. You can either use multiple posts or attach the log file if it's easier. In either case make sure the last line is < End of Report >.
Set it up as in the image here, except set it to 60 days
http://forum.avast.com/index.php?topic=31261.msg260811#msg260811
-
And this will delete my problem??
-
Sure hope so. :)
Tell me all the problems you are experiencing now.
-
AND NOW??
-
Sure hope so. :)
Tell me all the problems you are experiencing now.
This is my problem... virus C:\WINDOWS\system32\drmv2cltl.dll
Only... :X
-
Hi gipsyking
The problem file you mentioned is gone. But we are having difficulty in removing a different one. You had more than one problem.
We'll use avenger again.
Drivers to unload:
sqxoeibo
Files to delete:
C:\windows\system32\drivers\yfdaedfq.dat
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
- Under "Script file to execute" choose "Input Script Manually".
- Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
- Copy/Paste all the text in the above quote box into this window by
- MAKE SURE THE TEXT MATCHES EXACTLY
- Click Done
- Now click on the Green Light to begin execution of the script
- Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
- It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
- On reboot, it will briefly open a black command window on your desktop, this is normal.
- After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
4. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh combofix log
-
Sorry for the time, because I didn't have much time.. I'll post tonight... :X
thanks
-
Ok, I'll check tonight. 8) :D
-
OK.. is there much more left to delete this virus?? :X
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\oipnarsy
*******************
Script file located at: \??\C:\WINDOWS\ltcchies.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Driver sqxoeibo unloaded successfully.
File C:\windows\system32\drivers\yfdaedfq.dat not found!
Deletion of file C:\windows\system32\drivers\yfdaedfq.dat failed!
Could not process line:
C:\windows\system32\drivers\yfdaedfq.dat
Status: 0xc0000034
Completed script processing.
*******************
Finished! Terminate.
-
OK.. is there much more left to delete this virus??
Just post the combofix log I asked for and we'll know! 8)
-
Sorry....
-
Well gipsy, it seems you are king again. ;)
1. Click start button, click run, copy and paste the following line in the box, click ok
combofix /u
2. Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Double-click OTMoveIt.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.
3. Create a new restore point
You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.
Remove old restore points
4. Disk Cleanup
- Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
5. Download and run this clean up utility from the link below. You can use it regularly. When it's first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.
http://www.stevengould.org/downloads/cleanup/
6. It looks like you are using windows firewall. It doesn't provide outbound protection. A third party firewall will.
A discussion on free firewalls can be found here.
http://forum.avast.com/index.php?topic=30808.0
You can also delete any logs, notepads, etc. that you may have left that were created during this.
Take care and keep safe. 8)
-
1. Click start button, click run, copy and paste the following line in the box, click ok
combofix /u ?????
sorry, I don't understand :X
-
Copy and paste like in this picture ;)
http://forum.avast.com/index.php?topic=32519.msg271939#msg271939
-
The virus disappears... it disappeared.
deleted.. XD
Sorry for some things, but I am Portuguese.. :X
-
You do far better with English than I would with Portuguese, :)
Yes the bugs are gone. If you are still having problems let me know.
-
okok, thanks...
but what programs do you recommend for viruses and worms ...
I have Avast, Spybot and Microsoft Defender...
???
-
You may want to try superantispyware. The free version is on demand, so you would have to manually scan with it.
I'll give you a link and my suggested settings.
Download superantispyware (http://www.superantispyware.com/)
First update SAS Then
Under Configuration and Preferences, click the Preferences button.
Then click the Scanning Control tab.
Under Scanner Options make sure the following are checked
- CHECK ALL BOXES
Return to the main page by clicking close on that screen. On the main screen, under Scan for Harmful Software click Scan your computer. On the left check C:\Fixed Drive (and other fixed drives).
Under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan.
When the scan is done, quarantine everything found. Reboot if asked.
Sorry about not letting you know that that was the tools cleanup routine that is done when we're finished.
-
But the other programs that I have, can I delete them?? (Microsoft Defender and Spybot)
??
-
No, keep them. They're all compatible with each other.
-
okok... thanks... and other questions!! :X , HOW DO I ACTIVATE MY MICROSOFT OFFICE 2007?
if you know, thanks....
Do you know something about Visual Basic??
thanks again
-
Open an MS Office program (Word, Excel...), press F1 and search for activation. You'll get it.
-
yes I know, but it doesn't work....
-
What is the error message?
I won't ask you to ask for MS help... MS has one of the worst help supports of all...