The key thing is for us to get that driver and file off your machine at this stage. It is just reinfecting you as we go.
Delete the version of AVZ you have on your machine - it looks like it has been infected - and then copy AVZ across from your CD (it should be OK).
This time we will hit it hard.
The plan is to run DrWeb again, then run AVZ to clear off the file and driver, then Dr Web again to clear any further infections off, and then run AVZ to see where we stand.
1) In your post dated May 28 2010, 03:50 PM, the DrWeb download that you suggested was for a file named "launch.exe". That is the file I have. While in your post Posted Yesterday, 08:44 AM, in step 2 you mention to double click on the "drweb-cureit.exe" file. Please let me know if both the launch.exe file and the drweb-cureit.exe file you are referring to are the same, or whether I need to download anything more.
Your assumption is correct - they are the same, you don't need to download anything more.
====STEP 1====
- Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
- This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, choose the Complete Scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look and see if you can click the following icon next to the files found:

- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

- This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer to allow files that were in use to be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE:
During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.
As soon as Dr. Web has run, look at the report and if you see any file with this after it: Win32.Sector.5, then run Sality_off as described in Step 4 before moving on to Step 2.
====STEP 2====
- Double-click on AVZ.exe
- Click File > Custom scripts
- Copy & paste the contents of the following codebox into the box in the program (start with begin and end with end)
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
StopService('asc3360pr');
DeleteService('asc3360pr');
SetServiceStart('asc3360pr', 4);
BC_DeleteFile('C:\WINDOWS\system32\drivers\emhtks.sys');
DeleteFile('C:\WINDOWS\system32\drivers\emhtks.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
- Note: When you run the script, your PC will be restarted
- Click Run
- Restart your PC if it doesn't do it automatically.
When restarted:
- Start AVZ.
- Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.

- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post.
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on the icon to insert the attachment into your post
====STEP 3====
- Double-click the drweb-cureit.exe file, then click Start and allow it to run the express scan.
- This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, choose the Complete Scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look and see if you can click the following icon next to the files found:

- If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

- This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer to allow files that were in use to be moved/deleted during reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new OTL log.
NOTE:
During the scan, a pop-up window will open asking for full version purchase. Simply close the window by clicking on X in the upper right corner.
As soon as Dr. Web has run, look at the report and if you see the following after any file: Win32.Sector.5, go to Step 3. If you do not see that, then post the logs so far.
====STEP 4====
Running Sality Off
Step a.
Unpack the file Sality_off.rar
Run the file Sality_off.exe with the key -m
To do this, select Run from the Start menu.
Select Browse and locate sality_off.exe, then click it once.
The file will now appear in the Run box.
Using the mouse, double left click in the box and the cursor will then appear after the .exe part. Now press the spacebar and type in -m, then select OK.
Step b. Signs of a disinfected/clean computer
When restarted, the utility sality_off.exe -m does not detect any signs of infection (the line "infected thread terminated" is missing).
====STEP 5====
And we will do another AVZ scan to see where we stand.
- Start AVZ.
- Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.

- Click on the "Execute selected scripts".
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
- It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
- All applications will work properly after the system restart.
When restarted:
- Start AVZ.
- Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.

- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post.
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on the icon to insert the attachment into your post
In your next reply could I see:
1. the first DrWeb log
2. the AVZ attachment
3. the second Dr Web log
4. the Sality_off log if relevant
5. the AVZ logs from Step 4 <<<<< you may need to attach these logs in an additional reply.
The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.
andrewuk
Edited by andrewuk, 06 June 2010 - 08:36 AM.
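As an added example (not part of the thread, and not Dr.Web's or AVZ's own code), a small Python triage script for the decision the NOTE in the Dr.Web steps describes: read the saved DrWeb.csv report, summarise what was cured, moved or left incurable, and flag whether Win32.Sector.5 appears, which is the trigger for the Sality_off step. The semicolon-separated path;threat;action layout and the sample report lines are assumptions constructed for this example, since the real report layout is not shown in the thread.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Dr.Web CureIt report. The real DrWeb.csv layout is
# not shown in the thread, so this "path;threat;action" form is an assumption
# made for this example only; the file names are invented sample values.
SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\drivers\\emhtks.sys;Trojan.Rootkit.sample;Moved
C:\\Tools\\AVZ\\avz.exe;Win32.Sector.5;Cured
C:\\Documents and Settings\\user\\Desktop\\setup.exe;Win32.Sector.5;Incurable
C:\\temp\\installer.exe;Adware.sample;Deleted
"""

# Detection name the thread says should send you to the Sality_off step.
SALITY_SIGNATURE = "Win32.Sector.5"


def parse_report(text):
    """Return a list of (path, threat, action) tuples from the report text."""
    rows = []
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) < 3:
            continue  # skip blank or malformed lines rather than failing
        path, threat, action = (field.strip() for field in row[:3])
        rows.append((path, threat, action))
    return rows


def triage(text):
    """Summarise the report and decide whether Sality_off is needed."""
    rows = parse_report(text)
    sality_files = [p for p, threat, _ in rows if SALITY_SIGNATURE in threat]
    return {
        "detections": len(rows),
        "by_action": dict(Counter(action for _, _, action in rows)),
        "sality_files": sality_files,
        "run_sality_off": bool(sality_files),  # Step 4 only if Sector.5 seen
        "incurable": [p for p, _, a in rows if a == "Incurable"],  # samples
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for key, value in result.items():
        print(f"{key}: {value}")
```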