> Cannot Remove virus HEUR:trojan win32 generic
scrapyard
post 5.12.2008 00:51
Post #1






Help, how do I get rid of this? It opens ads for virus software and other ads. Thanks.
richbuff
post 5.12.2008 05:04
Post #2






Welcome. Please attach the zipped AVZ sysinfo.zip; for instructions, see: http://forum.kaspersky.com/index.php?showtopic=69276


--------------------
Please see the Important topics, located at the top of this section, and at the top of other sections of this forum.
scrapyard
post 8.12.2008 03:07
Post #3






Help, please stop these popups. Thanks, sys file sent.
Attached File(s)
Attached File  sysinfo.zip ( 123,1K ) Number of downloads: 130
 
richbuff
post 8.12.2008 03:23
Post #4






Run this script, instructions posted in thread linked in my previous post, PC will reboot:
CODE
begin
// Turn on AVZGuard, AVZ's protection driver, while the script runs
SetAVZGuardStatus(True);
// Search for rootkit hooks and neutralize them
SearchRootkit(true, true);
// Copy each suspect file to the AVZ quarantine before it is deleted
QuarantineFile('C:\WINDOWS\system32\kmdpxkhs.dll','');
QuarantineFile('C:\WINDOWS\system32\rqRKCuTK.dll','');
QuarantineFile('digeste.dll','');
QuarantineFile('C:\WINDOWS\system32\vtUopQJy.dll','');
// Remove the Browser Helper Object registered under this CLSID
DelBHO('{B80B3E82-DC9C-43AE-8DC2-F381030FDF5B}');
QuarantineFile('C:\WINDOWS\system32\M8fJ0Px5.exe','');
QuarantineFile('C:\WINDOWS\system32\3Su64bkG.exe','');
QuarantineFile('C:\WINDOWS\system32\g824MtKR.exe','');
// Delete the files that were quarantined above
DeleteFile('C:\WINDOWS\system32\g824MtKR.exe');
DeleteFile('C:\WINDOWS\system32\3Su64bkG.exe');
DeleteFile('C:\WINDOWS\system32\M8fJ0Px5.exe');
DeleteFile('C:\WINDOWS\system32\vtUopQJy.dll');
DeleteFile('digeste.dll');
DeleteFile('C:\WINDOWS\system32\rqRKCuTK.dll');
DeleteFile('C:\WINDOWS\system32\kmdpxkhs.dll');
// Hand the deleted-file list to Boot Cleaner, clean up leftover references, then reboot
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


After running the script, post a Combofix log in this thread. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.


Wincent
post 14.12.2008 06:10
Post #5






I've got exactly the same problem: I cannot get rid of the HEUR: trojan win32.Generic virus.
Here is my sysinfo.zip file - please help

Attached File(s)
Attached File  sysinfo.zip ( 19,31K ) Number of downloads: 32
 
richbuff
post 14.12.2008 06:39
Post #6






Welcome. Uninstall WildTangent from Windows Control Panel, add/remove programs. Then run this script, instructions linked in pinned topics at top of this forum page:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\iifcYrss.dll','');
QuarantineFile('C:\WINDOWS\system32\iifdcaxw.dll','');
DelBHO('{B3F78D6F-F843-49A3-AFD4-30BFBCE11613}');
DelBHO('{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}');
QuarantineFile('C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll','');
DeleteFile('C:\Program Files\WildTangent\Apps\CDA\CDALogger0402.dll');
DeleteFile('C:\WINDOWS\system32\iifdcaxw.dll');
DeleteFile('C:\WINDOWS\system32\iifcYrss.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


After running the script, post a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt , please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Wincent
post 14.12.2008 07:45
Post #7








When I clicked Execute it said: "Wizard completed with error: Incorrect kernel handle"
I tried a couple more times - the same result.
Wincent
post 14.12.2008 07:50
Post #8






Here is the latest sysinfo file
I took it after I uninstalled WildTangent and tried to execute the script.


Attached File(s)
Attached File  sysinfo.zip ( 21,63K ) Number of downloads: 14
 
richbuff
post 14.12.2008 09:19
Post #9






I received your PM that you were able to run the script, and your Combofix log. Run this script, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('c:\windows\system32\iifcYrss.bak','');
QuarantineFile('c:\windows\system32\iifdcaxw.dll','');
QuarantineFile('c:\windows\system32\pmnkhFwV.dll','');
DeleteFile('c:\windows\system32\pmnkhFwV.dll');
DeleteFile('c:\windows\system32\iifdcaxw.dll');
DeleteFile('c:\windows\system32\iifcYrss.bak');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Then, run this one:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/. Then, Private Message me the link to the uploaded file. Click my user name and select Send message. Lastly, uninstall Combofix by: pause Kaspersky > Start > run > type combofix /u > ok. Or Start > run > type 543123 /u > ok. Restart Kaspersky.


richbuff
post 15.12.2008 09:33
Post #10






Thank you for the links, I also received your new AVZ log. Run this script, instructions same, PC will reboot:
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\mlJYqNEW.dll','');
QuarantineFile('C:\WINDOWS\system32\iifdcaxw.dll','');
DelBHO('{6F411BBB-2D52-4E02-A244-77562C425B1C}');
DelBHO('{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}');
DeleteFile('C:\WINDOWS\system32\iifdcaxw.dll');
DeleteFile('C:\WINDOWS\system32\mlJYqNEW.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.


After running the script, post a new Combofix log, instructions same as before.


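An added example, not part of any post in this thread and not AVZ's own tooling: every script above quarantines a file before deleting it, and post #9 depends on that quarantine to collect samples for analysis. This Python check flags any DeleteFile with no earlier QuarantineFile for the same path (ignoring case, as Windows does), lists the BHO CLSIDs a script removes, and confirms the reboot-time cleanup calls are present. The function names and the BAD sample are assumptions made for illustration.

```python
import re
# Captures the call name and first quoted argument, e.g. QuarantineFile('path','');
CALL = re.compile(r"^\s*(\w+)\s*\(\s*'([^']*)'", re.MULTILINE)
# Reboot-time cleanup calls, in the order the scripts in this thread use them.
CLEANUP = re.compile(
    r"BC_ImportDeletedList.*ExecuteSysClean.*BC_Activate.*RebootWindows", re.I | re.S)

def audit_avz_script(text):
    """Return (deletes_without_prior_quarantine, bho_clsids)."""
    quarantined, missing, bhos = set(), [], []
    for name, arg in CALL.findall(text):
        op, key = name.lower(), arg.lower()  # names and Windows paths ignore case
        if op == "quarantinefile":
            quarantined.add(key)
        elif op == "deletefile" and key not in quarantined:
            missing.append(arg)  # no copy kept: the sample cannot be analysed later
        elif op == "delbho":
            bhos.append(arg.upper())
    return missing, bhos

def has_reboot_cleanup(text):
    return CLEANUP.search(text) is not None

# Script from post #10 of this thread, unchanged.
POST10 = r"""begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\mlJYqNEW.dll','');
QuarantineFile('C:\WINDOWS\system32\iifdcaxw.dll','');
DelBHO('{6F411BBB-2D52-4E02-A244-77562C425B1C}');
DelBHO('{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}');
DeleteFile('C:\WINDOWS\system32\iifdcaxw.dll');
DeleteFile('C:\WINDOWS\system32\mlJYqNEW.dll');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end."""

# Constructed counter-example (made-up file names): one delete has no quarantine.
BAD = r"""begin
QuarantineFile('c:\windows\system32\example1.dll','');
DeleteFile('C:\WINDOWS\system32\example1.dll');
DeleteFile('C:\WINDOWS\system32\example2.dll');
RebootWindows(true);
end."""

if __name__ == "__main__":
    print(audit_avz_script(POST10), audit_avz_script(BAD))
```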
Lucian Bara
post 20.12.2008 16:27
Post #11






Two posts were split into new topics:
http://forum.kaspersky.com/index.php?showtopic=96507
http://forum.kaspersky.com/index.php?showtopic=96508
Lucian Bara
post 21.12.2008 17:35
Post #12






Another split: http://forum.kaspersky.com/index.php?showtopic=96635
Please start your own topic and don't post in someone else's.
Lucian Bara
post 27.12.2008 16:10
Post #13






Another split: http://forum.kaspersky.com/index.php?showtopic=97410
And topic closed due to lack of activity; if the original poster returns, he can PM a moderator and the topic will be reopened.
