SH$#%T! Just got a virus thanks to this forum!!

[SlowJedi]

Говорила мне мама, не ходи на всякие незнакомые ЮРЭлы, особенно если они на публичных бордах, а я зашел на какой-то дурацкий сайт с одного из постов Витты (спасибо Витта, большое!) на этом борде: http://forum.russianamerica.com/f/showthread.php?t=2177, и теперь уже второй день борюсь с какими-то вирусами, называются W32.Desktophijak и Download.Trojan. Кто-нибудь знает как их вывести? У меня стоит Нортон, но эти штуки не хотят выводиться, видимо придется стирать весь диск и перезагружать целиком.

Спасибо за помощь.

[марик - камарик]

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



**(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders. This is where it will save the backup files needed if there's a problem.)**

Press Ctrl/Alt/Del and "End Task" or "End Process" on each of the following: (They may or may not be there)

bbnt.exe

Turn off System Restore WinXP WinME. (Turn it back on after this is repaired and you've rebooted.) Close all other open Windows and have HiJackThis Fix:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll

O15 - Trusted Zone: *.westpark.org << DID YOU PUT THIS IN THE TRUSTED ZONE??

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com...ll/xscan60.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = westpark.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = westpark.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = westpark.org <<< DO YOU KNOW THIS SITE?? IF NOT HAVE HJT REMOVE THESE 017 ENTRIES

O23 - Service: Big Brother SNM Client 1.08b (BigBrotherClient) - Unknown owner - C:\BB\BBNT\1.08b\bin\bbnt.exe



Go to Control Panel / Add/Remove Programs and remove the
following if they are there:

BigBrotherClient

Now delete these Folders or Files that are Highlighted: (You may need enable "Show all Files" and disable "Hide System Files" in Windows Explorer / Tools / Folder Options / View Tab) (You may have to boot to "http://www.jayloden.com/SafeMode.htm " in order to delete some Files/Folders)

C:\WINNT\system32\boln.dll
C:\BB\BBNT\1.08b\bin\bbnt.exe

Now, empty all your TEMP Folders (WinXp has up to 4 of them) / Temporary Internet Files Folder and then empty your "Recycle Bin" and Reboot.


In Xp, here are some locations of Temp files
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
C:\Documents and Settings\Username\Local Settings\Temporary Internet Files
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files

Turn on System Restore

Before opening your browser goto START>CONTROL PANEL>INTERNET OPTIONS and make sure your Homepage is correct,if not ,type the URL you would like in the HomePage box.


Now re-run HJT and post a new logfile back here.

[марик - камарик]

предыдущее это инструкции по удалению первого вируса. Вот для второго
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


1.Disable System Restore (Windows Me/XP).
2.Update the virus definitions.
3.Restart the computer in Safe mode (Windows 95/98/Me/2000/XP) or VGA 4.mode (Windows NT).
5.Run a full system scan and delete all the files detected as Download.Trojan.
Clear Internet Explorer History and files, if needed.
можешь почитать здесь: http://securityresponse.symantec.com...ad.trojan.html

[Olezhik]

Я надеюсь что инструкция была распечятана.