# cannot do anything in reg mode

1. ## cannot do anything in reg mode

It only works in safe mode. Here is my log.

I hope I did this right.

2. ## here is my hijack log


3. Hello.
Execute the script:
Code:
```
begin
QuarantineFile('C:\WINDOWS\system32\nubipana.dll','');
QuarantineFile('c:\windows\system32\wefojuho.dll','');
QuarantineFile('C:\WINDOWS\system32\olhcwe80w.dll','');
QuarantineFile('C:\WINDOWS\\SystemRoot\\SystemRoot\system32\DRIVERS\sr.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys','');
QuarantineFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys','');
QuarantineFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll','');
QuarantineFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll','');
DeleteFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll');
BC_DeleteFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll');
DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
BC_DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
DeleteFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys');
BC_DeleteFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys');
DeleteFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys');
BC_DeleteFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys');
DeleteFile('C:\WINDOWS\system32\olhcwe80w.dll');
BC_DeleteFile('C:\WINDOWS\system32\olhcwe80w.dll');
DeleteFile('c:\windows\system32\wefojuho.dll');
BC_DeleteFile('c:\windows\system32\wefojuho.dll');
DeleteFile('C:\WINDOWS\system32\nubipana.dll');
BC_DeleteFile('C:\WINDOWS\system32\nubipana.dll');
DeleteService('jswmidin');
DeleteService('lfzekafgucza');
BC_DeleteSvc('jswmidin');
BC_DeleteSvc('lfzekafgucza');
DelBHO('{3041d03e-fd4b-44e0-b742-2d9b88305f98}');
BC_ImportquarantineList;
BC_Activate;
ExecuteSysClean;
end.
```
After the restart, try to start in normal mode. If the system starts, upload the quarantine via the link http://virusinfo.info/upload_virus_eng.php?tid=55823 , as described in app. 3 of the rules, and make new logs (better make 3 logs, as described in the rules). If the system doesn't start, make the same logs in safe mode.

4. ## ok I am working on it and I can work in normal mode now

I am not sure what files you want sent by upload quarantine...can you help? thanks

> Message from liwesas:
> I am not sure what files you want sent by upload quarantine...can you help? thanks

After the first script just execute the second:
Code:
```
begin
createqurantinearchive('c:\quarantine.zip');
end.
```

6. ## ok sent the file

now I am trying to attach the files for the logs. I cannot find this

I have been able to do the other two scans...

7. Hello again.
I'm sorry, but the logs you've attached are not quite the logs I expected to see. The HijackThis log is OK, but you've missed AVZ's logs. Look into the "Log" sub-folder in AVZ's folder. There should be two archives there: virusinfo_syscure.zip and virusinfo_syscheck.zip. Those are the logs I expected to see; just attach them to your post here.

8. ## OK, here is one of them

the other I cannot do because there is no link for

Healing/Quarantine and Advanced System Analysis in the AVZ

anyway I think I have the right one now.

9. Attention!!! Database was last updated 8/21/2009; it is necessary to update the database (via File - Database update)
1. You should update avz bases (File/Database Update).
2. Execute the script in AVZ:

Code:
```
begin
ExecuteRepair(13);
SetAVZPMStatus(True);
RebootWindows(true);
end.
```
3. Attach a new virusinfo_syscheck.zip.

10. ## here is an updated attachment

I think I did the last one wrong.

11. ## thanks so much for helping!

12. 1. Please disable System Restore and your antivirus (if you have one).
2. Execute the script in AVZ:

Code:
```
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
DeleteFile('\systemroot\system32\drivers\gasfkymrmneltp.sys');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(13);
BC_Activate;
RebootWindows(true);
end.
```
3. Fix with HijackThis:

O2 - BHO: (no name) - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)
O2 - BHO: C:\WINDOWS\system32\olhcwe80w.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\olhcwe80w.dll (file missing)
O20 - AppInit_DLLs: nubipana.dll
O21 - SSODL: putefezad - {92837540-9f4f-4132-932d-ff7214f5b733} - (no file)
4. Attach a new virusinfo_syscheck.zip.
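The four HijackThis lines above share the traits a helper looks for: a BHO or SSODL registration whose file is gone, an object with no display name, and anything at all in AppInit_DLLs. As an added example (not code from the thread, from HijackThis or from AVZ), here is a small Python parser for HijackThis "O" lines that applies those checks. The sample log is constructed from the four lines in post 12 plus one benign-looking entry with a hypothetical name, a null CLSID and a hypothetical path; the field layout assumed for O2 and O21 is `name - {CLSID} - path`, and a name that itself contains " - " would need a stricter split than this.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log: the four entries the helper asked to be fixed in
# post 12 of this thread, plus one benign-looking entry (hypothetical name,
# null CLSID, hypothetical path) to show that a normal BHO is not flagged.
SAMPLE_HJT_LINES = r"""
O2 - BHO: (no name) - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)
O2 - BHO: C:\WINDOWS\system32\olhcwe80w.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\olhcwe80w.dll (file missing)
O20 - AppInit_DLLs: nubipana.dll
O21 - SSODL: putefezad - {92837540-9f4f-4132-932d-ff7214f5b733} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class HjtEntry:
    section: str           # "O2", "O20", "O21", ...
    kind: str              # "BHO", "AppInit_DLLs", "SSODL", ...
    name: str = ""
    clsid: str = ""
    path: str = ""
    reasons: list = field(default_factory=list)


def parse_hjt_line(line):
    """Split one HijackThis line into its fields; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    entry = HjtEntry(section, kind)
    parts = rest.split(" - ")
    if len(parts) >= 3:
        # "<name> - {CLSID} - <path>" form used by O2 (BHO) and O21 (SSODL)
        entry.name, entry.clsid = parts[0], parts[1]
        entry.path = " - ".join(parts[2:])
    else:
        # single-value form used by O20 (AppInit_DLLs) and similar items
        entry.path = rest
    return entry


def assess(entry):
    """Attach a reason for each trait that an analyst would want to look at."""
    if entry.kind == "AppInit_DLLs" and entry.path.strip():
        entry.reasons.append("AppInit_DLLs is loaded into every process that maps user32.dll")
    if entry.path == "(no file)" or entry.path.endswith("(file missing)"):
        entry.reasons.append("orphaned registration: the referenced file no longer exists")
    if entry.name == "(no name)":
        entry.reasons.append("COM object registered without a display name")
    if entry.clsid and not CLSID_RE.match(entry.clsid):
        entry.reasons.append("malformed CLSID")
    return entry


def suspicious_entries(log_text):
    """Parse a whole HijackThis log and return only the entries with findings."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_HJT_LINES):
        print(f"{e.section} {e.kind}: {e.name or e.path} -> {'; '.join(e.reasons)}")
```

Run against the sample, the four entries from post 12 come back with their reasons and the benign entry does not; the checks are heuristics for triage, not proof that an entry is malicious.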

13. ## I do not have a link for system restore

in the properties area of my computer. If I try and go into System Restore it tells me that it cannot protect my computer and to reboot and open it again. I have rebooted and it is not helping. Any ideas?

14. Skip this item.

15. ## ok

I tried to disable my AVG antivirus but could only disable the resident shield; otherwise I think I would have had to uninstall the whole thing.

16. ## here it is

I hope I did it right
thanks again
Lisa

17. 1. Close all open documents as this will reboot your PC.

2. Double click on gmer.exe to launch GMER. If it warns you about rootkit activity and asks if you want to run a scan, click No/Cancel.

3. Click on the >>> tab. This will open up the rest of the tabs for you.

4. Click on the CMD tab. Make sure CMD.EXE is selected.

5. Now highlight the contents of the below codebox and copy it to the clipboard by pressing ctrl+c.

Code:
```
gmer.exe -killall
gmer.exe -del service gasfkyuknoxflj
gmer.exe -del file "c:\windows\system32\drivers\gasfkymrmneltp.sys"
gmer.exe -del file "c:\windows\system32\gasfkyhwvxkegq.dll"
gmer.exe -del file "c:\windows\system32\gasfkyitmpnyoa.dat"
gmer.exe -del file "c:\windows\system32\gasfkypipmkorx.dll"
gmer.exe -del file "c:\windows\system32\gasfkytdbsdqlr.dat"
gmer.exe -del file "c:\windows\system32\gasfkywqgkvdkx.dll"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\gasfkyuknoxflj"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\gasfkyuknoxflj"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuknoxflj"
gmer.exe -reboot
```
6. Paste the contents into the top black box in GMER by using ctrl+v.

7. Click Run, the script will run and then your PC will be rebooted.

8. After rebooted, rerun GMER and attach the new log-file.

9. Execute the script in AVZ:

Code:
```
begin
ClearHostsFile;
DeleteFile('D:\autorun.inf');
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
RebootWindows(true);
end.
```
10. Attach a new virusinfo_syscheck.zip.

18. ## received error message

after running the GMER

19. 1. Edit the hosts file and save it.

C:\windows\system32\drivers\etc\hosts
This is the original hosts file.

Code:
```
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
```
Attention: this file has no extension!

2. Execute the script in AVZ:

Code:
```
begin
DeleteFile('D:\autorun.inf');
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
RebootWindows(true);
end.
```
3. Attach a new virusinfo_syscheck.zip.
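Both the `ClearHostsFile` call in post 17 and the manual reset in post 19 come down to the same thing: keep the comments, keep the loopback mapping for `localhost`, and drop everything else, because a hijacked hosts file typically points antivirus and update domains at 127.0.0.1 (so they never resolve) or points real sites at an attacker's address. As an added example (not code from the thread, from AVZ or from Microsoft), here is a Python audit that reports each foreign mapping and produces the stock file content. The sample hosts file is constructed: the hostnames use the reserved `.test` TLD and the redirect address is from the TEST-NET-2 documentation range, so nothing in it is from the thread's real log.

```python
import ipaddress

# Constructed sample: the header of the stock Windows hosts file followed by
# the kinds of entries a hijacked machine shows. Names use the reserved .test
# TLD and the address is from a documentation range; none of these lines is
# from the thread's actual log.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test   # blocks a vendor site
127.0.0.1       update.example-antivirus.test
198.51.100.7    www.example-bank.test        # redirect to an attacker host
not-an-ip       whatever.test
"""

LOOPBACK_LINE = "127.0.0.1       localhost"


def audit_hosts(text):
    """Return (clean_text, findings) for the contents of a hosts file.

    Comments and blank lines are kept verbatim. The only mapping kept is a
    loopback address for 'localhost'; every other mapping is reported as a
    (line_number, reason, raw_line) tuple and dropped, so the result is the
    stock file the helper asked for.
    """
    kept, findings = [], []
    have_localhost = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            kept.append(raw)                   # comment or blank line
            continue
        fields = body.split()
        names = [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, "unparseable address", raw))
            continue
        if ip.is_loopback and names == ["localhost"]:
            kept.append(raw)
            have_localhost = True
        elif ip.is_loopback:
            # Classic blocking trick: the names resolve to the machine itself.
            findings.append((lineno, "loopback mapping makes unreachable: " + ", ".join(names), raw))
        else:
            # Pharming: the names resolve to an address the file's author chose.
            findings.append((lineno, f"redirects {', '.join(names)} to {ip}", raw))
    if not have_localhost:
        kept.append(LOOPBACK_LINE)
    return "\n".join(kept) + "\n", findings


if __name__ == "__main__":
    clean, found = audit_hosts(SAMPLE_HOSTS)
    for lineno, reason, raw in found:
        print(f"line {lineno}: {reason}: {raw.strip()}")
    print("--- cleaned file ---")
    print(clean, end="")
```

On Windows the file to feed in is `C:\windows\system32\drivers\etc\hosts`, and it is usually read-only or locked by the resident shield while the infection is active, which is why the helper has AVZ do it during the reboot instead.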
