Hi,

I think my pc has a virus that kaspersky virus removal tool can't find
since it keeps rebooting and works only in safe mode

thank you,

Execute the following script in AVPtool
(how: http://avptool.virusinfo.info/en/AVPTool_helpdesk_curescript.htm)


begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('kus552.dat','');
QuarantineFile('C:\Program Files\Helper\superdirectsearch.dll','');
QuarantineFile('C:\WINDOWS\mmall.exe','');
QuarantineFile('C:\WINDOWS\System32\uauk.dll','');
QuarantineFile('C:\WINDOWS\System32\bolenjx.exe',' ');
QuarantineFile('C:\WINDOWS\System32\J8dj3jg.dll',' ');
QuarantineFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe','');
QuarantineFile('C:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\lvvban pf.dat','');
QuarantineFile('C:\WINDOWS\System32\Drivers\Beep.S YS','');
QuarantineFile('C:\WINDOWS\System32\msftp.dll','') ;
QuarantineFile('C:\WINDOWS\system32\drivers\spool. exe','');
QuarantineFile('C:\Documents and Settings\All Users\Documents\Settings\partnership.dll','');
DeleteFile('C:\Documents and Settings\All Users\Documents\Settings\partnership.dll');
DeleteFile('C:\WINDOWS\system32\drivers\spool.exe' );
DeleteFile('C:\WINDOWS\System32\msftp.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\Beep.SYS') ;
DeleteFile('C:\WINDOWS\system32\drivers\lvvbanpf.d at');
DeleteFile('C:\Documents and Settings\Administrator\Local Settings\Application Data\cftmon.exe');
DeleteFile('C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe');
DeleteFile('C:\WINDOWS\System32\J8dj3jg.dll');
DeleteFile('C:\WINDOWS\System32\bolenjx.exe');
DeleteFile('C:\WINDOWS\System32\uauk.dll');
DeleteFile('C:\WINDOWS\mmall.exe');
DeleteFile('C:\Program Files\Helper\superdirectsearch.dll');
DeleteFile('C:\WINDOWS\kus552.dat');
DeleteFile('C:\WINDOWS\System32\kus552.dat');
BC_ImportALL;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
Upload quarantine using this page: http://virusinfo.info/upload_virus_eng.php?tid=16690.
Make a new logfile in AVPTool.

I'm not sure if this is the quarantine that I should upload but this is all I got

Execute one more script:


begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('Beep');
StopService('ftmxhlqz');
TerminateProcessByName('spool.exe');
DeleteFile('C:\WINDOWS\system32\drivers\spool.exe' );
DeleteFile('C:\WINDOWS\System32\msftp.dll');
DeleteFile('C:\WINDOWS\System32\Drivers\Beep.SYS') ;
DeleteFile('C:\Documents and Settings\All Users\Documents\Settings\partnership.dll');
DeleteFile('C:\WINDOWS\system32\drivers\lvvbanpf.d at');
DeleteFile('C:\WINDOWS\bolenjx.exe');
DeleteFile('C:\WINDOWS\System32\bolenjx.exe');
DelBHO('{7E853D72-626A-48EC-A868-BA8D5E23E045}');
DelBHO('{B5AC49A2-94F2-42BD-F434-2604812C897D}');
DelBHO('{B5AF0562-94F3-42BD-F434-2604812C797D}');
DelBHO('{DD36FFB4-4F50-4071-9E6F-2E4947841DE2}');
DelBHO('{F10587E9-0E47-4CBE-84AE-7DD20B8684CC}');
DelWinlogonNotifyByKeyName('partnershipreg');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
and make a logfile once again.

Hi

After executing the second script a blue screen appeared then the pc restarted after that each time I try to log on, it log off by itself!!

I'm terribly sorry! There was nothing bad in my script...

So, let's try to boot in Safe Mode. If logging on your user account is still impossible, try to log on as Administrator. In case of success, make a new logfile in AVPTool. Else try to run "Last known good configuration" in boot menu.

After executing the second script a blue screen appeared then the pc restarted after that each time I try to log on, it log off by itself!!
Unfortunately the registry was damaged by virus. Try following this instruction:
http://support.microsoft.com/kb/555648
Correct path for yours computer is
Userinit=C:\windows\system32\userinit.exe

I tried to log on in safe mode and in "Last known good configuration" but it doesn't work either
how can I edit the registry without logging into windows?

Well, i know how to edit registry using bootable disk, like http://www.nu2.nu/bootcd/
Can you create such a disk by yourself?

I have Hiren's bootCD 9.3 and it has a program to edit the registry but the program won't work

I'm not sure if the bootable disk from the website you posted works the same way
is all I have to do is download files put it together and burn it?

Here for example: http://regeditpe.sourceforge.net/
http://windowsxp.mvps.org/peboot.htm
Instructions with pictures are available.
Remember, that you need to upload the registry file of the infected windows ( C:\Windows\System32\Config) and not one of the bootcd.