View full version: Another machine, another problem

30.01.2008, 21:32
Hi guys,

Unfortunately I was unable to run them with IE - I was unable to make it run.
Another problem that I have encountered: I was unable to copy files from my desktop to a USB disk in normal mode.

So, I've gone via safe mode and opened files via notepad and saved them onto the memory stick. Then I've saved them as zips with different extensions:)

So, there is a result - hope it is helpful

If I have done something wrong let me know:)))

Thank you

31.01.2008, 04:40
Execute the following script in AVZ:

SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\beqooniy.dll', '');
QuarantineFile('C:\WINDOWS\system32\ddabx.dll', '');
Your system will reboot.
Upload quarantine according to Appendix #3 of Rules using this page:
Make new logfiles (xml files not needed).

31.01.2008, 10:52
Before making new log files you have to update AVZ bases.

31.01.2008, 11:17
good morning:)

Couple of questions sorry:
do I need to update the AVZ first?

then execute the script and afterwards run AVZ again?

Another thing as I cannot make IE run - I will just do a new download of AVZ - would it be ok?

thank you

31.01.2008, 11:37
Execute Bratez's script first.
Don't download AVZ, just update the bases. AVZ menu -> File -> Update databases.
And fulfil points 8-13 of the rules.

31.01.2008, 21:50
Thank you guys,

updated AVZ and then zipped it.

ran the script, so here you are

IE still doesn't work

Thank you

04.02.2008, 12:44
hi guys

any update please?

04.02.2008, 13:09

We need 3 logs according to our rules.

Where are they?

04.02.2008, 16:17
hi, I cannot upload those files as zip files

These are html files with .txt extension

AndreyKa has advised that you don't need xml files.

Is this ok?


04.02.2008, 17:35
"These are html files with .txt extension"
No, they aren't. You have uploaded the avz-log.txt 2 times.

"I cannot upload those files as zip files"
Why? Use any free-hoster to upload these files and give here the links.

04.02.2008, 18:32

Oops, haven't realized it.

I am not sure as to why but when I tried to save zip from the log folder onto the memory stick I was unable to do so.

And I cannot use IE as it just shuts down every time I try to run it.

Added after 9 minutes

Hi, I checked my files and it seems to me that these are the correct files: the first referring to step 8, the second - second AVZ scan, and the last is hijack.

Do I need to re-scan my computer? If yes, do I need to run Bratez's code again or not?


04.02.2008, 18:41
Fix the following lines in HijackThis:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - (no file)
O2 - BHO: (no name) - {96AD0473-517F-450F-BEA2-BC5F8FFB6C0B} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {C5495E37-E402-4989-A0A0-812F47EBDE37} - (no file)
O2 - BHO: (no name) - {EBBE0252-DDBC-486A-B08A-9EEAEDCDA25D} - C:\WINDOWS\system32\ddabx.dll (file missing)

then re-scan computer as you did at the very beginning.
You may ignore xml files, we need html only.
No need to run my script again.
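
Added example, not part of the original posts: a small Python parser for HijackThis O2 (Browser Helper Object) lines that picks out entries whose DLL is gone, which is what the lines listed in the post above have in common. The sample log reuses three lines from that post; the `Example Helper` and O4 lines are constructed, and the function names are hypothetical.

```python
import re

# O2 entries have the shape:
#   O2 - BHO: <name> - {CLSID} - <path> | (no file) | <path> (file missing)
O2_RE = re.compile(
    r"^O2 - BHO:\s*(?P<name>.*?)\s+-\s+"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<target>.+?)\s*$"
)

# Three lines from the post above, plus two constructed lines for contrast.
SAMPLE_LOG = r"""O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {EBBE0252-DDBC-486A-B08A-9EEAEDCDA25D} - C:\WINDOWS\system32\ddabx.dll (file missing)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Example] C:\example.exe"""


def parse_o2(line):
    """Return a dict for one O2 line, or None if the line is not an O2 entry."""
    m = O2_RE.match(line.strip())
    if not m:
        return None
    target = m.group("target")
    if target == "(no file)":
        path, state = None, "no file"
    elif target.endswith("(file missing)"):
        path, state = target[: -len("(file missing)")].strip(), "file missing"
    else:
        path, state = target, "present"
    return {
        "name": m.group("name"),
        "clsid": m.group("clsid").upper(),  # CLSIDs are case-insensitive
        "path": path,
        "state": state,
    }


def orphaned_bhos(log_text):
    """List O2 entries that still exist in the registry but have no DLL on disk."""
    entries = (parse_o2(line) for line in log_text.splitlines())
    return [e for e in entries if e and e["state"] != "present"]


if __name__ == "__main__":
    for e in orphaned_bhos(SAMPLE_LOG):
        print(e["clsid"], e["state"], e["path"] or "-")
```

The `ddabx.dll` entry shows up as "file missing" because the earlier AVZ script in this thread quarantined that file; the O2 line is the leftover registration.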

04.02.2008, 18:58

Could you please provide me with more detailed instructions as to how I could fix those lines.

It doesn't really matter if you use English or Russian as soon as it will be something like Run/CMD/nslookup

thank you

04.02.2008, 19:08

04.02.2008, 20:41
Hi guys,

well read instructions and alas
when opened HiJack and went to main menu, selected Open The Misc Tools section,
then Delete an NT service
I entered the key name and done for every thing, every time the message was - key not found.

So now I am supposed to run the scan again, do I do it with DrWeb - CureIT? and just follow rules from the beginning?
Sorry but I'd rather be safe than sorry

Well I am sorry anyway:)

Have a good evening guys - speak to you tomorrow and wish me luck I am trying to re-install windows on my home machine.


05.02.2008, 06:25
How to "Fix in HijackThis"

In the Help Me section helpers and experts often advise "fixing in HijackThis" some items and enumerate them.

That means that you are supposed to run HijackThis, do a system scan, then check the enumerated items in the log and click the "Fix Checked" button. After the operation you should reboot the PC.

That's all. Nothing about Deleting an NT Service has been said ;)

05.02.2008, 21:14
hello, guys

Sorry Bratez, but I do require advanced guidelines:))
Anyway done as advised - fixed checked and here are results:

Thank you

05.02.2008, 21:15
just forgotten to add

I cannot make IE run even via task manager.

06.02.2008, 16:46
Leave IE :)
What about the correct logs of AVZ? I can't read yours :)

06.02.2008, 18:59
Hi guys
well that's what I have got - I ran the analysis and saved the logs as .txt

Making big eyes, she asked - what's wrong again???
So have I done something wrong?

06.02.2008, 19:11
Especially your AVZ logs. What or who told you to make them manually?
Read the rules again; if you can't understand simple English, read the rules in Russian (http://virusinfo.info/showthread.php?t=1235). I can't help you with it, I am deeply sorry.

06.02.2008, 19:46

The process for me is download AVZ on the disk, extract, extract, update, send to zip.

Then I extract AVZ files on the infected machine, run scripts as advised in the rules section,
then I save the log files on the disk as I cannot save them on the disk in the zip format.

I tried a number of times but the only work-around I found is open the file and save it as.
Sorry I haven't got the better solution:(

06.02.2008, 19:55
You don't need to save them in any way, zip files will be created automatically by AVZ itself in the avz folder, after you follow our rules.
See steps 8, 10 :rtfm:

06.02.2008, 20:05

Indeed they are but I need to upload them somehow, right?

And I cannot do so as ie is not working so I need to save them on the memory stick and that is the only way I could do it:(

06.02.2008, 20:25
OK, what about Firefox? It is a better browser in my opinion :)
Very strange memory stick that accepts only ~txt, did you try to format it?
You can change the file association of the "zip" file to "txt", and on the computer where you have Internet, change the file back to "zip". Then upload the zip to your post.

06.02.2008, 20:39
here we are,

these are the results of yesterday's scan after running Fix Checked in HijackThis

06.02.2008, 20:41

I don't have it installed, I don't think it is a problem with a memory stick, I think it is a problem with an infected machine

Anyway have a good evening and I, sincerely hope these are the ones you are after:)

06.02.2008, 20:58
Either there are some system bugs, or some viruses, or both :) We need to check some files to figure it out.
In order to do that, please do exactly as we say to you, not like you want to. If you can't do something, explain why in the topic. We can't read your mind :)
On the infected computer (from where you made these logs) execute the following script in AVZ:

SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\ie4uinit.exe', '');
QuarantineFile('C:\WINDOWS\system32\advpack.dll', '');
QuarantineFile('C:\WINDOWS\system32\IEDKCS32.DLL', '');
QuarantineFile('C:\WINDOWS\system32\schannel.dll', '');
QuarantineFile('C:\WINDOWS\system32\webcheck.dll', '');
QuarantineFile('C:\WINDOWS\system32\shell32.dll', '');
QuarantineFile('C:\WINDOWS\system32\iedkcs32.dll', '');
QuarantineFile('C:\WINDOWS\system32\Drivers\RDPWD.sys', '');
QuarantineFile('C:\WINDOWS\system32\drivers\smwdm.sys', '');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\IFXTPM.SYS', '');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\update.sys', '');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\tcpip.sys', '');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\srv.sys', '');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\secdrv.sys', '');
QuarantineFile('C:\WINDOWS\system32\Drivers\Ntfs.sys', '');
QuarantineFile('C:\WINDOWS\system32\ntoskrnl.exe', '');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\fw.sys', '');
QuarantineFile('C:\WINDOWS\System32\Drivers\dump_KR10I.sys', '');

Your system will reboot.
Then upload all quarantined files according to Appendix #3 of the Rules.
Your link is: http://virusinfo.info/upload_virus_eng.php?tid=17243
P.S. If you don't have Internet on this computer, use your magic like you did before ;)

A question to you: on this computer I see McAfee - is it only an antivirus or a firewall too?

07.02.2008, 01:32
Hi Drongo,

both, but it might not be working - we have experienced some problems.

I'll run your script first thing in the morning.

see ya

07.02.2008, 16:53
Next time, make sure that the archive is password protected before sending it to us.
Well, I don't see any suspicious file in your archive. I think it is more a system malfunction problem than a virus.
Try to execute this script in AVZ:


I understand that you did upgrade to IE 7, you can try to downgrade to IE6.
Moreover, if you have a Windows CD, it would be a good idea to check files like here: http://www.networkclue.com/os/Windows/commands/sfc.aspx

07.02.2008, 21:13
Hi Drongo,

I've installed Firefox and it works perfectly.

IE doesn't work, also the start line is missing.

I am more than happy to do the full scan again - can you please advise.

thank you

P.S. no pop-up and security warnings this time while using Firefox

07.02.2008, 23:59
Happy for you :)
Still, did you try to go to the Control Panel, Add/Remove Programs and uninstall IE 7? Then reboot your computer.
Just do it, like in the commercial :)
The next step is described at http://windowsxp.mvps.org/IEFIX.htm

08.02.2008, 01:11
Good evening/morning

I tried to do it already but was unable to find IE7 in the Add/Remove programs.

I will double check tomorrow; if not, can I do it via registry?


08.02.2008, 18:19