
View full version: Help me - PCsod virus



lysk88
14.05.2008, 01:17
i got PCsod virus, every time i open internet explorer there are pop-ups of PCsod.

i prepared all of 3 logs and attached.
thank you!

Bratez
14.05.2008, 02:46
Execute the following script in AVZ:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\khfeCVLD.dll', '');
QuarantineFile('C:\WINDOWS\system32\nnnNGYPg.dll', '');
QuarantineFile('C:\WINDOWS\system32\tppaiexq.dll', '');
QuarantineFile('C:\WINDOWS\system32\rqRIyXOh.dll', '');
DeleteFile('C:\WINDOWS\system32\rqRIyXOh.dll');
DeleteFile('C:\WINDOWS\system32\tppaiexq.dll');
DeleteFile('C:\WINDOWS\system32\nnnNGYPg.dll');
DeleteFile('C:\WINDOWS\system32\khfeCVLD.dll');
BC_ImportALL;
DelBHO('{CEA9FFDA-A195-472A-9FB1-62371382A07F}');
DelBHO('{CBC5C692-5316-431A-BA67-920F118AA335}');
DelBHO('{B3102264-D09D-4322-B625-503FBF18DD7E}');
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
The system will reboot.

Upload all quarantined files according to Appendix #3 of the Rules (use red link above).

Make new logfiles.

! While using AVZ, internet connection and antivirus program should be off.

lysk88
14.05.2008, 08:07
thank you..
but, how do i execute the script in AVZ?

Rene-gad
14.05.2008, 08:27
but, how do i execute the script in AVZ?

http://virusinfo.info/showthread.php?t=9207

lysk88
14.05.2008, 16:46
Rene-gad thanks.

i uploaded the quarantined files..should i give you some link or something? cuz i dont find one.

and this is the new logfiles:
moderated:::You should repeat all 3 log files and attach them to your post.

Rene-gad
14.05.2008, 17:00
.should i give you some link or something?

No, Thanks ;)

lysk88
14.05.2008, 21:06
here are all 3 log files

Bratez
15.05.2008, 09:01
Now everything seems to be OK. Just fix the following lines in HijackThis:


O2 - BHO: (no name) - {0C8BD81F-DAA2-4E46-B910-440FE28D7987} - (no file)
O2 - BHO: (no name) - {61A673EA-D1C3-45B4-94A6-CDECB532CA19} - C:\WINDOWS\system32\rqRIyXOh.dll (file missing)
O2 - BHO: (no name) - {EDCD05B8-F2BD-4286-9C3B-69F893CE2598} - (no file)
O2 - BHO: (no name) - {F90E7ABD-6413-4020-8883-98192764E5D4} - (no file)


Added 1 minute later

Repeat HijackThis log once more.

Do you still have any problems?

Rene-gad
15.05.2008, 09:05
here are all 3 log files

It wasn't too complicated, was it? ;)
Fix with HJT

O2 - BHO: (no name) - {61A673EA-D1C3-45B4-94A6-CDECB532CA19} - C:\WINDOWS\system32\rqRIyXOh.dll (file missing)
Run the script

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}');
DelBHO('{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}');
DelBHO('{F90E7ABD-6413-4020-8883-98192764E5D4}');
DelBHO('{EDCD05B8-F2BD-4286-9C3B-69F893CE2598}');
DelBHO('{61A673EA-D1C3-45B4-94A6-CDECB532CA19}');
DelBHO('{0C8BD81F-DAA2-4E46-B910-440FE28D7987}');
StopService('SetupNTGLM7X');
DeleteService('SetupNTGLM7X');
StopService('GMSIPCI');
DeleteService('GMSIPCI');
QuarantineFile('E:\NTGLM7X.sys','');
QuarantineFile('E:\INSTALL\GMSIPCI.SYS','');
DeleteFile('E:\INSTALL\GMSIPCI.SYS');
DeleteFile('E:\NTGLM7X.sys');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
The PC will be rebooted. Upload all quarantined files according to Appendix #3 of the Rules (use red link above). Make new logfiles. While using AVZ, internet connection and antivirus program should be off.
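
Added example, not part of the original posts: a Python check that parses the HijackThis O2 (BHO) lines quoted in this thread, marks entries reported as (no file) or (file missing), and lists those that an AVZ script's DelBHO calls do not remove. The last sample log line and the function names parse_o2 and uncovered_orphans are constructed for illustration.

```python
import re

# HijackThis BHO line: "O2 - BHO: <name> - {CLSID} - <dll path | (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
DELBHO_RE = re.compile(r"DelBHO\('(\{[0-9A-Fa-f-]{36}\})'\)", re.I)

# O2 lines quoted in the thread, plus one constructed healthy entry (last line).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0C8BD81F-DAA2-4E46-B910-440FE28D7987} - (no file)
O2 - BHO: (no name) - {61A673EA-D1C3-45B4-94A6-CDECB532CA19} - C:\WINDOWS\system32\rqRIyXOh.dll (file missing)
O2 - BHO: (no name) - {EDCD05B8-F2BD-4286-9C3B-69F893CE2598} - (no file)
O2 - BHO: (no name) - {F90E7ABD-6413-4020-8883-98192764E5D4} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
"""

# DelBHO calls copied from the first and the later AVZ script in the thread.
FIRST_SCRIPT = """
DelBHO('{CEA9FFDA-A195-472A-9FB1-62371382A07F}');
DelBHO('{CBC5C692-5316-431A-BA67-920F118AA335}');
DelBHO('{B3102264-D09D-4322-B625-503FBF18DD7E}');
"""
LATER_SCRIPT = """
DelBHO('{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}');
DelBHO('{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E}');
DelBHO('{F90E7ABD-6413-4020-8883-98192764E5D4}');
DelBHO('{EDCD05B8-F2BD-4286-9C3B-69F893CE2598}');
DelBHO('{61A673EA-D1C3-45B4-94A6-CDECB532CA19}');
DelBHO('{0C8BD81F-DAA2-4E46-B910-440FE28D7987}');
"""

def parse_o2(log_text):
    """Parse O2 lines; an entry is orphaned when HijackThis reports no backing DLL."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            name, clsid, target = m.groups()
            orphaned = target == "(no file)" or target.endswith("(file missing)")
            path = None if target == "(no file)" else target.replace("(file missing)", "").strip()
            entries.append({"name": name, "clsid": clsid.upper(), "path": path, "orphaned": orphaned})
    return entries

def uncovered_orphans(log_text, avz_script):
    """CLSIDs of orphaned BHO entries that no DelBHO call in the script removes."""
    removed = {c.upper() for c in DELBHO_RE.findall(avz_script)}
    return [e["clsid"] for e in parse_o2(log_text) if e["orphaned"] and e["clsid"] not in removed]

if __name__ == "__main__":
    print("left by first script:", uncovered_orphans(SAMPLE_LOG, FIRST_SCRIPT))
    print("left by later script:", uncovered_orphans(SAMPLE_LOG, LATER_SCRIPT))
```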

lysk88
16.05.2008, 00:59
Bratez :
after i fixed what Rene-gad told me to fix, i didn't see the files you tell me to fix.

Rene-gad :
i tried to upload the quarantined files, but AVZ didn't find any quarantined files.
(after i did "automatic quarantining" AVZ did find quarantined files
and i uploaded them)
i attached the 3 logfiles.

there are no more pop-ups, but the Kaspersky Anti-Virus found :
"trojan.win32.Monder"
"trojan.win32.KillAv"

drongo
16.05.2008, 18:37
Fix this in hijack this:

O20 - Winlogon Notify: nnnNGYPg - C:\WINDOWS\

Execute this script in avz:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('E:\NTACCESS.sys');
BC_DeleteSvc('NTACCESS');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
RebootWindows(true);
end.

P.S. spydoctor and spybot in your case are superfluous. Uninstall them. Recheck settings in kaspersky according to the link in the rules. Rescan all computer, better one time in safe mode and one in normal. In order to prevent infection -> More effective idea is to use (especially, in the internet) a limited user account instead of an administrator account.

P.s. If you can't understand something in my english, i can explain you in PM in Hebrew ;)

lysk88
16.05.2008, 20:42
hey man..i did what you said, hope for the best (:
i sent you a PM (:
thanks!

what should i do next?
moderated:::full quote removed

drongo
16.05.2008, 21:39
Please update kaspersky, rescan all your computer. Cure/delete if it finds something. Then disable your antivirus and make fresh logs.

lysk88
17.05.2008, 13:55
i did what you said
here are fresh new logs

Rene-gad
17.05.2008, 14:02
They seem to be clean. But what is the Drive E:\ ?
I mean this file: E:\INSTALL\GMSIPCI.SYS

lysk88
17.05.2008, 20:27
They seem to be clean. But what is the Drive E:\ ?
I mean this file: E:\INSTALL\GMSIPCI.SYS


i dont know..E is the cdrom.
but i got 2 local disks (C, D)
i searched for this file GMSIPCI.SYS (on the D drive) and i didn't find it, not among hidden files either.