-
Attachments: 1
hey experts :)
Hey, I've had terrible problems with my computer lately. First it couldn't move at all, it couldn't even start SYSTEM RESTORE, and after some 100 hours-waited installation I succeeded in re-installing the SYSTEM RESTORE tool and then it started moving but with difficulties.. Now my Kaspersky keeps telling me about viruses that I thought I had removed..
So please, try to help me !
tnx !
-
Hi!
Please follow the instructions exactly:
Download the special AVZ from my signature.
Please execute this script in AVZ (how-to: [url]http://virusinfo.info/showthread.php?t=9207[/url]). ([B]Do remember[/B], before executing scripts, to exit your antivirus, disconnect from the internet and disable [B]System Restore[/B].)
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\KCFG32.CPL','');
QuarantineFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe','');
DelBHO('{02478D38-C3F9-4efb-9B51-7695ECA05670}');
DelBHO('{5C255C8A-E604-49b4-9D64-90988571CECB}');
DelBHO('{31FC1F5B-A825-4335-827F-9A604838884A}');
QuarantineFile('C:\WINDOWS\AdobeR.exe','');
QuarantineFile('C:\Program Files\WordWeb\wweb32.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\part dead amok eggs\cool chin.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\Mail For File Wave\Blue Cool.exe','');
QuarantineFile('C:\DOCUME~1\BOY200~1\APPLIC~1\INTERN~1\Drv blue.exe','');
QuarantineFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\nicsk32.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\nchssvad.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\fips32cup.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\amd64si.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\PxHelp20.sys','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys','');
DeleteFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys');
DeleteFile('C:\WINDOWS\system32\drivers\nicsk32.sys');
DeleteFile('C:\WINDOWS\system32\drivers\fips32cup.sys');
DeleteFile('C:\WINDOWS\system32\drivers\amd64si.sys');
DeleteFile('C:\DOCUME~1\BOY200~1\APPLIC~1\INTERN~1\Drv blue.exe');
DeleteFile('C:\Documents and Settings\All Users\Application Data\Mail For File Wave\Blue Cool.exe');
DeleteFile('C:\Documents and Settings\All Users\Application Data\part dead amok eggs\cool chin.exe');
DeleteFile('C:\WINDOWS\AdobeR.exe');
DeleteFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe');
DeleteFile('C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys');
BC_DeleteSvc('amd64si');
BC_DeleteSvc('mferkdk');
BC_DeleteSvc('fips32cup');
BC_DeleteSvc('nicsk32');
BC_DeleteSvc('ws2_32sik');
BC_DeleteSvc('mferkdk');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.[/CODE]
System will reboot.
Please upload the quarantine according to Appendix #3 of the rules, using the red link in your topic.
Please read carefully: [url]http://virusinfo.info/showthread.php?t=9184[/url] and make all 3 logs as described, and attach them to your next post in this topic. (Use the special AVZ; you don't need to update it.)
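Added example, not part of the original post and not AVZ's own code: a short Python check that reads an AVZ script like the one above before it is run and lists files that are deleted without being quarantined first, files that are quarantined but kept, and repeated service deletions. The sample is a constructed subset of the script's lines; `audit` and its result keys are hypothetical names.

```python
import re

# Constructed sample: a subset of the lines from the script posted above.
SAMPLE = r"""begin
 QuarantineFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\nchssvad.sys','');
 QuarantineFile('C:\WINDOWS\AdobeR.exe','');
 DeleteFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys');
 DeleteFile('C:\WINDOWS\AdobeR.exe');
 DeleteFile('C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys');
 BC_DeleteSvc('ws2_32sik');
 BC_DeleteSvc('mferkdk');
 BC_DeleteSvc('mferkdk');
end."""

# Matches  Name('first argument'  at the start of a script line.
CALL = re.compile(r"^\s*(\w+)\s*\(\s*'([^']*)'", re.MULTILINE)

def audit(script):
    """Summarise what an AVZ script would quarantine, delete and unregister."""
    quarantined, deleted, services = [], [], []
    for name, arg in CALL.findall(script):
        key = arg.lower()          # Windows paths and service names ignore case
        name = name.lower()        # the script language ignores case too
        if name == "quarantinefile":
            quarantined.append(key)
        elif name == "deletefile":
            deleted.append(key)
        elif name == "bc_deletesvc":
            services.append(key)
    # Note: 8.3 short paths (DOCUME~1) are compared as written, not expanded.
    return {
        "deleted_without_quarantine": [p for p in deleted if p not in quarantined],
        "quarantined_only": [p for p in quarantined if p not in deleted],
        "duplicate_service_deletes": sorted({s for s in services if services.count(s) > 1}),
    }

if __name__ == "__main__":
    for heading, items in audit(SAMPLE).items():
        print(heading)
        for item in items:
            print("   ", item)
```

A file listed under `deleted_without_quarantine` leaves no copy to upload for analysis or to restore if the deletion turns out to be a false positive.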
-
Attachments: 3
ok, I hope I'll get by.. I'll let u know when I finish
Thanx a lot!
hey, I hope I did this well..
-
You forgot to upload the quarantine.
[code]Please upload quarantine according to Appendix# 3 of rules by red link in your topic.[/code]
use link: [url]http://virusinfo.info/upload_virus_eng.php?tid=42216[/url]
No quarantine, no help.
-
oh ok.. please tell me how to upload the quarantine?
I don't get this part: Enter the list of files which were asked to send in the top window
which is that part?
Upload result
File saved as 090322_184539_virus_49c65d233f140.zip
File size 1260798
MD5 ef360403e0cae74b3eabac255c55d399
File uploaded, thank you!
is that it ?
-
Please execute this script in AVZ (how-to: [url]http://virusinfo.info/showthread.php?t=9207[/url]). ([B]Do remember[/B], before executing scripts, to exit your antivirus, disconnect from the internet and disable [B]System Restore[/B].)
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
StopService('fsssvc');
QuarantineFile('C:\Program Files\Windows Live\Family Safety\fsssvc.exe','');
QuarantineFile('C:\Program Files\Common Files\Windows Live\.cache\2a2686e81c99515\fssclient_x86.msi','');
QuarantineFile('C:\WINDOWS\Installer\382bbf.msi','');
DeleteService('Bonjour Service');
DeleteFile('%programfiles%\bonjour\mdnsresponder.exe');
DeleteFile('%programfiles%\bonjour\mdnsNSP.dll');
DeleteFile('C:\WINDOWS\Installer\382bbf.msi');
DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\2a2686e81c99515\fssclient_x86.msi');
DeleteFile('C:\Program Files\Windows Live\Family Safety\fsssvc.exe');
DeleteService('fsssvc');
BC_DeleteSvc('fsssvc');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(false);
RebootWindows(true);
end.[/CODE]
System will reboot.
Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool [URL="http://support.microsoft.com/?scid=kb%3Ben-us%3B315246&x=17&y=6"]cleanmgr[/URL] or [URL="http://www.ccleaner.com/"]CCleaner[/URL] or [URL="http://www.clearprog.de/"]ClearProg[/URL]
Please upload the quarantine according to Appendix #3 of the rules, using the red link in your topic.
Please read carefully: [url]http://virusinfo.info/showthread.php?t=9184[/url] and make all 3 logs as described, and attach them to your next post in this topic. (Use the special AVZ; you don't need to update it.)
-
Attachments: 3
here u go sir, I'm gonna upload the quarantine file on that link that u gave me in the previous msg
Upload result
File saved as 090322_201422_virus_49c671ee5b577.zip
File size 5396306
MD5 0a21a4ee77c44684d4d224488c4dfd0d
File uploaded, thank you!
-
Almost :)
Fix this in HijackThis:
[code]O4 - HKLM\..\Run: [PremierOpinion] C:\Program Files\PremierOpinion\pmropn.exe -boot
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
[/code]
then, execute this script in avz:
[code]begin
Clearquarantine;
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe','');
QuarantineFile('C:\Program Files\Common Files\Windows Live\.cache\301ddec01c9847c\fssclient_x86.msi','');
QuarantineFile('C:\Program Files\PremierOpinion\pmropn.exe','');
DeleteFile('C:\Program Files\PremierOpinion\pmropn.exe');
DeleteFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe');
DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\301ddec01c9847c\fssclient_x86.msi');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.[/code]
Again, a new quarantine upload by red link only.
Make new logs
[code] virusinfo_syscure.zip
virusinfo_syscheck.zip
hijackthis.log [/code]
-
Attachments: 4
cool :)
wait, I didn't read ur note about fixing that in hijack.. I'll do the hijack again
[size="1"][color="#666686"][B][I]Added after 4 minutes[/I][/B][/color][/size]
can u explain how I can fix things in hijack?
[size="1"][color="#666686"][B][I]Added after 8 minutes[/I][/B][/color][/size]
hey I'm sorry cause I'm far from professional but I can find only that bonjour..
2nd hijack
-
How to fix: [url]http://virusinfo.info/showthread.php?t=9206[/url]
-
ok, I fixed that bonjour thing, but I can find the first one - O4 - HKLM\..\Run: [PremierOpinion] C:\Program Files\PremierOpinion\pmropn.exe -boot
[size="1"][color="#666686"][B][I]Added after 2 minutes[/I][/B][/color][/size]
sorry, I CAN'T *
-
It is ok, if you can't find this line - it is gone :)
I don't see any sign of infection anymore. But it is very important to update or uninstall your Acrobat Reader. You can be infected through this application, because it is quite popular and has well-documented exploits :)
-
woow really? Thanx soooo much !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! :)))))))
one more question: when I open internet explorer, every time WINDOWS INSTALLER turns on.. what should I do?
[size="1"][color="#666686"][B][I]Added after 44 seconds[/I][/B][/color][/size]
or microsoft office xp professional with front page installer or some windows installer with kind of network icon turns on..
[size="1"][color="#666686"][B][I]Added after 51 minutes[/I][/B][/color][/size]
they are asking for some fssclienx_x86.msi and when I wanted to install it, it couldn't cause it says that a newer version is in my comp
-
About Internet Explorer - uninstall it and install the latest version from the official site ;)
Nevertheless, I don't recommend using Internet Explorer on the internet, because it can't be configured to be secure and useful at the same time; even their latest version, 8.0, can't.
Use Firefox + the NoScript add-on.
About Office XP Professional - I don't know, perhaps some update is missing. Sometimes it helps to update the Windows Installer from the Windows Update site ;)
Use an alternative if such problems persist.
[url]http://www.koffice.org/[/url]
[url]http://download.openoffice.org/index.html[/url]
-
regards from firefox ;)
I'm on mozilla and it's great!
all my problems fixed !! :)) thanx a lottttttt !!!!!!!!1
love ur lab forum :))))))))))))))))))))))))))
regards from Montenegro :))
[size="1"][color="#666686"][B][I]Added after 4 hours 30 minutes[/I][/B][/color][/size]
one more issue and I'm gone - I have problem 0x8007007e when I try to sign in to my msn.. I guess some DLL file is missing, so how can I figure out which one?
-
remember in firefox to install NoScript [url]https://addons.mozilla.org/en-US/firefox/addon/722[/url], and use it with wisdom :)
try this instruction: [url]http://www.petri.co.il/wu_problems_8007007e.htm[/url]
-
ok thanx a lot !! thanx !!!!!!!!!!!!!