-
Attachments: 2
Advance Virus Remover
Since this morning, from the moment I started the computer, the desktop has been replaced with one saying that the computer is infected. A program in c:/program/advancevirusremovar/pavrm.exe is running in the background and is not allowing any DOS program to work. It says 'the program is infected.'
I've run avz4 and KVRT 7.0, but cannot locate the zip file afterwards. I've run HijackThis.
Please help
-
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- [URL="http://virusinfo.info/showthread.php?t=9206"]Fix[/URL] with HijackThis
[CODE]F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cognac] C:\WINDOWS\TEMP\b.exe (User 'Default user')
[/CODE]
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual Cure
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\Program Files\AdvancedVirusRemover\PAVRM.exe','');
QuarantineFile('C:\WINDOWS\system32\sdra64.exe','');
QuarantineFile('C:\WINDOWS\system32\winupdate.exe','');
QuarantineFile('C:\WINDOWS\system32\msxml71.dll','');
QuarantineFile('C:\WINDOWS\TEMP\b.exe','');
DeleteFile('C:\WINDOWS\TEMP\b.exe');
DeleteFile('C:\WINDOWS\system32\msxml71.dll');
DeleteFile('C:\WINDOWS\system32\winupdate.exe');
DeleteFile('C:\WINDOWS\system32\sdra64.exe');
DeleteFile('C:\Program Files\AdvancedVirusRemover\PAVRM.exe');
DelBHO('{500BCA15-57A7-4eaf-8143-8C619470B13D}');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.
[/CODE]
After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL] in Manual Cure
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]
- Clean Temp folders, browser caches, Recycler. Use Windows service tool [URL="http://support.microsoft.com/?scid=kb%3Ben-us%3B315246&x=17&y=6"]cleanmgr[/URL] or [URL="http://www.ccleaner.com/"]CCleaner[/URL] or [URL="http://www.clearprog.de/"]ClearProg[/URL]
- Close all the programs and start only Internet Explorer!!!
- Repeat a log file.
- Switch Antivirus and, if you have one, Firewall back on.
- Go On-Line
- Upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.
- Attach a log to your new post.
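
The entries picked out of the HijackThis log above show three patterns that can be checked mechanically: extra programs chained onto Userinit, a BHO with no file behind it, and Run entries launching from a temp directory. The following is an added example, not part of the original post and not code from HijackThis or AVZ, that applies those three heuristics; the function names and the last sample line are constructed for illustration.

```python
import re

# First seven entries are the ones quoted in the post above; the last is a
# constructed benign entry added for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: XML module - {500BCA15-57A7-4eaf-8143-8C619470B13D} - C:\WINDOWS\system32\msxml71.dll
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [Advanced Virus Remover] C:\Program Files\AdvancedVirusRemover\PAVRM.exe
O4 - HKUS\S-1-5-18\..\Run: [Cognac] C:\WINDOWS\TEMP\b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Cognac] C:\WINDOWS\TEMP\b.exe (User 'Default user')
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\app.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def check_userinit(body):
    # Userinit should start only userinit.exe; anything chained after it also runs at logon.
    m = re.search(r"UserInit=(.*)", body, re.I)
    if not m:
        return None
    progs = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [p for p in progs if not p.lower().endswith(r"\system32\userinit.exe")]
    return "extra Userinit program: " + ", ".join(extra) if extra else None

def check_bho(body):
    # A BHO whose DLL is gone is a leftover registration worth cleaning up.
    return "BHO registered but file missing" if body.endswith("(no file)") else None

def check_run(body):
    # Autoruns that live in a temp directory are rarely legitimate.
    m = re.search(r"\]\s+(.+?\.exe)\b", body, re.I)
    if m and "\\temp\\" in m.group(1).lower():
        return "autorun from temp directory: " + m.group(1)
    return None

CHECKS = {"F2": check_userinit, "O2": check_bho, "O4": check_run}

def triage(log_text):
    """Return (section code, reason) for every entry a heuristic flags."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m and m["code"] in CHECKS:
            reason = CHECKS[m["code"]](m["body"])
            if reason:
                findings.append((m["code"], reason))
    return findings
```

Entries such as winupdate.exe and PAVRM.exe sit in ordinary-looking paths and are not caught by these heuristics; flagging them takes the kind of reviewer knowledge applied in the post.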
-
Attachments: 1
Ran the scripts. Once without the system restore off. 2nd time with system restore off. Uploaded the quarantine.zip as instructed.
Presently Adobe CS2 & one DOS program working.
Did not find any balloons from Advance Virus Remover after reboot. Desktop is not changing to the normal. It is not working.
HijackThis log file is not getting attached. Attaching virusinfo_syscheck.zip
Thank You.
Debansu
ps: I wanted to donate but the link under your post is in Russian. I couldn't understand what to do. I've never used paypal.
-
Switch off/Disable:
- Antivirus and, if you have one, Firewall.
- System Restore
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute following script[/URL] in Manual Cure
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('C:\WINDOWS\SaveStartDate.Exe','');
DeleteFile('C:\WINDOWS\SaveStartDate.Exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(1);
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(11);
ExecuteRepair(16);
ExecuteRepair(17);
RebootWindows(true);
end.
[/CODE]
After reboot [URL="http://virusinfo.info/showthread.php?t=9207"]execute following script[/URL] in Manual Cure
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]
- Clean Temp folders, browser caches, Recycler. Use Windows service tool [URL="http://support.microsoft.com/?scid=kb%3Ben-us%3B315246&x=17&y=6"]cleanmgr[/URL] or [URL="http://www.ccleaner.com/"]CCleaner[/URL] or [URL="http://www.clearprog.de/"]ClearProg[/URL]
- Close all the programs and start only Internet Explorer!!!
- Repeat a log file.
- Switch Antivirus and, if you have one, Firewall back on.
- Go On-Line
- Upload the C:\quarantine.zip over the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] on the top of this page.
- Attach a log to your new post.
__________________________________________________________________________
[QUOTE=debansu1952;422270]I wanted to donate but the link under your post is in Russian. I couldn't understand what to do. [/QUOTE]Thank you very much :)
To use PayPal or moneybookers.com you need to have a reference bank account, be authorized there and get a personal account. For payers, using PayPal is free; at moneybookers.com all payments are charged a small fee.
Alternatively, you can use Western Union. This system works especially with cash payments and the fee is relatively high. Please search the internet for the legal conditions in your country and contact our administrator [B]anton_dr[/B] by PM.
-
Attachments: 1
Ran the script as instructed.
Desktop once again in working condition.
Quarantine file uploaded.
virusinfo_syscheck.zip attached.
Thanks
Debansu
[QUOTE=Rene-gad;422286]
__________________________________________________________________________
contact our administrator [B]anton_dr[/B] per PM.[/QUOTE]
PMed anton_dr.
Thanks once again.
Debansu
-
[QUOTE=debansu1952;422364]
virusinfo_syscheck.zip attached. [/QUOTE]Pls. make all 3 logs (as written in the rules)
-
Attachments: 2
Once again ran AVZ and HijackThis. Logs attached.
The uploader is not accepting the HijackThis log file. Says [B]"You have already attached this file"[/B] even after I renamed it "hijackthis_redone".
-
[QUOTE=debansu1952;422461] Says [B]"You have already attached this file"[/B] even after I renamed it "hijackthis_redone".[/QUOTE]The upload engine checks the MD5 sum of the file. In your case, you are trying to upload the old file for the 2nd time. Delete the old HJT log from your PC or rename it to prevent mixing it up with a new one, make a new log and attach it. Finding two files with the same MD5 sum is like finding 2 people with the same fingerprints.
The logs are looking OK. Any more problems?
-
Attachments: 2
No, not any more. It's almost midnight over here. May I upload the hjt tomorrow?
Thank you a lot.
Debansu
Attaching. Attached.
Thanks
-
Remove all the jobs from Task Scheduler and stop the Task Scheduler service.
Install IE8
Keep your system up to date; check the settings for automatic updates in Windows Security Center.
-
I don't have any scheduled task as of now.
Using CCleaner every alternate day. Virus check once a week.
Is there any problem with Mozilla Firefox? I use the latest version of the same. Not IE.
My Windows and KIS 2009 are up to date as of now. Both are on Auto Update.
Thanks
-
[QUOTE=debansu1952;422936]
I use the latest version of the same. Not IE. [/QUOTE]It's not relevant: IE is a part of the OS, all its vulnerabilities are automatically the system's ones.
-