I can only work in safe mode. Here is my log.
I hope I did this right.
Hello.
Execute the script: [code]begin
QuarantineFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll','');
QuarantineFile('C:\WINDOWS\system32\nubipana.dll','');
QuarantineFile('c:\windows\system32\wefojuho.dll','');
QuarantineFile('C:\WINDOWS\system32\olhcwe80w.dll','');
QuarantineFile('C:\Documents and Settings\Compaq_Administrator\Application Data\svcst.exe','');
QuarantineFile('C:\WINDOWS\\SystemRoot\\SystemRoot\system32\DRIVERS\sr.sys','');
QuarantineFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys','');
QuarantineFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys','');
QuarantineFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll','');
QuarantineFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll','');
DeleteFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll');
BC_DeleteFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll');
DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
BC_DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
DeleteFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys');
BC_DeleteFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys');
DeleteFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys');
BC_DeleteFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys');
DeleteFile('C:\Documents and Settings\Compaq_Administrator\Application Data\svcst.exe');
BC_DeleteFile('C:\Documents and Settings\Compaq_Administrator\Application Data\svcst.exe');
DeleteFile('C:\WINDOWS\system32\olhcwe80w.dll');
BC_DeleteFile('C:\WINDOWS\system32\olhcwe80w.dll');
DeleteFile('c:\windows\system32\wefojuho.dll');
BC_DeleteFile('c:\windows\system32\wefojuho.dll');
DeleteFile('C:\WINDOWS\system32\nubipana.dll');
BC_DeleteFile('C:\WINDOWS\system32\nubipana.dll');
DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll');
BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll');
DeleteService('jswmidin');
DeleteService('lfzekafgucza');
BC_DeleteSvc('jswmidin');
BC_DeleteSvc('lfzekafgucza');
DelBHO('{3041d03e-fd4b-44e0-b742-2d9b88305f98}');
BC_ImportquarantineList;
BC_Activate;
ExecuteSysClean;
end.[/code] After the restart, try to start in normal mode. If the system starts, upload the quarantine via the link [url]http://virusinfo.info/upload_virus_eng.php?tid=55823[/url], as described in app. 3 of [url=http://virusinfo.info/showthread.php?t=9184]the rules[/url], and make new logs (you had better make 3 logs, as described in the rules). If the system doesn't start, make the same logs in safe mode.
I am not sure what files you want sent by "upload quarantine"... can you help? Thanks
[QUOTE=liwesas;475946]I am not sure what files you want sent by upload quarantine...can you help? thanks[/QUOTE]
After the first script just execute the second: [code]begin
createqurantinearchive('c:\quarantine.zip');
end.[/code] After this script runs, the file c:\quarantine.zip will be created. Upload it via the link [url]http://virusinfo.info/upload_virus_eng.php?tid=55823[/url]
Now I am trying to attach the files for the logs. I cannot find this:
[B]"Healing/Quarantine and Advanced System Analysis"[/B]
I have been able to do the other two scans...
Hello again.
I'm sorry, but the logs you've attached are not quite the logs I expected to see. The HijackThis log is OK, but you've missed the AVZ logs. Look in the "Log" sub-folder in AVZ's folder. There should be two archives there: virusinfo_syscure.zip and virusinfo_syscheck.zip. Those are the logs I expected to see; just attach them to your post here.
The other I cannot do because there is no link for
[B]Healing/Quarantine and Advanced System Analysis in the AVZ.[/B]
[B]Anyway, I think I have the right one now.[/B]
[QUOTE]Attention !!! Database was last updated 8/21/2009 it is necessary to update the database (via File - Database update)[/QUOTE]
1. Update the AVZ database (File/Database Update).
2. Execute the script in AVZ:
[CODE]begin
ExecuteRepair(13);
SetAVZPMStatus(True);
RebootWindows(true);
end.[/CODE]
3. Attach a new [B]virusinfo_syscheck.zip.[/B]
I think I did the last one wrong.
:clapping:
1. Please disable System Restore and your antivirus (if you have one).
2. Execute the script in AVZ:
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
DeleteFile('\systemroot\system32\drivers\gasfkymrmneltp.sys');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(13);
BC_Activate;
RebootWindows(true);
end.[/CODE]
3. [URL="http://virusinfo.info/showthread.php?t=9206"]Fix with HijackThis:[/URL]
[QUOTE]O2 - BHO: (no name) - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\olhcwe80w.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\olhcwe80w.dll (file missing)
O20 - AppInit_DLLs: nubipana.dll
O21 - SSODL: putefezad - {92837540-9f4f-4132-932d-ff7214f5b733} - (no file)[/QUOTE]
4. Attach a new [B]virusinfo_syscheck.zip.[/B]
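The O2/O20/O21 lines quoted in the HijackThis fix above have a fixed shape (section - kind: name - {CLSID} - path (status)), so they can be parsed and triaged mechanically. The Python below is an added example written for this page; it is not a tool from the thread or from the HijackThis project. The sample lines are copied from the post above, and the triage rules (flag any AppInit_DLLs entry, flag any COM registration whose file is gone or that has no real display name) are my own assumptions, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: the HijackThis lines quoted in the post above (raw string, so
# the Windows backslashes stay exactly as written in the log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\olhcwe80w.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\olhcwe80w.dll (file missing)
O20 - AppInit_DLLs: nubipana.dll
O21 - SSODL: putefezad - {92837540-9f4f-4132-932d-ff7214f5b733} - (no file)
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
LINE_RE = re.compile(r"^O(?P<num>\d+) - (?P<kind>[^:]+): (?P<body>.*)$")
COM_RE = re.compile(rf"^(?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<rest>.*)$")


@dataclass
class Entry:
    section: str                  # "O2", "O20", "O21"
    kind: str                     # "BHO", "AppInit_DLLs", "SSODL"
    name: str                     # display name, or the raw value for O20
    clsid: Optional[str] = None   # normalised to upper case
    path: Optional[str] = None    # file HijackThis resolved, if any
    file_missing: bool = False    # "(no file)" or "(file missing)"


def parse_hjt(text: str) -> List[Entry]:
    """Parse the O-lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # not an O-line (header, blank, ...)
        e = Entry(section="O" + m["num"], kind=m["kind"], name=m["body"])
        cm = COM_RE.match(m["body"])
        if cm:                            # COM-style: name - {CLSID} - path (status)
            e.name, e.clsid = cm["name"], cm["clsid"].upper()
            rest = cm["rest"].strip()
            if rest == "(no file)":
                e.file_missing = True
            elif rest.endswith("(file missing)"):
                e.path = rest[: -len("(file missing)")].strip()
                e.file_missing = True
            else:
                e.path = rest
        entries.append(e)
    return entries


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) for the lines a helper would normally fix.
    These rules are assumptions made for this example, not HijackThis logic."""
    findings = []
    for e in entries:
        if e.kind == "AppInit_DLLs":
            # Loaded into every process that maps user32.dll; rarely legitimate.
            findings.append((e, "AppInit_DLLs injects this DLL into every GUI process"))
        elif e.file_missing:
            findings.append((e, f"orphaned {e.kind} registration, file no longer on disk"))
        elif e.name == "(no name)" or e.name == e.path:
            findings.append((e, f"{e.kind} registered without a real display name"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{entry.section} {entry.clsid or entry.name}: {reason}")
```

Run it as a script to list the five entries with the reason each one is flagged; feed `parse_hjt` a full log to pick the O-lines out of the rest of the report.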
in the properties area of my computer. If I try to go into System Restore it tells me that it cannot protect my computer and to reboot and open it again. I have rebooted and it is not helping. Any ideas?
Skip this item.
I tried to disable my AVG antivirus but could only disable the Resident Shield; otherwise I think I would have had to uninstall the whole thing.
[URL="http://www.gmer.net"]Make a log with GMER.[/URL]
I hope I did it right
thanks again
Lisa
1. Close all open documents as this will reboot your PC.
2. Double-click on gmer.exe to launch GMER. If it warns you about rootkit activity and asks if you want to run a scan, click No/Cancel.
3. Click on the >>> tab. This will open up the rest of the tabs for you.
4. Click on the CMD tab. Make sure CMD.EXE is selected.
5. Now highlight the contents of the codebox below and copy them to the clipboard by pressing Ctrl+C.
[CODE]gmer.exe -killall
gmer.exe -del service gasfkyuknoxflj
gmer.exe -del file "c:\windows\system32\drivers\gasfkymrmneltp.sys"
gmer.exe -del file "c:\windows\system32\gasfkyhwvxkegq.dll"
gmer.exe -del file "c:\windows\system32\gasfkyitmpnyoa.dat"
gmer.exe -del file "c:\windows\system32\gasfkypipmkorx.dll"
gmer.exe -del file "c:\windows\system32\gasfkytdbsdqlr.dat"
gmer.exe -del file "c:\windows\system32\gasfkywqgkvdkx.dll"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\gasfkyuknoxflj"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\gasfkyuknoxflj"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuknoxflj"
gmer.exe -reboot[/CODE]
6. Paste the contents into the top black box in GMER by using ctrl+v.
7. Click Run, the script will run and then your PC will be rebooted.
8. After the reboot, rerun GMER and attach the new log file.
9. Execute the script in AVZ:
[CODE]begin
ClearHostsFile;
DeleteFile('D:\autorun.inf');
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
RebootWindows(true);
end.[/CODE]
10. Attach a new [B]virusinfo_syscheck.zip.[/B]
After running GMER I had to manually reboot.
It would not let me upload the AVZ file; it said I already uploaded it?
1. Edit the hosts file and save it.
[QUOTE]C:\windows\system32\drivers\etc\hosts[/QUOTE]
This is the original hosts file.
[CODE]# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost[/CODE]
[COLOR="Red"][B]Attention: this file has no extension![/B][/COLOR]
2. Execute the script in AVZ:
[CODE]begin
DeleteFile('D:\autorun.inf');
ExecuteSysClean;
ExecuteWizard('TSW', 3, 3, true);
RebootWindows(true);
end.[/CODE]
3. Attach a new [B]virusinfo_syscheck.zip.[/B]
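The ClearHostsFile step and the stock hosts file quoted above amount to one check: the only active mapping in a clean file is 127.0.0.1 localhost. Anything else is either a block (a name pointed at loopback or 0.0.0.0, the usual way malware cuts a machine off from antivirus update servers) or a redirect to some other address. The Python below is an added example for this page, not part of the thread or of AVZ. The sample hosts file is constructed here with reserved example.com/example.net names and a documentation-range address; treating "::1 localhost" as stock is an assumption for newer Windows versions (the XP file above has only the IPv4 line), and `clean_hosts` only returns a string, it does not touch the real file.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample (not from the thread): the stock header plus three
# injected mappings using reserved example names and a documentation address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example.com      # sinkholes an update server
0.0.0.0         download.example.com
192.0.2.10      www.example.net         # sends a site somewhere else
"""

# The only mappings a stock Windows hosts file carries. The XP file quoted
# above has just the IPv4 line; "::1 localhost" is assumed for later versions.
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: Tuple[str, ...]


class Finding(NamedTuple):
    entry: HostsEntry   # only the non-stock names of that line
    verdict: str        # "block" (loopback/unspecified target) or "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Return the active (non-comment) mappings, one record per line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()      # drop trailing comments
        parts = body.split()
        if len(parts) < 2:
            continue                              # blank, comment-only or malformed
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # first token is not an address
        entries.append(HostsEntry(n, parts[0], tuple(parts[1:])))
    return entries


def audit_hosts(text: str) -> List[Finding]:
    """Flag every mapping that is not part of the stock file."""
    findings = []
    for e in parse_hosts(text):
        foreign = tuple(nm for nm in e.names if (e.ip, nm.lower()) not in STOCK_ENTRIES)
        if not foreign:
            continue
        addr = ipaddress.ip_address(e.ip)
        verdict = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append(Finding(e._replace(names=foreign), verdict))
    return findings


def clean_hosts(text: str) -> str:
    """Return the file text with every flagged line removed; comments are kept.
    Mirrors the intent of the ClearHostsFile step (assumption; AVZ's exact
    behaviour is not documented here). Nothing is written to disk."""
    bad = {f.entry.lineno for f in audit_hosts(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.entry.lineno}: {f.verdict:8} {f.entry.ip} -> {', '.join(f.entry.names)}")
```

To check a real machine, read C:\windows\system32\drivers\etc\hosts (no extension, as the post warns) and pass its contents to `audit_hosts`; an empty result means the file is effectively stock. A line that mixes a stock name with a foreign one is removed whole by `clean_hosts`, so review the findings before replacing the file.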
Hope I did it right.
It would not let me upload the file; it says I already uploaded it. It seems like it is not saving before it reboots.
How are things looking?
Delete old attachments and try again.
Replace the hosts file. Your log file seems to be clean. Do you have any other problems?
It says it is infected with a packed Monder and it moved it to the Virus Vault? Also I still cannot access System Restore. Other than that it seems to be running OK.
[QUOTE=liwesas;478123]it says it is infected with a packed monder and it moved it to the virus vault? ALso I still cannot access the system restore. Other than that it seems to be running ok.[/QUOTE]What is infected? If you got some alerts while the antivirus scan was running, that's OK: we can only see an active infection in the logs. We cannot see infected files that are inactive, so we can't help you get rid of all of them; only a full antivirus scan can. As for System Restore, try these steps:
Run AVZ - upper menu "File" - "System restore" - select items 6 ("Delete all current user policies") and 17 ("Unlock Registry Editor") - and press "Execute selected operations". You had better restart your PC after that. After the restart, try to turn System Restore on again.
system restore and it is still doing the same thing. It opens but that box comes up and it will not let me into it at all. Other than that things look awesome! How do I keep it this way! :) :clapping::beer:
to both of you for helping me!! :clapping::clapping::clapping::clapping::beer::beer::beer: