# packed.generic.200 virus

1. ## packed.generic.200 virus

I have installed and used the following: Combo Fix, Gmer rootkit, Root Repeal (didn't work), ATF Cleaner, and now I am using Kaspersky's manual fix option. It has brought me here to send reports (attached). I am awaiting a script to paste in the Kas. window to exec. My avf file will not upload onto this site??

2. Please, don't do anything without our request.
Now disconnect from the internet and disable your Symantec.
Execute this script in AVZ (I know you have it): http://virusinfo.info/showthread.php?t=9207
Code:
```
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DelBHO('{07B18EA9-A523-4961-B6BB-170DE4475CCA}');
DelBHO('{07B18EA1-A523-4961-B6BB-170DE4475CCA}');
DelBHO('{02478D38-C3F9-4efb-9B51-7695ECA05670}');
QuarantineFile('C:\WINDOWS\system32\ps2.exe','');
QuarantineFile('C:\Program Files\MX610LL\MX610LL.exe','');
QuarantineFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe','');
QuarantineFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe','');
QuarantineFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL','');
DeleteService('rootrepeal');
QuarantineFile('C:\WINDOWS\system32\drivers\rootrepeal.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\AEC6710D.sys','');
QuarantineFile('C:\WINDOWS\System32\drivers\CdaC15BA.SYS','');
QuarantineFile('C:\WINDOWS\system32\UACunhsvgrq.dll','');
TerminateProcessByName('c:\progra~1\mywebs~1\bar\2.bin\m3srchmn.exe');
QuarantineFile('c:\progra~1\mywebs~1\bar\2.bin\m3srchmn.exe','');
DeleteFile('c:\progra~1\mywebs~1\bar\2.bin\m3srchmn.exe');
DeleteFile('C:\WINDOWS\system32\UACunhsvgrq.dll');
DeleteFile('C:\WINDOWS\system32\drivers\rootrepeal.sys');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.
```

After that, make a set of logs according to the rules: http://virusinfo.info/showthread.php?t=9184

Upgrade Acrobat Reader, or better, remove it altogether. You can use, for example: http://portableapps.com/apps/office/...a_pdf_portable

3. ## Ok, I have exec...

I have executed the script that you gave me. What do I do next?

4. quarantine,
new logs...

5. I have got the new reports, attached. Acrobat has been updated, and I am having problems trying to get a quarantine file in AVZ; the quarantine is empty. How do I get them?

Are you there?

6. Where is the log virusinfo_syscure.zip?

7. Is this it? I am from the US. Our hours are much different. Sorry for the delay.

8. No, your file is wrong.

Instructions on how to create virusinfo_syscure.zip:
Read carefully, especially the part: Analysis 1

9. ## New Logs

Thanks, I have attached a new set of logs as directed in the rules. Thank you for your patience.

10. Do you need BackWeb? I suggest you go to Add/Remove Programs and uninstall it. It is a kind of nasty program.

Don't forget to disable Norton Antivirus and disconnect from the internet; only then execute this script in AVZ:
Code:
```
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\COUPON~1.OCX','');
QuarantineFile('C:\Program Files\NetZero\qsacc\X1IEBHO.dll','');
QuarantineFile('C:\WINDOWS\system32\ps2.exe','');
QuarantineFile('C:\WINDOWS\system32\UACphwtkuin.dll','');
QuarantineFile('C:\WINDOWS\system32\UACqeystrqv.dll','');
QuarantineFile('C:\WINDOWS\system32\UACsyxarhca.dll','');
QuarantineFile('C:\WINDOWS\system32\UACtuaiisko.dll','');
QuarantineFile('C:\WINDOWS\system32\drivers\UACagvatkkj.sys','');
DeleteService('MyWebSearchService');
QuarantineFile('\\?\globalroot\systemroot\system32\UACqeystrqv.dll','');
DeleteFile('\\?\globalroot\systemroot\system32\UACqeystrqv.dll');
DeleteFile('C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe');
DeleteFile('C:\WINDOWS\system32\ps2.exe');
DeleteFile('C:\WINDOWS\system32\UACphwtkuin.dll');
DeleteFile('C:\WINDOWS\system32\UACqeystrqv.dll');
DeleteFile('C:\WINDOWS\system32\UACsyxarhca.dll');
DeleteFile('C:\WINDOWS\system32\UACtuaiisko.dll');
DeleteFile('C:\WINDOWS\system32\drivers\UACagvatkkj.sys');
DeleteFile('C:\WINDOWS\COUPON~1.OCX');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
SetAVZPMStatus(true);
RebootWindows(true);
end.
```
The system will reboot.
The AVZ database was last updated 2/8/2009; it is necessary to update the databases using automatic updates (File/Database update). Please do update, then make a set of new logs and attach them to your next post in this topic.
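The scripts in posts 2 and 10 are executed by AVZ with guard mode on, so it is worth knowing, before pasting one in, exactly which files it will quarantine or delete and which it deletes without a quarantine copy (nothing is left to send for analysis or restore if the file turns out to be legitimate). The following Python checker is an added example written for this thread; it is not part of AVZ and not something Drongo or the virusinfo.info rules provide. It parses a script in the format shown above and summarises its file, service and BHO actions. `SAMPLE_SCRIPT` is a constructed fragment in the same style as the posted scripts, and `SYSTEM_ROOT` assumes `%SystemRoot%` is `C:\WINDOWS`, which is what the paths in the thread suggest, so that the `\\?\globalroot\systemroot\...` spelling of a path is folded onto the plain `C:\WINDOWS\...` one.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the AVZ scripts posted in this thread (not a real script from the page).
SAMPLE_SCRIPT = r"""
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\UACqeystrqv.dll','');
QuarantineFile('\\?\globalroot\systemroot\system32\UACqeystrqv.dll','');
DeleteService('MyWebSearchService');
DeleteFile('\\?\globalroot\systemroot\system32\UACqeystrqv.dll');
DeleteFile('C:\WINDOWS\system32\UACqeystrqv.dll');
DeleteFile('C:\WINDOWS\system32\ps2.exe');
TerminateProcessByName('c:\progra~1\mywebs~1\bar\2.bin\m3srchmn.exe');
QuarantineFile('c:\progra~1\mywebs~1\bar\2.bin\m3srchmn.exe','');
DeleteFile('c:\progra~1\mywebs~1\bar\2.bin\m3srchmn.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
"""

# Assumption: %SystemRoot% is C:\WINDOWS on the affected machine, as the thread's paths suggest.
SYSTEM_ROOT = r"c:\windows"

# One AVZ statement per line: Name; or Name(args);
STATEMENT_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*(?:\((.*)\))?\s*;\s*$")
FILE_ACTIONS = {"QuarantineFile", "DeleteFile", "TerminateProcessByName"}


def parse_avz_script(text):
    """Return [(procedure, [args...])] for each statement between begin and end."""
    statements = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.lower() in ("begin", "end."):
            continue
        m = STATEMENT_RE.match(stripped)
        if not m:
            raise ValueError(f"unrecognised AVZ statement: {stripped!r}")
        name, raw_args = m.group(1), m.group(2) or ""
        # Arguments are either quoted strings ('...') or bare words (true, 6).
        pairs = re.findall(r"'([^']*)'|([A-Za-z0-9_]+)", raw_args)
        statements.append((name, [quoted or bare for quoted, bare in pairs]))
    return statements


def normalize_path(path):
    """Lower-case the path and fold the \\?\globalroot\systemroot alias onto SYSTEM_ROOT."""
    p = path.lower()
    alias = r"\\?\globalroot\systemroot"
    if p.startswith(alias):
        p = SYSTEM_ROOT + p[len(alias):]
    return p


def file_actions(statements):
    """Map each referenced file (normalised) to the set of actions the script applies to it."""
    actions = defaultdict(set)
    for name, args in statements:
        if name in FILE_ACTIONS and args:
            actions[normalize_path(args[0])].add(name)
    return dict(actions)


def deleted_without_quarantine(statements):
    """Files the script deletes but never quarantines first (nothing left to analyse or restore)."""
    acts = file_actions(statements)
    return sorted(p for p, a in acts.items() if "DeleteFile" in a and "QuarantineFile" not in a)


def review(text):
    """Summarise what a script would do, for reading before it is executed."""
    stmts = parse_avz_script(text)
    return {
        "files": file_actions(stmts),
        "services_removed": [a[0] for n, a in stmts if n == "DeleteService"],
        "bhos_removed": [a[0] for n, a in stmts if n == "DelBHO"],
        "reboots": any(n == "RebootWindows" for n, _ in stmts),
        "unquarantined_deletes": deleted_without_quarantine(stmts),
    }


if __name__ == "__main__":
    summary = review(SAMPLE_SCRIPT)
    for path, acts in sorted(summary["files"].items()):
        print(f"{path}: {', '.join(sorted(acts))}")
    print("services removed:", summary["services_removed"])
    print("BHOs removed:", summary["bhos_removed"])
    print("reboots:", summary["reboots"])
    print("deleted without quarantine:", summary["unquarantined_deletes"])
```

Run against the sample, the two spellings of `UACqeystrqv.dll` collapse to one entry that is both quarantined and deleted, while `ps2.exe` shows up as deleted with no quarantine copy; on a real script that list is the set of files you would want quarantined first if there is any doubt about them. 8.3 short names such as `PROGRA~1` are left as written, since they cannot be expanded without the machine's file system.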

11. ## back web

There is no program called "BackWeb" in the program list given in my Add/Remove Programs. Should I proceed with the script you gave me?

12. Message from arthur:
There is no program called "BackWeb" in the program list given in my Add/Remove Programs. Should I proceed with the script you gave me?
Yes, proceed.
I will try to find the original uninstaller.

Could you find in Add/Remove Programs something like:
Updates from HP/Compaq Connections
Uninstall it. It should remove your BackWeb client.

13. ## Ok

I have run the script, updated the AVZ database, and created new logs. I am having a problem uploading the quarantine files, because they are not zip files; they are data files. Is there something I can do to turn them into zips and send them? HP also deleted.

14. Message from arthur:
Is there something I can do to turn them into zips and send them?
File/Quarantine folder viewer.

15. Code:
Appendix 3. How to send us requested files.

1. Start AVZ, choose from the menu "File"-> "Quarantine folder viewer ".
2. Mark files in the list which should be sent.
3. Click "Archive" and specify a place on the disk where the archive should be kept. We recommend to accept the default filename, i.e. virus.zip.
4. Upload the archive using the download link (Upload quarantined files) at the top of your thread (the "thread link" field will be filled automatically), or use this link: http://virusinfo.info/upload_virus_eng.php, where you need to fill the "thread link" field manually. (It should look like httр: // virusinfo.info/showthread.php?t=XXXX).

16. ## Uploaded Quarantine files

Thank you for your patience. This morning my system has not been showing any signs of the virus in Norton and is working quite well. No unusual search problems or strange activity. Am I clean?

17. I don't see anything unusual either.
The BackWeb client's DLL still exists; let's remove it along with AVZ's traces.
Execute this script in AVZ:
Code:
```
begin
SetAVZGuardStatus(true);
SetAVZPMStatus(false);
ExecuteStdScr(6);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
```
After the restart you will be able to delete the \BackWeb\ folder in C:\Program Files\ manually.
You should upgrade Acrobat Reader, or uninstall it and use an alternative (for example: http://portableapps.com/apps/office/...a_pdf_portable ).
Uninstall Kaspersky Virus Removal Tool.
You may now enable System Restore, or, much better, use another program to create an image of your system disk, like Acronis, Norton GoBack, etc.

P.S. You are welcome to click "Thanks", and you are welcome to help us too:

18. ## Sent packed generic...Packing its bags! YES!

Drongo,
I cannot express my gratitude enough. You are a genius! Thank you SO much, my friend. I uploaded the clean files successfully to help out. It has been an honor working with you. Again, thank you!