hey experts :)

**Irena1809** · 21.03.2009, 23:38

Hey , I ve had terrible problems with my computer lately. First it couldnt move at all , it couldnt even start SYSTEM RESTOre and afrer some 100 hours-waited installation I succed in re-installin SYSTEM RESTORE tool and then it started moving but with difficulties.. Now , my kaspersky keep telling me about viruses that I thought I have removed..
So please, try to help me !
tnx !

**drongo** · 22.03.2009, 12:54

Hi!
Please, exactly follow the instructions:

Download special avz in my signature.
Please execute this script in avz( how-to: http://virusinfo.info/showthread.php?t=9207) (Do remember before execution scripts to exit antivirus and disconnect from internet, disable System Restore )

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\KCFG32.CPL','');
 QuarantineFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe','');
 DelBHO('{02478D38-C3F9-4efb-9B51-7695ECA05670}');
 DelBHO('{5C255C8A-E604-49b4-9D64-90988571CECB}');
 DelBHO('{31FC1F5B-A825-4335-827F-9A604838884A}');
 QuarantineFile('C:\WINDOWS\AdobeR.exe','');
 QuarantineFile('C:\Program Files\WordWeb\wweb32.exe','');
 QuarantineFile('C:\Documents and Settings\All Users\Application Data\part dead amok eggs\cool chin.exe','');
 QuarantineFile('C:\Documents and Settings\All Users\Application Data\Mail For File Wave\Blue Cool.exe','');
 QuarantineFile('C:\DOCUME~1\BOY200~1\APPLIC~1\INTERN~1\Drv blue.exe','');
 QuarantineFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\nicsk32.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\nchssvad.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\fips32cup.sys','');
 QuarantineFile('C:\WINDOWS\system32\drivers\amd64si.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\PxHelp20.sys','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys','');   
 DeleteFile('C:\WINDOWS\system32\drivers\ws2_32sik.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\nicsk32.sys');
  DeleteFile('C:\WINDOWS\system32\drivers\fips32cup.sys');
 DeleteFile('C:\WINDOWS\system32\drivers\amd64si.sys');
 DeleteFile('C:\DOCUME~1\BOY200~1\APPLIC~1\INTERN~1\Drv blue.exe');
 DeleteFile('C:\Documents and Settings\All Users\Application Data\Mail For File Wave\Blue Cool.exe');
 DeleteFile('C:\Documents and Settings\All Users\Application Data\part dead amok eggs\cool chin.exe');
 DeleteFile('C:\WINDOWS\AdobeR.exe');
 DeleteFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe');
 DeleteFile('C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys');
BC_DeleteSvc('amd64si');
BC_DeleteSvc('mferkdk');
BC_DeleteSvc('fips32cup');
BC_DeleteSvc('nicsk32');
BC_DeleteSvc('ws2_32sik');
BC_DeleteSvc('mferkdk');
BC_ImportAll;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
BC_Activate;
SetAVZPMStatus(true);
RebootWindows(true);
end.

System will reboot.
Please upload quarantine according to Appendix# 3 of rules by red link in your topic.
Please read carefully: http://virusinfo.info/showthread.php?t=9184 and make all 3 logs, as described and do attach them to next post in this topic.(use special avz, don't need update it)

**Irena1809** · 22.03.2009, 15:08

ok , I hope I ll get by.. I ll let u know when I finish
Thanx a lot !

hey , I hope I did this well..

**drongo** · 22.03.2009, 17:21

You did forget upload quarantine.

Код:

Please upload quarantine according to Appendix# 3 of rules by red link in your topic.

use link: http://virusinfo.info/upload_virus_eng.php?tid=42216
No quarantine, no help.

**Irena1809** · 22.03.2009, 18:46

oh ok .. please tell me how to upload quarantine?

I dont get this part : Enter the list of files which were asked to send in the top window
which is that part ?

Upload result
File saved as 090322_184539_virus_49c65d233f140.zip
File size 1260798
MD5 ef360403e0cae74b3eabac255c55d399

File uploaded, thank you!

is that it ?

**Rene-gad** · 22.03.2009, 19:14

Please execute this script in avz( how-to: http://virusinfo.info/showthread.php?t=9207) (Do remember before execution scripts to exit antivirus and disconnect from internet, disable System Restore )

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 StopService('fsssvc');
QuarantineFile('C:\Program Files\Windows Live\Family Safety\fsssvc.exe','');
 QuarantineFile('C:\Program Files\Common Files\Windows Live\.cache\2a2686e81c99515\fssclient_x86.msi','');
 QuarantineFile('C:\WINDOWS\Installer\382bbf.msi','');
 DeleteService('Bonjour Service');
 DeleteFile('%programfiles%\bonjour\mdnsresponder.exe');
 DeleteFile('%programfiles%\bonjour\mdnsNSP.dll');
 DeleteFile('C:\WINDOWS\Installer\382bbf.msi');
 DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\2a2686e81c99515\fssclient_x86.msi');
 DeleteFile('C:\Program Files\Windows Live\Family Safety\fsssvc.exe');
 DeleteService('fsssvc');
BC_DeleteSvc('fsssvc');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(false);
RebootWindows(true);
end.

System will reboot.
Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
Please upload quarantine according to Appendix# 3 of rules by red link in your topic.
Please read carefully: http://virusinfo.info/showthread.php?t=9184 and make all 3 logs, as described and do attach them to next post in this topic.(use special avz, don't need update it)

**Irena1809** · 22.03.2009, 20:10

here u go ser , I m gonna upload quarantine file on that link that u gave me on previous msg

Upload result
File saved as 090322_201422_virus_49c671ee5b577.zip
File size 5396306
MD5 0a21a4ee77c44684d4d224488c4dfd0d

File uploaded, thank you!

**drongo** · 23.03.2009, 01:11

Almost

Fix this in hijack this:

Код:

O4 - HKLM\..\Run: [PremierOpinion] C:\Program Files\PremierOpinion\pmropn.exe -boot
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing

then, execute this script in avz:

Код:

begin
Clearquarantine; 
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe','');
 QuarantineFile('C:\Program Files\Common Files\Windows Live\.cache\301ddec01c9847c\fssclient_x86.msi','');
 QuarantineFile('C:\Program Files\PremierOpinion\pmropn.exe','');
 DeleteFile('C:\Program Files\PremierOpinion\pmropn.exe');
 DeleteFile('c:\docume~1\boy200~1\applic~1\intern~1\manager ooze media.exe');
 DeleteFile('C:\Program Files\Common Files\Windows Live\.cache\301ddec01c9847c\fssclient_x86.msi');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Again, a new quarantine upload by red link only.
Make new logs

Код:

 virusinfo_syscure.zip
	virusinfo_syscheck.zip 
	hijackthis.log

**Irena1809** · 23.03.2009, 02:13

cool

wait , i didnt read ur note about fixing that in hijack .. I ll do the hijackk again

Добавлено через 4 минуты

can u explain how can I fix things in hijack ?

Добавлено через 8 минут

hey I m sorry cause I m far from professional but I can find only that boujour ..

2nd hijack

**Rene-gad** · 23.03.2009, 12:10

How to fix: http://virusinfo.info/showthread.php?t=9206

**Irena1809** · 23.03.2009, 15:34

ok, i fixed that bounjour thing , but I can find the first one - O4 - HKLM\..\Run: [PremierOpinion] C:\Program Files\PremierOpinion\pmropn.exe -boot

Добавлено через 2 минуты

sorry , I CANT *

**drongo** · 23.03.2009, 17:07

It is ok, if you can't find this line- it is gone

I don't see any sign of infection anymore. But it is very important to update or uninstall your acrobat reader. You can be infected trough this application, cause it quiet popular and have well documented exploits

**Irena1809** · 23.03.2009, 18:44

woow really ? THanx soooo much !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

))))))
one more question : when I open internet explorer every time WINDOWS INSTALLER turns on.. what should I do ?

Добавлено через 44 секунды

or microsofr office xp professional with front page installer or some windows installer with kind of network icon turns on ..

Добавлено через 51 минуту

they are asking for some fssclienx_x86.msi and when I wanted to install it , it couldnt cause it says that newer version is in my comp

**drongo** · 23.03.2009, 18:45

About internet explorer - uninstall it and install latest version from official site

Nevertheless, i don't recommend you using internet explorer in internet, because it can't be configured secured and useful in same time, even their latest the 8.0 version can't.
Use firefox + NoScript add-on.

About office xp professional -i don't know, perhaps some update is missing. Sometimes helps to update the windows installer from windows update site

Use an alternative, if such problems persists.
http://www.koffice.org/
http://download.openoffice.org/index.html

**Irena1809** · 24.03.2009, 00:42

regards from firefox

Im on mozilla and its great !
all my problems fixed !!

) thanx a lottttttt !!!!!!!!1
love ur lab forum

)))))))))))))))))))))))))

regards from Montenegro

)

Добавлено через 4 часа 30 минут

one more issue and I m gone - i have problem 0x8007007e when I try to sign to my msn .. I guess some DLL file is missing , so how can I figure out which one ?

**drongo** · 24.03.2009, 11:31

remember in firefox to install NoScript https://addons.mozilla.org/en-US/firefox/addon/722, and use it with wisdom

try this instruction: http://www.petri.co.il/wu_problems_8007007e.htm

**Irena1809** · 24.03.2009, 17:23

ok thanx a lot !! thanx !!!!!!!!!!!!!

hey experts :)

Опции темы

hey experts :)

Похожие темы

Cyber-criminals targeting social networks: experts

Ваши права в разделе