# Is My computer infected?

1. ## Is My computer infected?

KIS 2009 stops working, Windows sends an error report to MS. Kaspersky uploads system dump. Restarts. Happening several times an hour.

Regards
Debansu

Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\JM\JMInsIDE.exe','');
QuarantineFile('C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys','');
QuarantineFile('C:\WINDOWS\System32\Drivers\PxHelp20.sys','');
QuarantineFile('C:\WINDOWS\system32\Drivers\NTGDT.SYS','');
QuarantineFile('C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll','');
QuarantineFile('c:\program files\pdfforge toolbar\searchsettings.exe','');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.
After reboot, please execute the following script:
Code:
begin
CreateQurantineArchive('C:\quarantine.zip');
end.
Let us know when you are done.
Does Kaspersky freeze, or is Kaspersky's icon black, or is it something else? Please describe what you mean by "KIS stops working".

P.S. In my opinion, it is better to uninstall asktbar from Add/Remove Programs, along with the pdfforge toolbar.

3. ## Is My computer infected?

2. Removed pdfforge toolbar
3. Couldn't remove asktbar as there was no such programme in the computer.
4. KIS icon goes gray for a few seconds and then comes back on, i.e. becomes red. Then the error message comes onto the screen.

Today the same thing happened after I booted the computer, but it didn't happen after the reboot as per your advice.

Regards

Debansu

4. We have got your files, thanks.
Disable Windows System Restore.
Execute this script:
Code:
begin
DelBHO('{FE063DB9-4EC0-403e-8DD8-394C54984B2C}');
DelBHO('{FE063DB1-4EC0-403e-8DD8-394C54984B2C}');
DelBHO('{9CB65201-89C4-402c-BA80-02D8C59F9B1D}');
DelBHO('{02478D38-C3F9-4EFB-9B51-7695ECA05670}');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(1);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.
Do attach the virusinfo_syscure.zip to your next post in this topic.

5. Thank you drongo,
I ran the script. But unfortunately, being a novice, I was unable to execute the next phase of the operation, i.e. to download what is in your signature etc. etc. If you please elaborate on the same, I will be able to do it, I hope.
Regards
Debansu

6. Originally posted by debansu1952:
If you please elaborate on the same, I will be able to do it, I hope.
Are you really sure that if drongo copies the rules into his post, it would be more understandable for you?
Read and do!!! If that's not possible, please ask one of your friends to help and explain it to you. Otherwise call a PC specialist in your city.

7. ## Is My computer infected?

It was not the rules that baffled me. It was that "special signature" that created the confusion. Not being a computer-savvy one, it took your push to look closely, and now I know I am to download the rapidshare file. Then go on doing whatever has been asked by drongo. I will be able to do it this evening, after I reach home. I'm now answering from my office.
Thanks.
Regards
Debansu

8. Originally posted by debansu1952:
It was that "special signature"
It's not a special signature, but a special polymorphic version of AVZ (special avz @ rapidshare.com), which can be downloaded via the link in drongo's signature.

9. Ewe, I'm to run that one too?

Ok, ok, I'll do it. I had completed the others.

BTW, there is a Generic Win 32 problem being faced while booting the computer. Not always, but once in a while.

Added after 1 hour 40 minutes

I'm uploading two files. One of these, SETUP_U.exe, was put into a trusted zone by Kaspersky. There was another, N.bat, which I couldn't find.
I just thought you should know.

10. And now please repeat the log files with polymorphic AVZ and HijackThis (3 logs)

11. The polymorphic AVZ was run yesterday and the log was uploaded in the file. Anyway, I'm uploading the zip file once again. There is a system info file in the zip file too.

Uploaded file details: File saved as 090424_073017_Sys_info_debansu_49f1324942830.zip
File size 226242
MD5 20565eae3cf9d5ec11ba4bd3b99bb11e

12. Logs should be attached to your post; the quarantine should be sent via the red link.
What exactly don't you understand?

13. Except the two below, I followed your rules.
2. Zipped the log files through my 7z utility. And sent through the wrong uploader.
Sorry.
Regards
Debansu

14. You must attach three log files:
virusinfo_syscure.zip
virusinfo_syscheck.zip
hijackthis.log

no more and no other files

15. ## Is My computer infected?

Log files, attached.

16. Code:
virusinfo_syscure.zip
virusinfo_syscheck.zip
is not
Code:
sys_check.txt
avz_log_25_04._09.txt

17. ## Is My computer infected?

Sys_cure & Sys_info files

18. Switch off:
- Antivirus and, if you have one, Firewall.
- System Restore
- Fix
Code:
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
- Execute the following script
Code:
begin
SetAVZGuardStatus(True);
QuarantineFile('C:\WINDOWS\system32\Drivers\NTGDT.SYS','');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.

After reboot:
- Clean temp folders, browser caches and the Recycle Bin. Use the Windows service tool cleanmgr, or CCleaner, or ClearProg.
- Build a file virus.zip as described in appendix 3 of the rules.
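A triage check for the kind of HijackThis entries quoted above, added here as an example and not code from the thread or from AVZ or HijackThis. It parses R3 URLSearchHook and O2 BHO lines and flags entries whose CLSID the thread tells the user to remove, entries whose registered DLL is missing, and entries with no display name; the sample log is constructed (the two R3 lines come from this thread, the O2 lines and the {11111111-...} CLSID are made up).

```python
import re

# CLSIDs this thread tells the user to remove: the four DelBHO targets from
# the earlier AVZ script and the two R3 URLSearchHook entries quoted above.
THREAD_CLSIDS = {
    "{FE063DB9-4EC0-403E-8DD8-394C54984B2C}",
    "{FE063DB1-4EC0-403E-8DD8-394C54984B2C}",
    "{9CB65201-89C4-402C-BA80-02D8C59F9B1D}",
    "{02478D38-C3F9-4EFB-9B51-7695ECA05670}",
    "{9CB65206-89C4-402C-BA80-02D8C59F9B1D}",
    "{C94E154B-1459-4A47-966B-4B843BEFC7DB}",
}

# HijackThis line shapes: "R3 - URLSearchHook: Name - {CLSID} - path"
# and "O2 - BHO: Name - {CLSID} - path".
LINE_RE = re.compile(
    r"^(?P<kind>R3 - URLSearchHook|O2 - BHO): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)

# Constructed sample log: the two R3 lines from this thread plus two made-up
# O2 BHO lines (one reusing a CLSID from the thread's DelBHO list, one benign).
SAMPLE_LOG = [
    "R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)",
    "R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\\Program Files\\AskSearch\\bin\\DefaultSearch.dll",
    "O2 - BHO: pdfforge Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\\Program Files\\pdfforge Toolbar\\WidgiToolbarIE.dll",
    "O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Example\\helper.dll",
]

def parse_line(line):
    """Split one HijackThis R3/O2 line into kind, name, clsid and path; None otherwise."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["clsid"] = entry["clsid"].upper()  # CLSIDs compare case-insensitively
    return entry

def triage(lines):
    """Return (kind, clsid, reason) for every entry a cleaner would act on."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["clsid"] in THREAD_CLSIDS:
            reasons.append("CLSID is on this thread's removal list")
        if entry["path"].strip().lower() == "(no file)":
            reasons.append("orphaned: registered DLL no longer exists")
        if entry["name"].strip().lower() == "(no name)":
            reasons.append("no display name")
        if reasons:
            findings.append((entry["kind"], entry["clsid"], "; ".join(reasons)))
    return findings
```

Running `triage(SAMPLE_LOG)` flags the two R3 entries and the pdfforge O2 entry and leaves the benign helper alone.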

20. Originally posted by debansu1952: