Is My computer infected?

[debansu1952]

KIS 2009 stops working, Windows sends an error report to MS. Kaspersky uploads system dump. Restarts. Happening several times an hour.

Regards
Debansu

[drongo]

Please execute this script:

Код:

begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
 QuarantineFile('C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll','');
 QuarantineFile('C:\WINDOWS\JM\JMInsIDE.exe','');
 QuarantineFile('C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys','');
 QuarantineFile('C:\WINDOWS\System32\Drivers\PxHelp20.sys','');
 QuarantineFile('C:\WINDOWS\system32\Drivers\NTGDT.SYS','');
 QuarantineFile('C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\c7ktcoqh.default\extensions\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}\components\FFExternalAlert.dll','');
 QuarantineFile('C:\Program Files\pdfforge Toolbar\WidgiToolbarIE.dll','');
 QuarantineFile('c:\program files\pdfforge toolbar\searchsettings.exe','');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.

After reboot, please execute the following script:

Код:

begin
CreateQurantineArchive('C:\quarantine.zip');
end.

- Upload the C:\quarantine.zip over the link Upload quarantined files on the top of this page.
Let us know when you will done.
Kaspersky is freeze or kaspersky's icon is black or something else? Please describe, what do you mean by " kis stops working"

P.s. For my opinion askt bar better uninstall from add/remove programs, along with pdfforge toolbar.

[debansu1952]

1. Uploaded quarantine.zip as requested.
2. Removed pdfforge toolbar
3. Couldn't remove asktbar as there was no such programme in the computer.
4. KIS icon goes gray for a few seconds and then comes back on, i.e. becomes red. Then the error messages comes on to the screen.

Today the same thing happened after I boot the computer, but didn't happen after reboot as per your advise.

Regards

Debansu

[drongo]

We have get your files, thanks.
Disable windows system restore.
Execute this script:

Код:

begin
 DelBHO('{FE063DB9-4EC0-403e-8DD8-394C54984B2C}');
 DelBHO('{FE063DB1-4EC0-403e-8DD8-394C54984B2C}');
 DelBHO('{9CB65201-89C4-402c-BA80-02D8C59F9B1D}');
 DelBHO('{02478D38-C3F9-4EFB-9B51-7695ECA05670}');
 DeleteFile('C:\Program Files\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL');
 DeleteFile('C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(1);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.

Please download in my signature special avz, put it in a new folder, disable kis, disconnect from internet and make a virusinfo_syscure.zip, read how-to in rules http://virusinfo.info/showthread.php?t=9184
Do attach this virusinfo_syscure.zip to next post in this topic.

[debansu1952]

Thank you drongo,
I ran the script. But unfortunately being a novice, was unable to execute the next phase of the operation. i.e. to download in your signature etc. etc. If you please elaborate the same, I will be able to do it, I hope.
Regards
Debansu

[Rene-gad]

If you please elaborate the same, I will be able to do it, I hope.

Are you really sure, if drongo will copy the rules in his post, it would be more understandably for you?
Read and do!!! If it's not possible pls. call somebody from your friends to help and explain it for you. Otherwise call a PC -specialist in your city.

[debansu1952]

Dear Rene-gad,
It was not the rules that baffled me. It was that "special signature" that created the confusion. Not being a computer savvy one, it took your push to look closely and now I know, I am to down load the rapidshare file. Then go on doing whatever has been asked by drongo. I will be able to do it today evening, after I reach home. I'm now answering from my office.
Thanks.
Regards
Debansu

[Rene-gad]

It was that "special signature"

It's not a special signature, but a special polymorph version of AVZ (special avz @ rapidshare.com), which can be downloaded over the link in drongo's signature

[debansu1952]

Ewe, I'm to run that one too?

Ok, ok, I'll do it. I had completed the others.

BTW, there is a Generic Win 32 problem being faced while booting the computer. Not always, but once in a while.

Добавлено через 1 час 40 минут

I'm uploading two files. One of these SETUP_U.exe was put in to a trusted zone by Kaspersky, There was another N.bat which I couldn't find out.
I just thought you shpuld know.

[Rene-gad]

And now please repeat the log files with polymorphic AVZ and Hijackthis (3 logs)

[debansu1952]

The polymorphic AVZ was run yesterday and the log was uploaded in the file. Any way I'm uploading the zip file once again. There is a system info file too in the zip file.

Uploaded file details: File saved as 090424_073017_Sys_info_debansu_49f1324942830.zip
File size 226242
MD5 20565eae3cf9d5ec11ba4bd3b99bb11e

[drongo]

Logs should be attached into your post, quarantine should be send by red link.
What exactly you don't understand?

[debansu1952]

Except the two below, I followed your rules.
1. Didn't quarantine as advised.
2. Zipped the log files through my 7z utility. And sent through the wrong uploader.
Sorry.
Regards
Debansu

[Rene-gad]

You must attach three log files:
virusinfo_syscure.zip
virusinfo_syscheck.zip
hijackthis.log
neither more no other files

[debansu1952]

Log files, attached.

[drongo]

Код:

virusinfo_syscure.zip
virusinfo_syscheck.zip

is not

Код:

sys_check.txt 
avz_log_25_04._09.txt

[debansu1952]

Sys_cure & Sys_info files

[Rene-gad]

Switch off:
- Antivirus and and, if you have - Firewall.
- System Restore
-Fix

Код:

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll

- Execute following script

Код:

begin
SetAVZGuardStatus(True);
 QuarantineFile('C:\WINDOWS\system32\Drivers\NTGDT.SYS','');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.

After reboot:
- Clean Temp-Maps, Cache of Browsers, Recycler. Use Windows service tool cleanmgr or CCleaner or ClearProg
- Build a file virus.zip as described in appendix 3 of the rules.
- Upload the over the link Upload quarantined files on the top of this page.

[debansu1952]

Virus.Zip uploaded

[Rene-gad]

Virus.Zip uploaded

but not here: http://virusinfo.info/upload_virus_eng.php?tid=44152