I can only work in safe mode. Here is my log.
I hope I did this right.
Hello.
Execute the script:

Code:
begin
  QuarantineFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll','');
  QuarantineFile('C:\WINDOWS\system32\nubipana.dll','');
  QuarantineFile('c:\windows\system32\wefojuho.dll','');
  QuarantineFile('C:\WINDOWS\system32\olhcwe80w.dll','');
  QuarantineFile('C:\Documents and Settings\Compaq_Administrator\Application Data\svcst.exe','');
  QuarantineFile('C:\WINDOWS\\SystemRoot\\SystemRoot\system32\DRIVERS\sr.sys','');
  QuarantineFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys','');
  QuarantineFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys','');
  QuarantineFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll','');
  QuarantineFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll','');
  DeleteFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll');
  BC_DeleteFile('C:\WINDOWS\system32\gasfkywqgkvdkx.dll');
  DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
  BC_DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
  DeleteFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys');
  BC_DeleteFile('C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\jswmidin.sys');
  DeleteFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys');
  BC_DeleteFile('C:\WINDOWS\system32\drivers\rgchrqnltjyyc.sys');
  DeleteFile('C:\Documents and Settings\Compaq_Administrator\Application Data\svcst.exe');
  BC_DeleteFile('C:\Documents and Settings\Compaq_Administrator\Application Data\svcst.exe');
  DeleteFile('C:\WINDOWS\system32\olhcwe80w.dll');
  BC_DeleteFile('C:\WINDOWS\system32\olhcwe80w.dll');
  DeleteFile('c:\windows\system32\wefojuho.dll');
  BC_DeleteFile('c:\windows\system32\wefojuho.dll');
  DeleteFile('C:\WINDOWS\system32\nubipana.dll');
  BC_DeleteFile('C:\WINDOWS\system32\nubipana.dll');
  DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll');
  BC_DeleteFile('C:\Program Files\AskBarDis\bar\bin\askBar.dll');
  DeleteService('jswmidin');
  DeleteService('lfzekafgucza');
  BC_DeleteSvc('jswmidin');
  BC_DeleteSvc('lfzekafgucza');
  DelBHO('{3041d03e-fd4b-44e0-b742-2d9b88305f98}');
  BC_ImportquarantineList;
  BC_Activate;
  ExecuteSysClean;
end.

After the restart, try to start in normal mode. If the system starts, upload the quarantine via the link http://virusinfo.info/upload_virus_eng.php?tid=55823 , as described in app. 3 of the rules, and make new logs (better make all 3 logs, as described in the rules). If the system doesn't start, make the same logs in safe mode.
I am not sure which files you want sent via "upload quarantine"... can you help? Thanks.
After the first script, just execute the second one:

Code:
begin
  createqurantinearchive('c:\quarantine.zip');
end.

After this script has executed, the file c:\quarantine.zip will be created. Upload it via the link http://virusinfo.info/upload_virus_eng.php?tid=55823
Now I am trying to attach the files for the logs. I cannot find this "Healing/Quarantine and Advanced System Analysis".
I have been able to do the other two scans...
Hello again.
I'm sorry, but the logs you've attached are not quite the logs I expected to see. The HijackThis log is OK, but you've missed AVZ's logs. Look into the "Log" sub-folder in AVZ's folder. There should be two archives there: virusinfo_syscure.zip and virusinfo_syscheck.zip. Those are the logs I expected to see; just attach them to your post here.
The other one I cannot do, because there is no link for "Healing/Quarantine and Advanced System Analysis" in the AVZ.
Anyway, I think I have the right one now.
1. You should update the AVZ bases (File/Database Update). Your log says:
Attention !!! Database was last updated 8/21/2009 it is necessary to update the database (via File - Database update)
2. Execute the script in AVZ:

Code:
begin
  ExecuteRepair(13);
  SetAVZPMStatus(True);
  RebootWindows(true);
end.

3. Attach a new virusinfo_syscheck.zip.
The heart decides whom to love... Fate decides whom to be with...
I think I did the last one wrong.
1. Please disable System Restore and your antivirus (if you have one).
2. Execute the script in AVZ:

Code:
begin
  SearchRootkit(true, true);
  SetAVZGuardStatus(True);
  DeleteFile('\\?\globalroot\systemroot\system32\gasfkywqgkvdkx.dll');
  DeleteFile('\systemroot\system32\drivers\gasfkymrmneltp.sys');
  BC_ImportDeletedList;
  ExecuteSysClean;
  ExecuteRepair(13);
  BC_Activate;
  RebootWindows(true);
end.

3. Fix with HijackThis:
O2 - BHO: (no name) - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\olhcwe80w.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\olhcwe80w.dll (file missing)
O20 - AppInit_DLLs: nubipana.dll
O21 - SSODL: putefezad - {92837540-9f4f-4132-932d-ff7214f5b733} - (no file)
4. Attach a new virusinfo_syscheck.zip.
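The HijackThis entries the helper picked out above share a few tell-tales: a BHO or SSODL object whose CLSID is still registered but whose DLL is gone ("(no file)", "(file missing)"), an object with no display name or with a bare DLL path where a product name should be, and any value at all in AppInit_DLLs. The Python below is an added example, not part of this thread and not code from HijackThis or AVZ; it applies those rules to O2/O20/O21 lines and returns the list to tick in the HijackThis fix dialog. The sample log is constructed from the five lines quoted in the post plus one made-up healthy entry ("Example Helper", with a placeholder CLSID and path) so the filter has something to leave alone.

```python
import re

# Constructed sample log: the five entries the helper told the user to fix,
# plus one invented healthy BHO line (placeholder CLSID and path).
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {0ED403E8-470A-4a8a-85A4-D7688CFE39A3} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\olhcwe80w.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\olhcwe80w.dll (file missing)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O20 - AppInit_DLLs: nubipana.dll
O21 - SSODL: putefezad - {92837540-9f4f-4132-932d-ff7214f5b733} - (no file)
"""

CLSID = r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}"

# O2 (Browser Helper Object) and O21 (ShellServiceObjectDelayLoad) lines share
# one shape: <item>: <display name> - <CLSID> - <path or "(no file)">
COM_ENTRY = re.compile(
    r"^(?P<item>O2 - BHO|O21 - SSODL): (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"
)
# O20: the AppInit_DLLs registry value, normally empty on a home machine.
APPINIT = re.compile(r"^(?P<item>O20 - AppInit_DLLs): ?(?P<value>.*)$")


def triage(log_text):
    """Return [(line, [reasons])] for every entry that belongs on the fix list."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        m = COM_ENTRY.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if path == "(no file)" or path.endswith("(file missing)"):
                # The CLSID is still registered but the DLL is gone: an orphan,
                # which is exactly what a partial removal leaves behind.
                reasons.append("registered object whose DLL no longer exists")
            if name == "(no name)":
                reasons.append("object registered without a display name")
            elif name.lower().endswith(".dll"):
                reasons.append("display name is a bare DLL path rather than a product name")
        else:
            m = APPINIT.match(line)
            if m and m.group("value").strip():
                # Every DLL listed here is loaded into each process that maps
                # user32.dll, so a non-empty value always deserves a look.
                reasons.append("AppInit_DLLs is set: listed DLL is injected into every GUI process")
        if reasons:
            findings.append((line, reasons))
    return findings


def fix_list(log_text):
    """The raw log lines to tick in HijackThis, in log order."""
    return [line for line, _ in triage(log_text)]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT_LOG):
        print(line)
        for r in reasons:
            print("    -", r)
```

To use it on a real log, read the saved HijackThis text file and pass it to triage(). The rules are a triage aid, not a verdict: an entry whose file is missing does nothing on its own, but it is the residue that the AVZ and GMER deletions above leave behind, and HijackThis can remove the registry side of it.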
in the properties area of My Computer. If I try to go into System Restore it tells me that it cannot protect my computer and to reboot and open it again. I have rebooted and it is not helping. Any ideas?
Skip this item.
I tried to disable my AVG anti-virus but could only disable the Resident Shield; otherwise I think I would have had to uninstall the whole thing.
I hope I did it right.
Thanks again,
Lisa
1. Close all open documents, as this will reboot your PC.
2. Double-click gmer.exe to launch GMER. If it warns you about rootkit activity and asks if you want to run a scan, click No/Cancel.
3. Click on the >>> tab. This will open up the rest of the tabs for you.
4. Click on the CMD tab. Make sure CMD.EXE is selected.
5. Now highlight the contents of the codebox below and copy it to the clipboard by pressing Ctrl+C.
6. Paste the contents into the top black box in GMER by using Ctrl+V.

Code:
gmer.exe -killall
gmer.exe -del service gasfkyuknoxflj
gmer.exe -del file "c:\windows\system32\drivers\gasfkymrmneltp.sys"
gmer.exe -del file "c:\windows\system32\gasfkyhwvxkegq.dll"
gmer.exe -del file "c:\windows\system32\gasfkyitmpnyoa.dat"
gmer.exe -del file "c:\windows\system32\gasfkypipmkorx.dll"
gmer.exe -del file "c:\windows\system32\gasfkytdbsdqlr.dat"
gmer.exe -del file "c:\windows\system32\gasfkywqgkvdkx.dll"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet001\Services\gasfkyuknoxflj"
gmer.exe -del reg "HKLM\SYSTEM\ControlSet002\Services\gasfkyuknoxflj"
gmer.exe -del reg "HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuknoxflj"
gmer.exe -reboot

7. Click Run; the script will run and then your PC will be rebooted.
8. After the reboot, rerun GMER and attach the new log file.
9. Execute the script in AVZ:

Code:
begin
  ClearHostsFile;
  DeleteFile('D:\autorun.inf');
  ExecuteSysClean;
  ExecuteWizard('TSW', 3, 3, true);
  RebootWindows(true);
end.

10. Attach a new virusinfo_syscheck.zip.
After running GMER I had to reboot manually.
It would not let me upload the AVZ file; it said I had already uploaded it?
1. Edit the hosts file and save it.
This is the original hosts file: C:\windows\system32\drivers\etc\hosts
Attention: this file has no extension!

Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

2. Execute the script in AVZ:

Code:
begin
  DeleteFile('D:\autorun.inf');
  ExecuteSysClean;
  ExecuteWizard('TSW', 3, 3, true);
  RebootWindows(true);
end.

3. Attach a new virusinfo_syscheck.zip.
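The ClearHostsFile call in the earlier AVZ script and the manual restore in this post undo the same thing: extra mappings in C:\windows\system32\drivers\etc\hosts that pin a name to an address, or to 127.0.0.1, which blackholes it so that, for instance, an antivirus update site can never be reached. The Python below is an added example, not part of the thread and not AVZ's code; it parses a hosts file, reports every active mapping that is not the stock "127.0.0.1 localhost" line, and produces a cleaned copy with the comments preserved. The sample file is constructed: the Microsoft header from the post plus two hijack-style lines using .test names and a TEST-NET address.

```python
import ipaddress

# The only mapping the stock Windows hosts file quoted in the thread carries;
# any other line that resolves is an override someone added.
DEFAULT_MAPPINGS = {("127.0.0.1", "localhost")}

# Constructed sample, not taken from the user's machine: the Microsoft header,
# the default entry, and two lines of the kind a hijacker appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       update.example-av.test          # constructed: vendor update site blackholed
192.0.2.10      www.example-bank.test           # constructed: name pinned to an attacker's host
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every active mapping; comments and blanks are skipped."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue  # an address with no name resolves nothing
        ip = fields[0]
        for name in fields[1:]:
            yield lineno, ip, name.lower()


def audit_hosts(text):
    """Return [(line_number, ip, hostname, reason)] for every mapping that is not the stock default."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_MAPPINGS:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, name, "malformed address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            reason = "blackholed: name resolves to this machine, so the real site is unreachable"
        else:
            reason = "redirected: name pinned to %s, bypassing DNS" % ip
        findings.append((lineno, ip, name, reason))
    return findings


def clean_hosts(text):
    """Return the file with every non-default mapping dropped; comment and blank lines survive."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        if not body:
            kept.append(raw)
            continue
        fields = body.split()
        mappings = {(fields[0], n.lower()) for n in fields[1:]}
        if mappings and mappings <= DEFAULT_MAPPINGS:
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s: %s" % (lineno, name, ip, reason))
    print(clean_hosts(SAMPLE_HOSTS))
```

Run audit_hosts() on the real file before and after the fix: the first run shows what the hijack redirected, and an empty result after the rewrite confirms the restore took. Writing the cleaned text back requires administrator rights, and any antivirus hosts-file protection still enabled (AVG's Resident Shield, in this thread) may block the write.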