Packed.Generic.200 disabled AntiMalware

Compaq DESKTOP
May 14, 2009 at 22:26:08
Specs: Windows XP
My WinXP system caught the Packed.Generic.200 bug. Since Symantec/Norton couldn't help me for less than $99 and their software couldn't remove the darn thing, here I am.

I followed the steps you've outlined to other computer users with this virus. When I downloaded and installed Malwarebytes' AntiMalware, it wouldn't run. I renamed all of the .exe files and it still will not run.

What do I do now?

Joyce




#1
May 15, 2009 at 05:25:05
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE(http://www.z-oleg.com/avz4.zip). Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.



#2
May 15, 2009 at 05:26:56
When I got up this morning and tried to use my computer, I found that nothing is clickable. The mouse moves around but I cannot click-to-open anything.

Next step? (I'm using my office computer to reply here)

Joyce



#3
May 15, 2009 at 05:32:17
Boot in Safe Mode and perform the above steps.


#4
May 18, 2009 at 06:11:51
The infected computer will not allow me to access the internet. I get the "Internet Explorer cannot display the webpage" error.

Can I save the zip file to a thumb drive and move it to the infected computer that way?



#5
May 18, 2009 at 06:13:55
Yes you can.


#6
May 20, 2009 at 08:56:35
http://rapidshare.com/files/2352439...
MD5: D4777DBAEE81432C25CB713290E31325


#7
May 20, 2009 at 10:58:57
Run this script in AVZ the same way as before, and your PC will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
RegKeyDel('HKLM','SOFTWARE\Microsoft\Code Store Database\Distribution Units\{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}');
QuarantineFile('C:\WINDOWS\Downloaded Program Files\popcaploader.dll','');
DelBHO('{C2BA40A1-74F3-42BD-F434-12345A2C8953}');
QuarantineFile('NA.exe','');
QuarantineFile('GTGina.dll','');
QuarantineFile('C:\WINDOWS\system32\sdra64.exe','');
QuarantineFile('c:\windows\pp07.exe','');
QuarantineFile('c:\windows\ld08.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\98000926\98000926.exe','');
QuarantineFile('C:\Documents and Settings\All Users\Application Data\17990934\17990934.exe','');
QuarantineFile('C:\WINDOWS\system32\config\systemprofile\reader_s.exe','');
TerminateProcessByName('C:\WINDOWS\system32\config\systemprofile\reader_s.exe');
QuarantineFile('C:\WINDOWS\system32\SYS32DLL.exe','');
QuarantineFile('C:\WINDOWS\TEMP\ksr5vna.exe','');
QuarantineFile('C:\RECYCLER\S-1-5-21-5919743261-8719704671-988344186-1398\service.exe','');
QuarantineFile('C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe','');
QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F20879C2.exe','');
QuarantineFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\169860710.exe','');
QuarantineFile('\\?\globalroot\systemroot\system32\UACxylpfovhbewdyft.dll','');
QuarantineFile('C:\WINDOWS\system32\jkshfuiehi.dll','');
TerminateProcessByName('C:\WINDOWS\system32\__c00BD990.dat');
QuarantineFile('C:\WINDOWS\system32\__c00BD990.dat','');
DeleteFile('C:\WINDOWS\system32\__c00BD990.dat');
DeleteFile('C:\WINDOWS\system32\jkshfuiehi.dll');
DeleteFile('\\?\globalroot\systemroot\system32\UACxylpfovhbewdyft.dll');
DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\169860710.exe');
DeleteFile('C:\DOCUME~1\Owner\LOCALS~1\Temp\_A00F20879C2.exe');
DeleteFile('C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe');
DeleteFile('C:\RECYCLER\S-1-5-21-5919743261-8719704671-988344186-1398\service.exe');
DeleteFile('C:\WINDOWS\TEMP\ksr5vna.exe');
DeleteFile('C:\WINDOWS\system32\SYS32DLL.exe');
DeleteFile('C:\WINDOWS\system32\config\systemprofile\reader_s.exe');
DeleteFile('C:\Documents and Settings\All Users\Application Data\17990934\17990934.exe');
DeleteFile('C:\Documents and Settings\All Users\Application Data\98000926\98000926.exe');
DeleteFile('c:\windows\ld08.exe');
DeleteFile('c:\windows\pp07.exe');
DeleteFile('C:\WINDOWS\system32\sdra64.exe');
DeleteFile('GTGina.dll');
DeleteFile('NA.exe');
DeleteFile('C:\WINDOWS\Downloaded Program Files\popcaploader.dll');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
ExecuteRepair(13);
RebootWindows(true);
end.

After your computer reboots follow these directions:
Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.


#8
May 20, 2009 at 11:46:35
1) Is there a chance that I could infect my 2nd computer by using the thumb drive to move these log files back and forth?

2) I can't get to the internet on the infected computer. How am I supposed to do the steps related to the bleepingcomputer site?



#9
May 20, 2009 at 11:51:15
If you do the first AVZ part you should be able to access the internet. Did you do the first part? Yes, there is a chance; make sure you scan your drive when dealing with an infected PC.


#10
May 20, 2009 at 18:56:30
Okay, this is not going well. I cannot connect to the internet on the infected computer, so I downloaded ComboFix to a thumb drive but noticed that it acquired some data from this computer, during the download.

When I ran ComboFix on the infected computer, I received an error message that stated, "Alert - It is NOT SAFE to continue!" and also stated the ComboFix file may be compromised and the computer may be infected with a file patching virus (Virut). I thought the error may be the result of downloading the program on my non-infected computer.

What can I possibly do now? Can we use HijackThis or something that doesn't require me to connect directly to the internet?



#11
May 20, 2009 at 19:12:28
"I thought the error may be the result of downloading the program on my non-infected computer."

That is not true.

Download a new copy of ComboFix, transfer it over in Safe Mode on the infected machine and try to run it. Let me know if you get the same error, and if you get the same error in Safe Mode, redo Response Number 1 and post the new log.


#12
May 20, 2009 at 19:27:18
I ran ComboFix in Safe Mode. The computer is barely usable otherwise. The virus(es) have completely taken it over.


#13
May 20, 2009 at 19:32:46
Please read the ComboFix part of Response Number 7 carefully.


#14
May 20, 2009 at 19:42:13
http://rapidshare.com/files/2354332...
MD5: 0ADAB68D2078515CF0B408D0DBF2026F


#15
May 20, 2009 at 19:45:09
Attach a Combofix log, please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before saving it to the Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.


#16
May 20, 2009 at 20:19:27
Now, you are confusing me. This is what you wrote:

"if you get the same error in safe mode redo Response Number 1 and post the new log"

So I did that and posted the AVZ log, per your first response, because I get an error when I try to run ComboFix in safe mode on the infected computer.



#17
May 20, 2009 at 20:41:19
Ah, I see now; you confused me with this: "I ran ComboFix in Safe Mode. The computer is barely usable otherwise. The virus(es) have completely taken it over." Please follow the numbered steps in order.

1) Execute this script in AVZ:

begin
ExecuteRepair(1);
ExecuteRepair(5);
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
ExecuteRepair(10);
SetAVZPMStatus(True);
rebootwindows(true);
end.

2) Your PC will reboot. After it reboots, redo Response Number 1 and re-post the new log.

3) Download and run Kaspersky AVP tool:

http://devbuilds.kaspersky-labs.com...

Once you download and start the tool, select all the objects/places to be scanned and hit Scan. Fix what it detects, and at the end of the scan post a screenshot/log of the detected items that were fixed and those it could not fix.

Note: this looks like a serious infection.


#18
May 20, 2009 at 21:31:39
Also, can you please upload C:\WINDOWS\system32\Drivers\NDIS.sys to rapidshare and private message me its link.


#19
May 21, 2009 at 19:17:10
The Forum isn't allowing my Kaspersky log to post. I think it may be too big at 319KB.

I uploaded it to RapidShare, instead:

http://rapidshare.com/files/2358056...
MD5: B7772598948A4827486BCADD658CF123



#20
May 21, 2009 at 19:21:34
Delete the old version of ComboFix and try to redo Response Number 15 (re-download ComboFix).


#21
May 21, 2009 at 19:47:50
I deleted the old ComboFix and downloaded a new one to my thumb drive. I double-clicked it on my infected computer and received the same error that came up before, stating, "Alert - It is NOT SAFE to continue!" and that my computer "may be infected with a file patching virus (Virut)."


#22
May 21, 2009 at 20:04:43
Virus.Win32.Virut.ce might have spread to your other computer as well. Please read http://www.symantec.com/security_re... carefully and follow the directions. The other way to get rid of the virus is an antivirus boot disk: ftp://ftp.kaspersky.com/devbuilds/RescueDisk/ Make sure you burn the boot disk from a clean PC. You can also try Dr.Web's CureIt: http://www.freedrweb.com/download+c...
Note: Run any scanner you choose twice to make sure the infection is gone.

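The thread's recurring problem is trust in the cleanup tool itself: ComboFix refuses to run because it detects that its own file may have been patched by a file infector, and every upload in the thread is labelled with an MD5 so the other side can confirm it received the same bytes. The check behind both is the same: hash the file and compare against a digest recorded from a known-clean copy. The following Python is an added example written for this page; it is not code from the thread, from ComboFix, AVZ or any vendor, and the sample "tool" bytes and the one-byte patch are constructed to simulate a file-infector modification. It uses only the standard library and assumes the reference digest was taken from a clean copy (for instance the copy on the uninfected PC before it went onto the thumb drive).

```python
"""Verify a transferred tool against a known-good digest before running it.

Added example for this page, not the thread's own code or any vendor's.
Assumes a reference digest recorded from a clean copy of the file.
"""
import hashlib
import hmac
import os
import tempfile

READ_CHUNK = 1 << 20  # hash 1 MiB at a time so large files never sit in memory whole


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Lowercase hex digest of an in-memory byte string."""
    return hashlib.new(algo, data).hexdigest()


def file_digest(path: str, algo: str = "sha256") -> str:
    """Lowercase hex digest of a file, read in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(READ_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: str, expected: str, algo: str = "sha256") -> bool:
    """True only if the file's digest equals `expected`.

    `expected` may be upper or lower case (the thread quotes MD5 values in
    upper case); comparison is done with hmac.compare_digest so the result
    does not depend on where the strings first differ.
    """
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected.strip().lower())


def demo() -> dict:
    """Write a constructed sample 'tool', record its digest, then simulate a
    file-patching infection and show that verification now fails."""
    with tempfile.TemporaryDirectory() as tmp:
        # Renamed copy, as the thread advises (123.exe); contents are constructed.
        tool = os.path.join(tmp, "123.exe")
        with open(tool, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed sample tool body")

        reference = file_digest(tool)            # digest of the known-clean copy
        clean_ok = verify_file(tool, reference)  # expected: True
        upper_ok = verify_file(tool, reference.upper())  # case-insensitive: True

        # Simulate a file infector overwriting a single byte in place.
        with open(tool, "r+b") as f:
            f.seek(8)
            f.write(b"\x01")
        patched_ok = verify_file(tool, reference)  # expected: False

        return {
            "reference": reference,
            "clean_ok": clean_ok,
            "upper_ok": upper_ok,
            "patched_ok": patched_ok,
        }


if __name__ == "__main__":
    result = demo()
    print("clean copy verifies:  ", result["clean_ok"])
    print("patched copy verifies:", result["patched_ok"])
```

The practical use is the thumb-drive workflow in this thread: record the digest of the tool on the clean machine, carry both the file and the digest over, and refuse to run the tool on the infected machine when `verify_file` returns False. A mismatch after the file has merely sat on the infected PC is exactly the signal ComboFix is reacting to.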

#23
May 22, 2009 at 09:24:37
I followed Symantec's instructions and this computer does not have a virus.

Next? :-)



#24
May 22, 2009 at 09:26:43
Follow Response Number 20.


#25
May 23, 2009 at 18:54:14
I deleted the old ComboFix from my thumb drive and downloaded it, renaming it, on the thumb drive. I tried to open the app in safe mode on the infected computer and am still getting the "Alert - It is NOT SAFE to continue!" warning.

I have scanned my 2nd computer and it is clean. This is the computer I'm using to download ComboFix.



#26
May 23, 2009 at 19:00:10
What did you scan your PC with? Rerun Response Number 17 Part 3 (AVP tool) on both PCs; change the setting from Recommended to High before scanning. Post the scan log at the end.

Note: Make sure you uninstall the old version and download the AVP tool again.


#27
May 23, 2009 at 19:09:30
See Response #22. I followed Symantec's instructions.

I will have to run the Kaspersky scan when I have time. The last scan on the infected PC took 10 hours.



#28
May 23, 2009 at 19:19:58
The best way is to boot from CD: ftp://ftp.kaspersky.com/devbuilds/RescueDisk/kav_rescue_2008.iso and clean the infection. That way Virut can't infect the programs that are meant to clean it.
