GeekPolice

System Security hijacked my PC

Page 1 of 2

Solved System Security hijacked my PC

Post by LordZet on Wed Aug 26, 2009 4:17 pm

I can't access anything. Only Internet Explorer works. It won't let me use my Task Manager, Firefox, or any other program besides IE.

I can't go into Safe Mode; it won't let me, it just gives me a BSOD if I do.

I'm screwed aren't I :/

LordZet (Intermediate), Posts: 100, Joined: 2009-08-26, OS: XP

Post by Safan on Wed Aug 26, 2009 5:02 pm

Hello,

Please follow these instructions to try and remove System Security
[You must be registered and logged in to see this link.]

If this does not work please follow these instructions and post the log in this thread.
[You must be registered and logged in to see this link.]

If there are problems please post back stating what it is and The GeekPolice staff will try to help you as soon as possible.

Thank you,
Safan

Safan (Master), Posts: 3292, Joined: 2008-03-03, OS: Windows 7 x64

Post by LordZet on Wed Aug 26, 2009 11:19 pm

What part of "I can't open anything" can you not understand? I can't install anything, I can't open any programs. I tried that guide, got MBAM to run, but the virus BSOD'd my PC 30 minutes into the scan.


Post by LordZet on Sun Aug 30, 2009 11:58 pm

I guess I should bump


Post by Belahzur on Mon Aug 31, 2009 1:42 am

Hello.
Not even the renamed version of HijackThis works?

Please download SilentRunners from here:
[You must be registered and logged in to see this link.]
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.

Belahzur (Administrator), Posts: 34916, Joined: 2008-08-03, OS: XP SP3 Media Centre

Post by LordZet on Wed Sep 02, 2009 10:50 pm

Sorry for the late reply, my power has been shut off till tonight (I'm at school). I'll get to it tonight.

And yes, I renamed HJT to funny.xyz and it still wouldn't open. I can't reformat due to not having a CD, and can't back up my data. I had backups from July but someone lost them.

And we didn't find out till it was too late :/


Post by Belahzur on Wed Sep 02, 2009 11:55 pm

Okay, can you still try SilentRunners for me?


Post by LordZet on Thu Sep 03, 2009 3:36 pm

It won't unzip... wonderful. WinRAR won't open either.


Post by Belahzur on Thu Sep 03, 2009 10:17 pm

Hello.
Try this version of HijackThis, no longer an .exe file.
[You must be registered and logged in to see this link.]


Post by LordZet on Fri Sep 04, 2009 5:23 pm

Yeah didn't work.


Post by LordZet on Fri Sep 04, 2009 5:36 pm

Okay, the bastard just installed an icon on my desktop, and I found out where it was located and moved it to a new folder...


Post by LordZet on Fri Sep 04, 2009 5:44 pm

GOOD NEWS, I got it to work. Somehow it installed itself on my PC, and I found where it was installed and moved it to a new location.

I regained control over my PC.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:35:43 PM, on 9/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe logon.exe
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem.com
O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [13420934] C:\Documents and Settings\All Users\Application Data\13420934\13420934.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7484 bytes


Post by Belahzur on Fri Sep 04, 2009 9:38 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: Shell=Explorer.exe logon.exe
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 94.232.248.66 antivirsystem.com
    O1 - Hosts: 94.232.248.66 [You must be registered and logged in to see this link.]
    O4 - HKLM\..\Run: [13420934] C:\Documents and Settings\All Users\Application Data\13420934\13420934.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Post by LordZet on Tue Sep 08, 2009 4:19 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:54 PM, on 9/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\iqflnq\ygsmsysguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.221 awareremover.microsoft.com
O1 - Hosts: 91.212.127.221 awareremover.com
O1 - Hosts: 91.212.127.221 [You must be registered and logged in to see this link.]
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BHO - {12BC3DAB-D768-4f05-88A5-FCC9099F5A0F} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7728 bytes

I managed to remove the virus...and then my brother reinfects me.


Post by Belahzur on Tue Sep 08, 2009 2:04 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.127.221 awareremover.microsoft.com
    O1 - Hosts: 91.212.127.221 awareremover.com
    O1 - Hosts: 91.212.127.221 [You must be registered and logged in to see this link.]
    O2 - BHO: BHO - {12BC3DAB-D768-4f05-88A5-FCC9099F5A0F} - C:\WINDOWS\system32\iehelper.dll
    O4 - HKLM\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe
    O4 - HKCU\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

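The two fix lists above (Belahzur's posts of Sep 04 and Sep 08) single out the same four kinds of HijackThis entry: a Winlogon Shell value with something appended after Explorer.exe, hosts-file lines that send a domain to a non-loopback address, a BHO with no descriptive name, and Run values whose label or folder is a random string. The script below is an added example written for this page, not code from the thread or from HijackThis; it encodes those rules and runs them over a constructed sample assembled from lines quoted in the two logs. The section prefixes it parses (F2, O1, O2, O4) are real HJT conventions, but the thresholds, such as treating a 5 to 8 letter lowercase folder directly under Program Files as random-looking, are my own heuristics and will need tuning on other logs.

```python
"""Triage a HijackThis (HJT) log for the indicators called out in this thread.

Added example for this page; not code from the forum or from HijackThis.
The F2/O1/O2/O4 prefixes are real HJT conventions; the rules are my own
heuristics and the sample log is constructed from lines quoted in the thread.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: malicious lines from both HJT logs in the thread plus
# three benign entries, so each rule has a true and a false case.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe logon.exe",
    r"O1 - Hosts: ::1 localhost",
    r"O1 - Hosts: 94.232.248.66 antivirsystem.com",
    r"O1 - Hosts: 91.212.127.221 awareremover.microsoft.com",
    r"O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll",
    r"O2 - BHO: BHO - {12BC3DAB-D768-4f05-88A5-FCC9099F5A0F} - C:\WINDOWS\system32\iehelper.dll",
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O4 - HKLM\..\Run: [13420934] C:\Documents and Settings\All Users\Application Data\13420934\13420934.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [system tool] C:\Program Files\iqflnq\ygsmsysguard.exe",
]

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")
O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# Unquoted paths contain spaces: take the quoted string if present, else up to the first ".exe".
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)
RANDOM_DIR_RE = re.compile(r"^[a-z]{5,8}$")  # heuristic: folders like "iqflnq"


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def command_path(command: str) -> str:
    """Extract the executable path from a Run value's command string."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def check_shell(value: str):
    # Winlogon's Shell value may list several programs; anything after
    # Explorer.exe is started at logon alongside the real shell.
    if value.strip().lower() != "explorer.exe":
        return f"Winlogon Shell is not plain Explorer.exe: {value!r}"
    return None


def check_hosts(ip: str, host: str):
    # Rogue AV rewrites hosts so security sites resolve to its own server;
    # loopback entries (127.0.0.1, ::1) are normal and left alone.
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return f"hosts entry with a non-IP address {ip!r}"
    if not addr.is_loopback:
        return f"hosts file sends {host} to {ip}"
    return None


def check_bho(name: str, dll: str):
    # Legitimate BHOs carry a product name; a bare "BHO" is worth a look.
    if name.strip() in {"", "BHO", "(no name)"}:
        return f"BHO without a descriptive name: {dll}"
    return None


def check_run(label: str, command: str):
    path = command_path(command)
    parts = path.replace("/", "\\").split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    grandparent = parts[-3] if len(parts) >= 3 else ""
    if label.isdigit():
        return f"Run value named with digits only: {path}"
    if parent.isdigit():
        return f"executable lives in a digits-only folder: {path}"
    if grandparent.lower() == "program files" and RANDOM_DIR_RE.match(parent):
        return f"executable in a random-looking Program Files folder: {path}"
    return None


RULES = [
    (F2_RE, lambda m: check_shell(m.group(1))),
    (O1_RE, lambda m: check_hosts(m.group(1), m.group(2))),
    (O2_RE, lambda m: check_bho(m.group(1), m.group(2))),
    (O4_RE, lambda m: check_run(m.group(3), m.group(4))),
]


def triage(lines):
    """Return a Finding for every log line that trips one of the rules."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        for pattern, handler in RULES:
            m = pattern.match(line)
            if m:
                reason = handler(m)
                if reason:
                    findings.append(Finding(line, reason))
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports six lines: the Shell value, the two non-loopback hosts entries, the nameless BHO, and both rogue Run values, while avgnt, ctfmon and the Yahoo toolbar pass. It deliberately leaves "::1 localhost" alone: ipaddress reports it as loopback, so it is harmless, and HijackThis lists it only because the stock XP hosts file carries the IPv4 entry alone. The "(file missing)" AVG entry in the logs is likewise not flagged; it is an orphan from an uninstalled product and belongs to cleanup, not triage.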

Post by LordZet on Tue Sep 08, 2009 2:27 pm

Okay, but also my antivirus Avira won't work. I can update it but yeah. And I still have the remains of that System Security 2009. Just an icon and folder, they don't work, but do you want me to remove them too?


Post by Belahzur on Tue Sep 08, 2009 2:33 pm

Yes, remove the leftovers.
If you can, please run MBAM.


Post by LordZet on Tue Sep 08, 2009 4:17 pm

I'm running MBAM...

A folder called "back ups" appeared on my desktop. I'm assuming it's my backups.


Post by LordZet on Tue Sep 08, 2009 4:25 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2758
Windows 5.1.2600 Service Pack 2

9/8/2009 11:21:00 AM
mbam-log-2009-09-08 (11-21-00).txt

Scan type: Quick Scan
Objects scanned: 107693
Time elapsed: 8 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\lsp.dll (LSP.Hijacker) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lsp.dll (LSP.Hijacker) -> Delete on reboot.
C:\WINDOWS\syssvc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\gap\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Post by LordZet on Tue Sep 08, 2009 4:31 pm

Avira still isn't working.


Post by Belahzur on Tue Sep 08, 2009 7:46 pm

Hello.
We'll look at Avira now, but I want one more scan.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


Post by LordZet on Tue Sep 08, 2009 9:10 pm

DDS (Ver_09-07-30.01) - NTFSx86
Run by gap at 16:05:06.03 on Tue 09/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.552 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\gap\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [Google Update] "c:\documents and settings\gap\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\npjpi160_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
Trusted Zone: windowsupdate.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - [You must be registered and logged in to see this link.]
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gap\applic~1\mozilla\firefox\profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\gap\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: XUL Cache: {7C11F23E-325D-495E-B43D-3D68CCA702E4} - c:\documents and settings\gap\local settings\application data\{7C11F23E-325D-495E-B43D-3D68CCA702E4}
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-28 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 npkycryp;npkycryp;\??\c:\documents and settings\gap\desktop\flow\npkycryp.sys --> c:\documents and settings\gap\desktop\flow\npkycryp.sys [?]
S3 Partizan;Partizan;c:\windows\system32\drivers\partizan.sys --> c:\windows\system32\drivers\Partizan.sys [?]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 XDva076;XDva076;\??\c:\windows\system32\xdva076.sys --> c:\windows\system32\XDva076.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 XDva167;XDva167;\??\c:\docume~1\temp\locals~1\temp\dine3.tmp --> c:\docume~1\temp\locals~1\temp\DINE3.tmp [?]
S3 XDva277;XDva277;\??\c:\windows\system32\xdva277.sys --> c:\windows\system32\XDva277.sys [?]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 185089]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-6-26 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-09-07 23:03 --d----- c:\program files\where im storing the virus
2009-09-04 18:21 -cd----- c:\windows\system32\dllcache\cache
2009-09-04 17:57 230,912 a------- c:\windows\PEV.exe
2009-09-04 17:57 161,792 a------- c:\windows\SWREG.exe
2009-09-04 17:57 98,816 a------- c:\windows\sed.exe
2009-09-04 17:57 --ds---- C:\ComboFix
2009-08-25 19:09 --d----- C:\test
2009-08-25 14:42 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-25 14:41 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll
2009-08-10 16:28 --d----- C:\ultima7
2009-08-10 16:13 --d----- c:\program files\Cobian Backup 8
2009-08-10 16:10 --d----- c:\program files\Cobian Backup 9
2009-08-10 13:30 --d----- c:\program files\Exult

==================== Find3M ====================

2009-09-03 10:28 8,416 a------- c:\windows\system32\drivers\61883.sys
2009-08-05 20:16 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:49 1,285,026,321 a------- C:\MSSetupv73.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2007-02-16 08:54 8,026,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-16 02:52 68,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 16:05:44.71 ===============


Solved Re: System Security hijacked my PC

Post by Belahzur on Wed Sep 09, 2009 12:00 am

Well, I'm glad I asked for another scan; more malware has cropped up.

Please download GooredFix from one of the locations below and save it to your Desktop
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 12:06 am

GooredFix by jpshortstuff (12.07.09)
Log created at 19:01 on 08/09/2009 (gap)
Firefox version 3.0.13 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{7C11F23E-325D-495E-B43D-3D68CCA702E4} -> Success!
Deleting C:\Documents and Settings\gap\Local Settings\Application Data\{7C11F23E-325D-495E-B43D-3D68CCA702E4} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:52 27/07/2005]
{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} [19:41 20/05/2007]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [08:22 15/08/2007]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:08 08/08/2009]

-=E.O.F=-

What exactly did it delete? And you sure it was malware and not a mistake?


Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 12:09 am

Either way... Firefox just sped up to faster than Chrome. What the hell did you do? You just made my Firefox ultra fast.

Well whatever you did I love you. My PC is no longer slow ^__^


Solved Re: System Security hijacked my PC

Post by Belahzur on Wed Sep 09, 2009 12:21 am

Hello.

Either way... Firefox just sped up to faster than Chrome. What the hell did you do? You just made my Firefox ultra fast.

Heh, it removed a Firefox hijacker, which caused random Google searches to redirect to malicious websites.

Let's clean this up now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 1
    Java(TM) 6 Update 2

Next, I need to know if you know what this folder is and what's inside it:

c:\program files\where im storing the virus

Lastly,

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    kl1
    npkycryp
    Partizan
    PsSdk30
    XDva076
    XDva090
    XDva134
    XDva167
    XDva277


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 12:25 am

Uhh, that's where the virus was being stored. I disabled it from running by moving the folder into a new folder... I'll assume you want me to delete it.

Can I ask why we're removing java?


Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 12:27 am

========== SERVICES/DRIVERS ==========

Service\Driver kl1 deleted successfully.

Service\Driver npkycryp deleted successfully.

Service\Driver Partizan deleted successfully.

Service\Driver PsSdk30 deleted successfully.

Service\Driver XDva076 deleted successfully.

Service\Driver XDva090 deleted successfully.

Service\Driver XDva134 deleted successfully.

Service\Driver XDva167 deleted successfully.

Service\Driver XDva277 deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_192211


Uhh, npkycryp wasn't a virus, that was part of my game... oh dammit, I really hope my game works.

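A scripted first pass over the DDS SERVICES / DRIVERS section, reproducing the review done by hand in the posts above and showing why a legitimate game driver like npkycryp gets caught by the same rules: an added Python example, not part of this thread or of the DDS/OTM tools. It assumes DDS's trailing "[?]" means the image file was not found on disk (the alternative is "[date size]") and that the R/S prefix and digit are running/stopped and the start type; the sample lines are copied from the log posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the shape DDS prints its SERVICES / DRIVERS section;
# the entries are copied from the log posted in this thread (plus WinDefend).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 npkycryp;npkycryp;\??\c:\documents and settings\gap\desktop\flow\npkycryp.sys --> c:\documents and settings\gap\desktop\flow\npkycryp.sys [?]
S3 XDva167;XDva167;\??\c:\docume~1\temp\locals~1\temp\dine3.tmp --> c:\docume~1\temp\locals~1\temp\DINE3.tmp [?]
S3 XDva277;XDva277;\??\c:\windows\system32\xdva277.sys --> c:\windows\system32\XDva277.sys [?]

=============== Created Last 30 ================
"""

# Assumed meaning of the DDS line prefix: R = running, S = stopped, digit = start
# type (0 boot, 1 system, 2 auto, 3 demand, 4 disabled). A trailing "[?]" is read
# as "DDS could not find the image file on disk"; otherwise it is "[date size]".
LINE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
META_RE = re.compile(r"^(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    image_path: str          # path DDS resolved (the part after "-->" when present)
    file_missing: bool       # True when the trailing bracket is "[?]"
    reasons: List[str] = field(default_factory=list)


def _strip_nt_prefix(path: str) -> str:
    # A kernel-style "\??\C:\..." path names the same file as "C:\..."
    return path[4:] if path.startswith("\\??\\") else path


def parse_services(text: str) -> List[ServiceEntry]:
    """Parse every R?/S? line of a DDS SERVICES / DRIVERS section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        meta_m = META_RE.match(m.group("rest"))
        if not meta_m:
            continue
        path = meta_m.group("path")
        if " --> " in path:              # DDS shows "registry path --> resolved path"
            path = path.split(" --> ", 1)[1]
        entries.append(ServiceEntry(
            name=m.group("name"),
            display=m.group("display"),
            running=m.group("state") == "R",
            start_type=START_TYPES.get(m.group("start"), "unknown"),
            image_path=_strip_nt_prefix(path),
            file_missing=meta_m.group("meta").strip() == "?",
        ))
    return entries


def triage(entries: List[ServiceEntry]) -> Dict[str, List[str]]:
    """Return {service name: [reasons]} for entries that deserve a human look.

    The reasons are review hints, not verdicts: npkycryp is flagged by the
    same rules, yet in this thread it turned out to be a game's own driver.
    """
    flagged = {}
    for e in entries:
        low = e.image_path.lower()
        reasons = []
        if e.file_missing:
            reasons.append("image file not found on disk (orphaned service entry)")
        if "\\documents and settings\\" in low or "\\docume~1\\" in low:
            reasons.append("driver loaded from a user-profile directory")
        if "\\temp\\" in low:
            reasons.append("driver loaded from a temp directory")
        if low.endswith(".tmp"):
            reasons.append("kernel driver image with a .tmp extension")
        if reasons:
            e.reasons = reasons
            flagged[e.name] = reasons
    return flagged


if __name__ == "__main__":
    for name, why in triage(parse_services(SAMPLE_LOG)).items():
        print(f"{name}: {'; '.join(why)}")
```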

Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 1:31 pm

I dunno what happened, it came back... nobody was on. It just keeps coming back. Maybe it's a rootkit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:58 AM, on 9/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\9129837.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\PC clean\HJTfunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - Startup: ikowin32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7897 bytes


Solved Re: System Security hijacked my PC

Post by Belahzur on Wed Sep 09, 2009 6:43 pm

Hello.
I think Sony is to blame here; do you have/have you installed anything from Sony lately? A game perhaps? Anything at all from Sony?

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
    O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
    O4 - Startup: ikowin32.exe
    O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 7:29 pm

Yeah, I do have stuff installed from Sony. SecuROM can't be deleted or I can't play any games, because it's anti-piracy software that does more harm than good. :/

Should I go ahead and delete UAService7 and UAService? >__>


Solved Re: System Security hijacked my PC

Post by Belahzur on Wed Sep 09, 2009 7:36 pm

Hello.
I wouldn't trust Sony; they have been sued in the past for using malware in their products. See here:
More: [You must be registered and logged in to see this link.]



Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 7:37 pm

I don't trust that crap either but last time I removed it none of my games worked anymore <__<...


O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e

isn't being deleted. I pressed Fix and it still appears.


Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 7:54 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2766
Windows 5.1.2600 Service Pack 2

9/9/2009 2:49:56 PM
mbam-log-2009-09-09 (14-49-56).txt

Scan type: Quick Scan
Objects scanned: 112735
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qhg3d54 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qhg3d54 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tceb586 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tceb586 (Rootkit.Kryptik) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nbinajijoh (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sgavd32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sgavd32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\qhg3d54.sys (Rootkit.Kryptik) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tceb586.sys (Rootkit.Kryptik) -> Quarantined and deleted successfully.
C:\Documents and Settings\gap\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sysdiag.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv391251946612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv511248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv801251946612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\abizuwip.dll (Trojan.Agent) -> Delete on reboot.


Solved Re: System Security hijacked my PC

Post by Belahzur on Wed Sep 09, 2009 10:04 pm

What happens if we just stop the services, but not delete the files?

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.



Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 09, 2009 10:53 pm

Nuddin...I always stop them when I get bored.


DDS (Ver_09-07-30.01) - NTFSx86
Run by gap at 17:47:57.26 on Wed 09/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.579 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\gap\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [Google Update] "c:\documents and settings\gap\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_15.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
Trusted Zone: windowsupdate.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - [You must be registered and logged in to see this link.]
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gap\applic~1\mozilla\firefox\profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\gap\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {1181DA92-58E9-4113-9B4F-DB76EFF5A537} - c:\documents and settings\gap\local settings\application data\{1181da92-58e9-4113-9b4f-db76eff5a537}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-28 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 185089]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-6-26 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-09-09 16:51 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-09 07:07 120 a------- c:\windows\Pzacohahurozec.dat
2009-09-08 19:22 --d----- C:\_OTM
2009-09-07 23:03 --d----- c:\program files\where im storing the virus
2009-09-04 18:21 -cd----- c:\windows\system32\dllcache\cache
2009-09-04 17:57 230,912 a------- c:\windows\PEV.exe
2009-09-04 17:57 161,792 a------- c:\windows\SWREG.exe
2009-09-04 17:57 98,816 a------- c:\windows\sed.exe
2009-09-04 17:57 --ds---- C:\ComboFix
2009-08-25 19:09 --d----- C:\test
2009-08-25 14:42 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-25 14:41 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll

==================== Find3M ====================

2009-09-03 10:28 8,416 a------- c:\windows\system32\drivers\61883.sys
2009-08-05 20:16 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:49 1,285,026,321 a------- C:\MSSetupv73.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2007-02-16 08:54 8,026,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-16 02:52 68,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 17:48:47.71 ===============

LordZet
Intermediate
Intermediate

Status :
Online
Offline

Posts : 100
Joined : 2009-08-26
OS : XP
Points : 27454
# Likes : 0

View user profile

Back to top Go down

Solved Re: System Security hijacked my PC

Post by Belahzur on Thu Sep 10, 2009 7:12 pm

Can you download/run GooredFix again?

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\Pzacohahurozec.dat
    c:\windows\system32\drivers\61883.sys


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


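Added example (not from the thread, and not part of DDS or OTM): a script that applies the helper's triage above to lines in DDS format and writes the OTM ":files" block from what it flags. The sample lines are copied from the log posted earlier in this thread; the watched folders, the ComboFix-file allowlist and the security-service keywords are this example's own assumptions.

```python
import re

# Added example: triage of DDS "Created Last 30" / "Find3M" lines and the
# "SERVICES / DRIVERS" table, then the OTM ":files" block for what was flagged.
# Watched folders, allowlist and keywords are this example's assumptions.

# Constructed sample in DDS file-listing format (paths from the thread's log).
SAMPLE_FILES = """\
2009-09-09 16:51 411,368 a------- c:\\windows\\system32\\deploytk.dll
2009-09-09 07:07 120 a------- c:\\windows\\Pzacohahurozec.dat
2009-09-08 19:22 --d----- C:\\_OTM
2009-09-04 17:57 230,912 a------- c:\\windows\\PEV.exe
2009-09-04 17:57 --ds---- C:\\ComboFix
2009-09-03 10:28 8,416 a------- c:\\windows\\system32\\drivers\\61883.sys
2009-08-25 14:42 128,512 -c------ c:\\windows\\system32\\dllcache\\dhtmled.ocx
"""

# Constructed sample in DDS service format: R=running, S=stopped; the digit is
# the start type (0 boot, 1 system, 2 auto, 3 manual, 4 disabled).
SAMPLE_SERVICES = """\
R1 avgio;avgio;c:\\program files\\avira\\antivir desktop\\avgio.sys [2009-5-4 11608]
S2 WinDefend;Windows Defender;c:\\program files\\windows defender\\MsMpEng.exe [2006-11-3 13592]
S4 AntiVirService;Avira AntiVir Guard;c:\\program files\\avira\\antivir desktop\\avguard.exe [2009-5-4 185089]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\\program files\\common files\\sony shared\\vaio entertainment\\vzcdb\\VzFw.exe [2004-6-26 86098]
"""

FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.*?)(?: \[[^\]]*\])?$"
)
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Folders where a new, unrecognised file deserves a look (assumption: XP layout).
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32\\drivers"}
# Helpers ComboFix drops into %windir% (created in the thread's log in the same
# minute as C:\ComboFix); allowlisted so they are not flagged.
KNOWN_TOOL_FILES = {"pev.exe", "swreg.exe", "sed.exe"}
# Words that mark a service as security software (assumption for this example).
SECURITY_HINTS = ("antivir", "avira", "defender", "guard", "mbam")


def parse_files(text):
    """Parse DDS file-listing lines; a 'd' in the attribute column means directory."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["path"] = e["path"].lower()
            e["is_dir"] = "d" in e["attrs"]
            entries.append(e)
    return entries


def flag_files(entries, since):
    """Paths of files created on or after `since` (YYYY-MM-DD) that sit in a
    watched folder and are not a known tool file. A flag is a lead, not a verdict."""
    flagged = []
    for e in entries:
        if e["is_dir"] or e["date"] < since:
            continue
        folder, _, name = e["path"].rpartition("\\")
        if folder in WATCHED_DIRS and name not in KNOWN_TOOL_FILES:
            flagged.append(e["path"])
    return flagged


def parse_services(text):
    """Parse DDS service/driver lines, translating the start-type digit."""
    services = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["start"] = START_TYPES.get(s["start"], s["start"])
            services.append(s)
    return services


def disabled_security_services(services):
    """Security-looking services whose start type is 'disabled' (S4 in DDS)."""
    return [s["name"] for s in services if s["start"] == "disabled"
            and any(h in (s["name"] + " " + s["display"]).lower() for h in SECURITY_HINTS)]


def otm_script(paths):
    """The OTM ':files' block used in the thread. OTM moves each listed path under
    C:\\_OTM instead of deleting it, so a false positive can be put back."""
    return ":files\n" + "".join(p + "\n" for p in paths)


if __name__ == "__main__":
    flagged = flag_files(parse_files(SAMPLE_FILES), since="2009-09-01")
    print(otm_script(flagged))
    print("disabled security services:",
          disabled_security_services(parse_services(SAMPLE_SERVICES)))
```

A flag from a rule like this is a lead, not a verdict: 61883.sys is also the name of a Microsoft IEEE 1394 driver shipped with XP, so a flagged name should be checked against its expected size, date and signer before it is moved, and OTM's move-to-C:\_OTM behaviour is what makes a wrong guess recoverable. The service check is the other thing worth reading off this log: DDS lists AntiVirService as S4, i.e. disabled, which matches the "On-access scanning disabled" line at the top of the posted log.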

Solved Re: System Security hijacked my PC

Post by LordZet on Thu Sep 10, 2009 7:37 pm

========== FILES ==========
c:\windows\Pzacohahurozec.dat moved successfully.
c:\windows\system32\drivers\61883.sys moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09102009_143233

Uhhh, can I delete the folder where I was storing the virus? You always ask what's in it but never ask me to delete it... <__<

And yeah, I can use GooredFix, I still have it.


Solved Re: System Security hijacked my PC

Post by Belahzur on Fri Sep 11, 2009 1:21 am

Hello.
Yeah, you can delete that folder where you stored it.
Then delete this folder.

C:\_OTM

Please run GooredFix.



Solved Re: System Security hijacked my PC

Post by LordZet on Fri Sep 11, 2009 2:11 pm

GooredFix by jpshortstuff (12.07.09)
Log created at 09:06 on 11/09/2009 (gap)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1181DA92-58E9-4113-9B4F-DB76EFF5A537} -> Success!
Deleting C:\Documents and Settings\gap\Local Settings\Application Data\{1181DA92-58E9-4113-9B4F-DB76EFF5A537} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:52 27/07/2005]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [21:51 09/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:08 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:51 09/09/2009]

---------- Old Logs ----------
GooredFix[00.01.49_09-09-2009].txt

-=E.O.F=-


Solved Re: System Security hijacked my PC

Post by Belahzur on Fri Sep 11, 2009 7:53 pm

Hello.
How is it now? This should be fine now from what I can tell.



Solved Re: System Security hijacked my PC

Post by LordZet on Fri Sep 11, 2009 8:11 pm

How is what now? I still can't turn on my Avira.


Solved Re: System Security hijacked my PC

Post by LordZet on Sun Sep 13, 2009 12:14 am

Oh, and am I clean yet?


Solved Re: System Security hijacked my PC

Post by Belahzur on Mon Sep 14, 2009 12:26 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.



Solved Re: System Security hijacked my PC

Post by LordZet on Mon Sep 14, 2009 4:48 pm

GMER 1.0.15.15086 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-14 11:43:56
Windows 5.1.2600 Service Pack 2
Running: pwyfyyj4.exe; Driver: C:\DOCUME~1\gap\LOCALS~1\Temp\aujasnkj.sys


---- System - GMER 1.0.15 ----

SSDT F7E70FC6 ZwCreateKey
SSDT F7E70FBC ZwCreateThread
SSDT F7E70FCB ZwDeleteKey
SSDT F7E70FD5 ZwDeleteValueKey
SSDT F7E70FDA ZwLoadKey
SSDT F7E70FA8 ZwOpenProcess
SSDT F7E70FAD ZwOpenThread
SSDT F7E70FE4 ZwReplaceKey
SSDT F7E70FDF ZwRestoreKey
SSDT F7E70FD0 ZwSetValueKey
SSDT F7E70FB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? hoeq.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\gap\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#[You must be registered and logged in to see this link.] 95 bytes

---- EOF - GMER 1.0.15 ----


Solved Re: System Security hijacked my PC

Post by Belahzur on Mon Sep 14, 2009 9:12 pm

Hello.
This should be okay now, just uninstall Avira, then re-install it.


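Added example (not from the thread or from GMER): the reading of the GMER log above, written as a script over the lines from that post. It assumes GMER prints only a hex address for an SSDT hook it cannot attribute to a module (the lines here carry no module path), and it treats hooks whose addresses fall within one page of each other as one driver's hook table. Whether that driver is legitimate is the analyst's call, not the script's; the syscall grouping below is this example's own.

```python
import re

# Added example: a reading of the GMER output posted in this thread. It assumes
# GMER prints a bare hex address for an SSDT hook it cannot attribute to a
# module, and treats hooks whose addresses sit within one page of each other as
# one hooking driver. It does not judge whether that driver is legitimate.

# Constructed sample: lines copied from the GMER log posted in this thread.
SAMPLE_GMER = """\
---- System - GMER 1.0.15 ----

SSDT F7E70FC6 ZwCreateKey
SSDT F7E70FBC ZwCreateThread
SSDT F7E70FCB ZwDeleteKey
SSDT F7E70FD5 ZwDeleteValueKey
SSDT F7E70FDA ZwLoadKey
SSDT F7E70FA8 ZwOpenProcess
SSDT F7E70FAD ZwOpenThread
SSDT F7E70FE4 ZwReplaceKey
SSDT F7E70FDF ZwRestoreKey
SSDT F7E70FD0 ZwSetValueKey
SSDT F7E70FB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? hoeq.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \\FileSystem\\Fastfat \\Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified")

# What each hooked service lets a driver intercept (grouping is this example's
# assumption; the service names are the standard NT ones).
REGISTRY_WRITES = {"ZwCreateKey", "ZwDeleteKey", "ZwDeleteValueKey", "ZwLoadKey",
                   "ZwReplaceKey", "ZwRestoreKey", "ZwSetValueKey"}
PROCESS_ACCESS = {"ZwOpenProcess", "ZwOpenThread", "ZwCreateThread", "ZwTerminateProcess"}


def parse_ssdt_hooks(text):
    """Return (function, address) pairs for SSDT hooks GMER listed by address only."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append((m.group("func"), int(m.group("addr"), 16)))
    return hooks


def cluster_hooks(hooks, window=0x1000):
    """Group hooks by address: consecutive addresses no more than `window` bytes
    apart are assumed to belong to one driver's hook table."""
    clusters = []
    for func, addr in sorted(hooks, key=lambda h: h[1]):
        if clusters and addr - clusters[-1][-1][1] <= window:
            clusters[-1].append((func, addr))
        else:
            clusters.append([(func, addr)])
    return clusters


def categorize(hooks):
    """Bucket hooked services by what they let the hooking driver intercept."""
    buckets = {"registry_writes": [], "process_access": [], "other": []}
    for func, _ in hooks:
        if func in REGISTRY_WRITES:
            buckets["registry_writes"].append(func)
        elif func in PROCESS_ACCESS:
            buckets["process_access"].append(func)
        else:
            buckets["other"].append(func)
    return {k: sorted(v) for k, v in buckets.items()}


def missing_kernel_modules(text):
    """Kernel code sections GMER could not find on disk; each one needs a look."""
    found = []
    for line in text.splitlines():
        m = MISSING_RE.match(line.strip())
        if m:
            found.append(m.group("module"))
    return found


def summarize(text):
    hooks = parse_ssdt_hooks(text)
    addrs = [a for _, a in hooks]
    return {
        "hook_count": len(hooks),
        "cluster_count": len(cluster_hooks(hooks)),
        "span_bytes": (max(addrs) - min(addrs)) if addrs else 0,
        "categories": categorize(hooks),
        "missing_modules": missing_kernel_modules(text),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_GMER)
    print(f"{s['hook_count']} SSDT hooks in {s['cluster_count']} address cluster(s), "
          f"spanning {s['span_bytes']} bytes")
    print("registry-write hooks:", s["categories"]["registry_writes"])
    print("process/thread hooks:", s["categories"]["process_access"])
    print("kernel modules GMER could not find on disk:", s["missing_modules"])
```

On this log the result is 11 hooks inside a 60-byte range, so one driver with a single jump table, and the hooked services are exactly the registry-write and process/thread-access calls a self-protecting security product hooks (rootkits hook the same set for the same reason). The DDS log earlier in the thread shows Avira's avgio/avgntflt and Windows Defender present, which is why a helper weighs an otherwise anonymous hook cluster against the installed security software before calling it a rootkit. hoeq.sys, a kernel code section GMER could not find on disk, is the one item a script cannot settle: it wants a file search and a check for a matching service entry before the box is called clean.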

Solved Re: System Security hijacked my PC

Post by LordZet on Tue Sep 15, 2009 1:48 am

Yeah, but what about the viruses inside my quarantine? I have several from when I was last reinfected a long while ago that got sent. Will they be released?


Solved Re: System Security hijacked my PC

Post by Belahzur on Tue Sep 15, 2009 5:48 pm

No, once quarantined, they are dead. When Avira is uninstalled, the quarantine location is removed, and so are the files inside it.



Solved Re: System Security hijacked my PC

Post by LordZet on Tue Sep 15, 2009 9:42 pm

Okay, I reinstalled and it works.


Solved Re: System Security hijacked my PC

Post by LordZet on Wed Sep 16, 2009 5:23 pm

I'm assuming I'm now clean ^__^

