System Security hijacked my PC


Solved Re: System Security hijacked my PC

Post by Belahzur on 9th September 2009, 12:21 am

Hello.

Either way... Firefox just sped up to faster than Chrome. What the hell did you do? You just made my Firefox ultra fast.

Heh, it removed a Firefox hijacker, which caused random Google searches to redirect to malicious websites.

Let's clean this up now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 1
    Java(TM) 6 Update 2

Next, I need to know if you know what this folder is and what's inside it:

c:\program files\where im storing the virus

Lastly,

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    kl1
    npkycryp
    Partizan
    PsSdk30
    XDva076
    XDva090
    XDva134
    XDva167
    XDva277


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 12:25 am

Uhh, that's where the virus was being stored. I disabled it from running by moving the folder into a new folder... I'll assume you want me to delete it.

Can I ask why we're removing java?


Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 12:27 am

========== SERVICES/DRIVERS ==========

Service\Driver kl1 deleted successfully.

Service\Driver npkycryp deleted successfully.

Service\Driver Partizan deleted successfully.

Service\Driver PsSdk30 deleted successfully.

Service\Driver XDva076 deleted successfully.

Service\Driver XDva090 deleted successfully.

Service\Driver XDva134 deleted successfully.

Service\Driver XDva167 deleted successfully.

Service\Driver XDva277 deleted successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09082009_192211


Uhh, npkycrpyt wasn't a virus, that was part of my game... oh damnit, I really hope my game works


Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 1:31 pm

I dunno what happened, it came back... nobody was on. It just keeps coming back. Maybe it's a rootkit.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:58 AM, on 9/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\9129837.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\gap\Desktop\PC clean\HJTfunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
N3 - Netscape 7: # Mozilla User Preferences
// This is a generated file!

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "http://www.sonystyle.com/webapp/wcs/stores/servlet/StoreCatalogDisplay?storeId=10151&catalogId=10551&langId=-1");
user_pref("browser.search.defaultengine", "http://www.google.com/");
user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
user_pref("browser.tabs.forceHide", true);
user_pref("intl.charsetmenu.browser.cache", "ISO-8859-1, UTF-8");
user_pref("ldap_2.servers.history.filename", "history.mab");
user_pref("ldap_2.servers.history.replication.lastChangeNumber", 0);
user_pref("ldap_2.servers.pab.filename", "abook.mab");
user_pref("ldap_2.servers.pab.replication.lastChangeNumber", 0);
user_pref("mail.smtpservers", "");
user_pref("mail.ui.folderpane.version", 2);
user_pref("mailnews.global_html_domains.version", 2);
user_pref("mailnews.html_domains", "netscape.net,ne
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\gap\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - Startup: ikowin32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7897 bytes


Solved Re: System Security hijacked my PC

Post by Belahzur on 9th September 2009, 6:43 pm

Hello.
I think Sony is to blame here. Do you have / have you installed anything from Sony lately? A game perhaps? Anything at all from Sony?

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
    O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
    O4 - Startup: ikowin32.exe
    O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
    O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

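An added example, not part of the thread and not HijackThis or Malwarebytes code: a small triage script that parses the O4 (autostart) and O23 (service) lines of a HijackThis log and flags the kinds of entries the helper asked to fix above, giving a reason for each flag. The sample lines are copied from the log posted earlier in this thread; the heuristics (a binary sitting directly in the Windows directory, a DLL loaded through rundll32.exe from an autostart key, a numeric file name, a service with no recorded owner or a missing file) are this example's own assumptions, and a flag means "verify this", not "this is malware", as the SecuROM exchange that follows shows.

```python
"""Triage helper for HijackThis O4 (autostart) and O23 (service) lines.

Added example, not from the thread and not HijackThis code: it applies a few
defender-side heuristics to the lines a helper would ask about and reports
a reason for each flag.  A flag is a prompt to verify, not a verdict.
"""
import re

# Constructed sample: a subset of the O4/O23 lines from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\9129837.exe
O4 - Startup: ikowin32.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: SecuROM User Access Service (UserAccess) - Unknown owner - C:\WINDOWS\system32\UAService.exe
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^O4 - Startup: (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^O23 - Service: (?P<desc>.*?) - (?P<owner>.*?) - (?P<path>.*)$')
# A file whose parent is the Windows directory itself (C:\WINDOWS\x.dll), not a subfolder.
WIN_ROOT_RE = re.compile(r'^[a-z]:\\windows\\[^\\]+$', re.I)
# Tokenizer that keeps quoted paths (which may contain spaces) as one token.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def command_tokens(cmd):
    """Split a Run command into tokens in order, quoted paths kept whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_o4(line):
    """Return {'kind', 'name', 'target', 'loader'} for an O4 line, or None."""
    m = RUN_RE.match(line)
    if m:
        tokens = command_tokens(m.group('cmd'))
        target = tokens[0] if tokens else ''
        loader = ''
        # rundll32.exe "<dll>",<export>: the file of interest is the DLL, not the loader.
        if target.lower().endswith('rundll32.exe') and len(tokens) > 1:
            loader = 'rundll32.exe'
            target = tokens[1].split(',')[0]
        return {'kind': m.group('hive') + ' Run', 'name': m.group('name'),
                'target': target, 'loader': loader}
    m = STARTUP_RE.match(line)
    if m:
        return {'kind': 'Startup', 'name': m.group('cmd'),
                'target': m.group('cmd'), 'loader': ''}
    return None


def parse_o23(line):
    """Return {'desc', 'owner', 'path'} for an O23 service line, or None."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    return {'desc': m.group('desc'), 'owner': m.group('owner'), 'path': m.group('path')}


def o4_reasons(entry):
    """Heuristic reasons an autostart entry deserves a closer look (may be empty)."""
    reasons = []
    target = entry['target']
    stem = target.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if WIN_ROOT_RE.match(target):
        reasons.append('binary sits directly in the Windows directory, not in System32')
    if entry['loader']:
        reasons.append('DLL launched through rundll32.exe from an autostart key')
    if stem.isdigit():
        reasons.append('file name is only digits')
    if entry['kind'] == 'Startup' and '\\' not in target:
        reasons.append('bare file name in the Startup folder, no vendor path')
    return reasons


def o23_reasons(svc):
    """Heuristic reasons a service entry should be verified (may be empty)."""
    reasons = []
    if svc['owner'] == 'Unknown owner':
        reasons.append('service binary has no recorded owner; confirm its origin before removing')
    if svc['path'].endswith('(file missing)'):
        reasons.append('service points at a file that no longer exists (orphaned entry)')
    return reasons


def triage(log_text):
    """Return [{'line', 'reasons'}] for every O4/O23 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('O4 '):
            entry = parse_o4(line)
            reasons = o4_reasons(entry) if entry else []
        elif line.startswith('O23 '):
            svc = parse_o23(line)
            reasons = o23_reasons(svc) if svc else []
        else:
            continue
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for finding in triage(HJT_SAMPLE):
        print(finding['line'])
        for reason in finding['reasons']:
            print('    -', reason)
```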

Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 7:29 pm

Yeah I do have stuff installed from Sony. Securom can't be deleted or I can't play any games. Because it's an anti piracy software that does more harm than good. :/

Should I go ahead and delete UAService7 and UAService? >__>


Solved Re: System Security hijacked my PC

Post by Belahzur on 9th September 2009, 7:36 pm

Hello.
I wouldn't trust Sony, they have been sued in the past for using malware in their products, see here:
More: [You must be registered and logged in to see this link.]


Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 7:37 pm

I don't trust that crap either but last time I removed it none of my games worked anymore <__<...


O4 - HKLM\..\Run: [Nbinajijoh] rundll32.exe "C:\WINDOWS\abizuwip.dll",e

isn't being deleted. I pressed fixed and it still appears.


Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 7:54 pm

Malwarebytes' Anti-Malware 1.40
Database version: 2766
Windows 5.1.2600 Service Pack 2

9/9/2009 2:49:56 PM
mbam-log-2009-09-09 (14-49-56).txt

Scan type: Quick Scan
Objects scanned: 112735
Time elapsed: 10 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\qhg3d54 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qhg3d54 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tceb586 (Rootkit.Kryptik) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tceb586 (Rootkit.Kryptik) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nbinajijoh (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sgavd32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\sgavd32.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\qhg3d54.sys (Rootkit.Kryptik) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\tceb586.sys (Rootkit.Kryptik) -> Quarantined and deleted successfully.
C:\Documents and Settings\gap\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipcmd.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\sysdiag.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv391251946612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv511248190332.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\wpv801251946612.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\9129837.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\abizuwip.dll (Trojan.Agent) -> Delete on reboot.


Solved Re: System Security hijacked my PC

Post by Belahzur on 9th September 2009, 10:04 pm

What happens if we just stop the services, but don't delete the files?

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt just yet.


Solved Re: System Security hijacked my PC

Post by LordZet on 9th September 2009, 10:53 pm

Nuddin...I always stop them when I get bored.


DDS (Ver_09-07-30.01) - NTFSx86
Run by gap at 17:47:57.26 on Wed 09/09/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.579 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\UAService.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\gap\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar\01.01.2607.0\en-us\msntb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
uRun: [Google Update] "c:\documents and settings\gap\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_15.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\windowsupdate
Trusted Zone: microsoft.com\[You must be registered and logged in to see this link.]
Trusted Zone: windowsupdate.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - [You must be registered and logged in to see this link.]
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - [You must be registered and logged in to see this link.]
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - [You must be registered and logged in to see this link.]
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gap\applic~1\mozilla\firefox\profiles\tiz06pr6.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\gap\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npActiveGS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XUL Cache: {1181DA92-58E9-4113-9B4F-DB76EFF5A537} - c:\documents and settings\gap\local settings\application data\{1181da92-58e9-4113-9b4f-db76eff5a537}\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-4 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-4 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-4 55656]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2004-10-28 15104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-4 185089]
S4 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2004-6-26 86098]
S4 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2009-09-09 16:51 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-09 07:07 120 a------- c:\windows\Pzacohahurozec.dat
2009-09-08 19:22 --d----- C:\_OTM
2009-09-07 23:03 --d----- c:\program files\where im storing the virus
2009-09-04 18:21 -cd----- c:\windows\system32\dllcache\cache
2009-09-04 17:57 230,912 a------- c:\windows\PEV.exe
2009-09-04 17:57 161,792 a------- c:\windows\SWREG.exe
2009-09-04 17:57 98,816 a------- c:\windows\sed.exe
2009-09-04 17:57 --ds---- C:\ComboFix
2009-08-25 19:09 --d----- C:\test
2009-08-25 14:42 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-25 14:41 655,872 -c------ c:\windows\system32\dllcache\mstscax.dll

==================== Find3M ====================

2009-09-03 10:28 8,416 a------- c:\windows\system32\drivers\61883.sys
2009-08-05 20:16 55,656 a------- c:\windows\system32\drivers\avgntflt.sys
2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-29 15:49 1,285,026,321 a------- C:\MSSetupv73.exe
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 11:12 827,392 -------- c:\windows\system32\wininet.dll
2009-06-29 11:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 11:12 17,408 a------- c:\windows\system32\corpol.dll
2009-06-16 09:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:55 82,432 a------- c:\windows\system32\fontsub.dll
2001-06-20 16:19 40,960 a------- c:\program files\ACMonitor_X83.exe
2007-02-16 08:54 8,026,400 a--sh--- c:\windows\system32\drivers\fidbox.dat
2007-02-16 02:52 68,384 a--sh--- c:\windows\system32\drivers\fidbox2.dat

============= FINISH: 17:48:47.71 ===============


Solved Re: System Security hijacked my PC

Post by Belahzur on 10th September 2009, 7:12 pm

Can you download/run GooredFix again?

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :files
    c:\windows\Pzacohahurozec.dat
    c:\windows\system32\drivers\61883.sys


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Solved Re: System Security hijacked my PC

Post by LordZet on 10th September 2009, 7:37 pm

========== FILES ==========
c:\windows\Pzacohahurozec.dat moved successfully.
c:\windows\system32\drivers\61883.sys moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09102009_143233

Uhhh, can I delete the folder where I was storing the virus... you always ask what's in it but never ask me to delete it... <__<

And yeah, I can use GooredFix, I still have it.


Solved Re: System Security hijacked my PC

Post by Belahzur on 11th September 2009, 1:21 am

Hello.
Yeah, you can delete that folder where you stored it.
Then delete this folder.

C:\_OTM

Please run GooredFix.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Post by LordZet on 11th September 2009, 2:11 pm

GooredFix by jpshortstuff (12.07.09)
Log created at 09:06 on 11/09/2009 (gap)
Firefox version 3.5.3 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{1181DA92-58E9-4113-9B4F-DB76EFF5A537} -> Success!
Deleting C:\Documents and Settings\gap\Local Settings\Application Data\{1181DA92-58E9-4113-9B4F-DB76EFF5A537} -> Success!

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [11:52 27/07/2005]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [21:51 09/09/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [08:08 08/08/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [21:51 09/09/2009]

---------- Old Logs ----------
GooredFix[00.01.49_09-09-2009].txt

-=E.O.F=-


Post by Belahzur on 11th September 2009, 7:53 pm

Hello.
How is it now? This should be fine now from what I can tell.





Post by LordZet on 11th September 2009, 8:11 pm

How is what now? I still can't turn on my Avira.


Post by LordZet on 13th September 2009, 12:14 am

Oh, and am I clean yet?


Post by Belahzur on 14th September 2009, 12:26 am

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.





Post by LordZet on 14th September 2009, 4:48 pm

GMER 1.0.15.15086 - [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-14 11:43:56
Windows 5.1.2600 Service Pack 2
Running: pwyfyyj4.exe; Driver: C:\DOCUME~1\gap\LOCALS~1\Temp\aujasnkj.sys


---- System - GMER 1.0.15 ----

SSDT F7E70FC6 ZwCreateKey
SSDT F7E70FBC ZwCreateThread
SSDT F7E70FCB ZwDeleteKey
SSDT F7E70FD5 ZwDeleteValueKey
SSDT F7E70FDA ZwLoadKey
SSDT F7E70FA8 ZwOpenProcess
SSDT F7E70FAD ZwOpenThread
SSDT F7E70FE4 ZwReplaceKey
SSDT F7E70FDF ZwRestoreKey
SSDT F7E70FD0 ZwSetValueKey
SSDT F7E70FB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? hoeq.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\gap\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#[You must be registered and logged in to see this link.] 95 bytes

---- EOF - GMER 1.0.15 ----

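A small log parser, added here as an example (it is not a tool from this thread and not part of GMER itself), that turns GMER output like the one LordZet posted above into structured findings a helper could triage. It collects the SSDT hook lines from the System section and checks whether the hook handlers sit in one tight address range, which is what a single driver hooking many services looks like (an antivirus self-protection module does this just as a rootkit would, so it is a signal, not a verdict), and it pulls out entries from the Kernel code sections block whose driver file is missing, like the `? hoeq.sys` line in the log. The embedded sample is a trimmed copy of the log posted in this thread; the function names and the `window=0x100` threshold are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the GMER log posted earlier in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15086
Rootkit scan 2009-09-14 11:43:56
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT F7E70FC6 ZwCreateKey
SSDT F7E70FBC ZwCreateThread
SSDT F7E70FA8 ZwOpenProcess
SSDT F7E70FB7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? hoeq.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
"""

# Section banners look like "---- <name> - GMER <version> ----".
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# SSDT lines: "SSDT <hex handler address> <Zw* service name>".
SSDT_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")
# Kernel module whose backing file is gone: "? <driver> The system cannot find the file specified. !"
MISSING_RE = re.compile(r"^\?\s+(?P<driver>\S+)\s+The system cannot find the file specified\.")


@dataclass
class GmerReport:
    # section name -> non-empty lines belonging to that section
    sections: dict = field(default_factory=dict)


def parse_gmer(text):
    """Split a GMER log into its banner-delimited sections."""
    report = GmerReport()
    current = "Header"
    report.sections[current] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            report.sections.setdefault(current, [])
            continue
        report.sections[current].append(line)
    return report


def ssdt_hooks(report):
    """Return (handler address, service name) pairs listed under System."""
    hooks = []
    for line in report.sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            hooks.append((m.group("addr").upper(), m.group("func")))
    return hooks


def same_handler_range(hooks, window=0x100):
    """True when every hook address lies within `window` bytes of the others,
    i.e. one module owns all the hooks (window is an assumed, hypothetical threshold)."""
    addrs = [int(addr, 16) for addr, _ in hooks]
    return bool(addrs) and max(addrs) - min(addrs) <= window


def missing_drivers(report):
    """Driver names that GMER saw referenced but could not find on disk."""
    found = []
    for line in report.sections.get("Kernel code sections", []):
        m = MISSING_RE.match(line)
        if m:
            found.append(m.group("driver"))
    return found


def triage(text):
    """Produce human-readable findings from a GMER log; one string per finding."""
    report = parse_gmer(text)
    findings = []
    hooks = ssdt_hooks(report)
    if hooks:
        shape = "one handler block" if same_handler_range(hooks) else "scattered handlers"
        names = ", ".join(func for _, func in hooks)
        findings.append(f"{len(hooks)} SSDT hooks ({shape}): {names}")
    for driver in missing_drivers(report):
        findings.append(f"kernel module {driver} is referenced but its file is missing (orphaned driver entry)")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the posted log the four hooks fall within a few dozen bytes of each other, so they come from one module; in this thread Belahzur treated that as benign, and a parser like this only narrows what a human then has to judge.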

Post by Belahzur on 14th September 2009, 9:12 pm

Hello.
This should be okay now, just uninstall Avira, then re-install it.





Post by LordZet on 15th September 2009, 1:48 am

Yeah, but what about the viruses inside my quarantine? I have several from when I was last reinfected a long while ago that got sent; will they be released?


Post by Belahzur on 15th September 2009, 5:48 pm

No, once quarantined, they are dead. When Avira is uninstalled, the quarantine location is removed, and so are the files inside it.





Post by LordZet on 15th September 2009, 9:42 pm

Okay, I reinstalled and it works.


Post by LordZet on 16th September 2009, 5:23 pm

I'm assuming I'm now clean ^__^


Post by Belahzur on 16th September 2009, 5:36 pm

Yep, this should be fine now.





Post by LordZet on 16th September 2009, 5:59 pm

Thank you ^__^


Post by Dr Jay on 16th September 2009, 9:52 pm

Since this issue appears to be solved, this topic is now closed and being marked solved.

If you need the topic reopened, PM an administrator, moderator, or staff.


Dr. Jay (DJ)


[You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.] ~ [You must be registered and logged in to see this link.]

Dr Jay
Head Administrator
Head Administrator

Posts Posts : 14309
Joined Joined : 2009-09-06
Gender Gender : Male
OS OS : Windows 10 Home & Pro
Arch. Arch. : x64 (64-bit)
Protection Protection : Bitdefender Total Security
Points Points : 302960
# Likes # Likes : 10

View user profile

Back to top Go down
