TechSpot

patchyoursystem.com

By brett_heywood
Oct 16, 2005
  1. My homepage changes to www.patchyoursystem.com and I get fake alerts in the icon tray that just bring me to a Spy Trooper site. I can't get rid of this; I will post my HJT log.
     


  2. Spike

    Spike TS Evangelist Posts: 2,168

    Going by previous logs, this is probably the culprit (though by no means certain)...

    O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpD783.tmp

    But you have far more in the log than that, and it really needs sorting out.

    I don't have the time right now to do it, but if you hang around someone else may.

    The entry above is safe enough to boot into Safe Mode, fix with HJT, and delete the file. While you're at it, fix all O16 entries.
     
  3. brett_heywood

    brett_heywood TS Rookie Topic Starter

    getting worse

    I can't even visit any pages. Whenever I try to type something in the URL bar it redirects me to http://www.securityerror.com/ and the page keeps refreshing itself until I click on Stop.
     
  4. Spike

    Spike TS Evangelist Posts: 2,168

    OK. Just to do us a little favour, could you please reboot and close down any applications you would usually have open and post a new log. If you're finding that things are getting worse, then there could be extra infection and so new entries in the HJT file. If you are able to do this in the next hour or so I will take a look at it tonight if nobody else takes a look at it first.
     
  5. brett_heywood

    brett_heywood TS Rookie Topic Starter

    New HJT log

    I rebooted and here is the new HJT log.
     


  6. Spike

    Spike TS Evangelist Posts: 2,168

    Just in your running processes you have these nasties...

    C:\WINDOWS\system32\msole32.exe - Troj/Fakespy-B (advertising program by Adclicker)
    C:\WINDOWS\system32\shnlog.exe - Troj/Puper-A
    C:\WINDOWS\system32\i2blm27f.exe
    C:\WINDOWS\system32\intmon.exe - Troj/Puper-D

    I've been through your logfile and picked out all the nasties (excluding programs that are generally useless but do little harm, such as viewpoint, and excluding the theme manager which I'm slightly suspicious of.)

    Please could you go to the "How to remove Trojans and its ilk" thread and follow the instructions there, and then post both the ewido log and a new HJT log.

    For reference, I'm attaching a list of things I found in your log.
     


  7. brett_heywood

    brett_heywood TS Rookie Topic Starter

    Ran ewido

    Ran HJT

    Posted new logs
     
  8. Spike

    Spike TS Evangelist Posts: 2,168

    As an aside to the instructions below, I'd like to bring to your attention something which I saw in your ewido log...

    The first is a type of application that you probably want to stay away from. Downloading this type of stuff is risky business, as it's often virus-ridden, and it annoys people. The second thing is that the detection of MRT.exe is likely a false positive, easily fixed by downloading the latest version of the tool from http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en. Anyway, instructions below...

    Reboot to Safe Mode. Disable System Restore.

    Open Task Manager and make sure that the following are not running...
    zydcdmr.exe
    LimeWire.exe
    EmpirePoker.exe

    Run HJT and fix the following entries...
    O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp605E.tmp
    O4 - HKLM\..\Run: [zydcdmr] C:\WINDOWS\zydcdmr.exe
    O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe

    Go through the list above and delete the files marked in bold...

    Clear your temporary internet files and cookies...

    Delete the contents of the following folders...
    C:\windows\prefetch
    C:\windows\temp (except for those files with today's date, i.e., 17th October)
    C:\Documents and Settings\[username]\Local Settings\Temp (repeat for each username on the computer)

    Reboot, scan with HJT, and post a log so we can check whether it's clean, and check to see if your problem has been fixed.
     
  9. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    You should really uninstall that useless Logitech Desktop Messenger.
    When done, go to www.stardownloader.com and get their FREE Stardownloader

    First Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    /S/ Service needs to be stopped
    /U/ UNinstall anything to do with this
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /P/ O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp605E.tmp
    /P/U/ O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    /P/U/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    /P/U/ O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    /P/ O4 - HKLM\..\Run: [zydcdmr] C:\WINDOWS\zydcdmr.exe
    /P/U/ O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
    /P/ O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe
    Unless these IP numbers are from your ISP, fix these O17 entries (Allstream Corp. in Toronto):
    O17 - HKLM\System\CCS\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
    O17 - HKLM\System\CS3\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
    O20 - AppInit_DLLs: MsgPlusLoader.dll
    O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
    /P/S/ O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    ...................................................................................................
     
  10. brett_heywood

    brett_heywood TS Rookie Topic Starter

    problem over

    The problem is done! THIS SITE RULES!
     
  11. Spike

    Spike TS Evangelist Posts: 2,168

    He he. You're welcome - one little bit of advice though - you probably should stop installing too many programs from unknown sources, or programs wrapped with adware etc., if you want to stay clean.

    Feel free to stick around :)
     
  12. blumgart

    blumgart TS Rookie

    Please help!

    My home page reverts to patchyoursystem.com.
    If anyone can please help me to remove this pest I'll be very grateful.

    Here is the HijackThis log:
     
  13. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

  14. Prismaticshadow

    Prismaticshadow TS Rookie

    I've been having the same problems... my homepage has been changed to http://www.patchyoursystem .com/, with a W32.Sinnaka.A@mm warning, my desktop background has been changed and my computer is just generally running a lot slower than usual. Can anyone help, please? :dead:
     
  15. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Prismaticshadow

    Go here first: Read: How to remove Trojans and its ilk!

    If that does not work for some reason,
    Read: Only use these HJT-instructions when asked!
    /P/ Process needs to be stopped
    The text between the dotted lines underneath goes between the dotted lines of that post.
    Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
    ...................................................................................................
    /P/ C:\WINDOWS\system32\shnlog.exe
    /P/ C:\WINDOWS\system32\intmon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
    /P/ O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp2EDB.tmp
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: DSLMON.lnk = ?
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122585923796
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    ...................................................................................................
     