TechSpot

Problems with Kerio Firewall

By adesito
Mar 30, 2007
  1. Hello, this is my first post.

    I have installed Sunbelt Kerio Firewall as suggested in the Viruses/Spyware/Malware preliminary removal instructions.

    Every time I open a program, an alert appears saying that an intrusion attempt comes from:
    C:\windows\system32\pshizk.exe

    Also, it can't open IE pages.
    What's the problem?
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I can't find any info for pshizk.exe. This makes it look suspicious.

    Go and read this thread HERE and post a HJT log as an attachment into this thread.

    Regards Howard :wave: :wave:

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. adesito

    adesito TS Rookie Topic Starter Posts: 17

    AVG Antirootkit also detected the same file.
    This is the result:
    C:\WINDOWS\System32\PSHIZK.EXE,Hidden application file, Hidden file
    c:\WINDOWS\system32\pshizk.dat,Hidden file
    c:\WINDOWS\system32\pshizk_navps.dat,Hidden file
    c:\WINDOWS\system32\pshizk_nav.dat,Hidden file
    c:\WINDOWS\Prefetch\PSHIZK.EXE-3073AAAD.pf,Hidden file

    In the meantime I have Kerio inactive because I can't open pages with IE.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, have AVG Antirootkit fix those entries. Let's see what other nasties (if any) you have on your system.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. adesito

    adesito TS Rookie Topic Starter Posts: 17

    You mean to remove all these items with AVG Antirootkit?
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes mate, that's what I mean.

    If you're in any doubt, you can always have the file checked over at Jotti's, but as far as I'm concerned they're nasty.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file C:\WINDOWS\System32\PSHIZK.EXE
    * Click Open. Then do the same for the other PSHIZK files.
    * Please let me know the results.

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. adesito

    adesito TS Rookie Topic Starter Posts: 17

    This is the HJT log, without having removed the problems with AVG Antirootkit.
    Sorry, I can't attach the logfile: the pop-up window is being blocked.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It could be the infection that's stopping you from uploading your HJT log. See this thread HERE and try again.

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. adesito

    adesito TS Rookie Topic Starter Posts: 17

    I tried again but the pop-up window doesn't open.
    Do you want me to paste the results in the thread?
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, copy and paste your logfile. I'll remove it once I've finished with it.

    Did you upload the files to Jotti? If so, what were the results?

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. adesito

    adesito TS Rookie Topic Starter Posts: 17

    Did you receive the log files?

    I re-activated Kerio: an infection in C:\windows\system32\svchost.exe is being continuously detected.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    No, I can't see any logfiles.

    Can't you just copy and paste the results?

    I'll ask you again. Did you upload the PSHIZK.EXE files to Jotti's?

    Did you have AVG Antirootkit fix the PSHIZK.EXE entries?

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. adesito

    adesito TS Rookie Topic Starter Posts: 17

    Well, I posted a reply where I copy-pasted the results.
    I'm redoing what you say in your Viruses/Spyware/Malware preliminary removal instructions.
    I didn't upload the PSHIZK.EXE files to Jotti's, I just fixed them with AVG Antirootkit.
    Some viruses still reappear.
    I'll try to attach the logs through this computer, if the other one still doesn't work.

    I'm sending log files from Combofix (2 logs, different scans), HJT, and SSD.
    Antirootkit is indicating nothing, and AVG detected a virus in dcpromo.log this morning.
    Still can't open pop-up windows: opening is blocked (how can I unblock it?)
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions more easily.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there).

    Absolute Poker

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows Local Hosting Service

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there).

    Absolute Poker.lnk
    mscgy.exe
    userinit.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

    O4 - HKLM\..\Run: [C:\WINDOWS\userinit.exe] C:\WINDOWS\system32\dllcache\userinit.exe

    O4 - HKLM\..\Run: [Windows Local Hosting Service] C:\WINDOWS\System32\mscgy.exe

    O4 - HKLM\..\RunServices: [Windows Local Hosting Service] C:\WINDOWS\System32\mscgy.exe

    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v48/pool/pool.cab

    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker  (delete the entire folder)
    C:\WINDOWS\System32\mscgy.exe
    C:\WINDOWS\userinit.exe
    C:\WINDOWS\system32\dllcache\userinit.exe

    Reboot into normal mode and rehide your protected OS files.

    Post a fresh HJT log as well as an AVG Antispyware log.

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. adesito

    adesito TS Rookie Topic Starter Posts: 17

    Done what you said:
    - Windows Local Hosting Service: not found
    - None of the processes indicated were found running in the task manager processes tab
    - After running HJT, both O9 entries were not found:
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

    After rebooting into normal mode Windows can't open: it stops at a "Welcome" screen with "user"; if you click on user it closes the account and the user account and a close tab appear again.
    If you boot into safe mode the same thing happens, the only difference is you also have an administrator account tab.
    What to do? I can't find a rescue disk.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Instead of trying to boot into safe mode, try last known good config and see if that helps.

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. adesito

    adesito TS Rookie Topic Starter Posts: 17

    The same thing happens: it stops at a welcome screen with a button for the user account; if you press the user account button it begins to load the user account configuration and then closes it, and remains on the same screen; only the close button works.
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's not good. You really need to find your Windows/rescue disks.

    Regards Howard :(

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. Fiziks

    Fiziks Banned Posts: 226

    As Howard was posting I was going to say the same thing... time for a reformat.
     
  20. adesito

    adesito TS Rookie Topic Starter Posts: 17

    It seems there are no rescue disks.
    What was it I did wrong?
     
  21. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don't think you did anything wrong. Your system was/is infected with some kind of rootkit, which may well have damaged your OS files.

    Do you have a rescue partition on your hard drive? What brand and model is your computer?

    Regards Howard :(
     
  22. adesito

    adesito TS Rookie Topic Starter Posts: 17

    How can I know if I have a rescue partition on the HD?
    I don't know the brand or model, I think it's a clone.
     
  23. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'm just wondering if, when we deleted the rogue userinit.exe file, that's what caused your problem.

    Download a live Knoppix ISO from HERE and burn it to cd as an image.

    Download a fresh copy of userinit.exe from HERE. Burn it to a cd.

    Boot from the Knoppix cd.

    Click on the hard drive icon.

    Click the Windows folder.

    Click the system32 folder.

    Insert the cd with the userinit.exe file on it, open the cd and drag the userinit.exe file to the system32 folder.

    Close the window.

    Right click the desktop and select log out of Knoppix. Remove the Knoppix cd when prompted to do so. Reboot your system.

    See if you can now boot into Windows.

    If that doesn't help, try placing the userinit.exe file in the Windows folder.

    Let us know the results.

    Regards Howard :)
     
  24. adesito

    adesito TS Rookie Topic Starter Posts: 17

    If by burn you mean copy, I can't copy onto a CD because the CD burner is in the XP computer, not in this one.
    Where is the good userinit.exe file supposed to be?
     
  25. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    userinit.exe is normally found in the C:\windows\system32 folder.

    Yours were in the C:\windows and C:\windows\system32\dllcache folders, which as far as I'm concerned are bogus.

    Unless you can follow the instructions in my post above, I don't know what else to try. Perhaps you can get one of your friends to burn the necessary CDs for you. Maybe you can take the CD burner out of your system and use it in the system you're on now, then replace it once you're done.

    Regards Howard :)

    This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
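Added example, not from the thread and not part of HijackThis, AVG or Kerio: a small Python checker that applies the reasoning from post 14 (the O4 fix list) and post 25 (userinit.exe belongs in C:\windows\system32, so a Run entry launching it from C:\windows or from dllcache is bogus) to HijackThis-style O4 lines. The expected-location table, the list of directories nothing should autostart from, and the sample log (the O4 entries quoted from the thread plus one constructed benign Java entry) are assumptions made for illustration.

```python
"""Flag suspicious HijackThis O4 (autorun) entries by executable location.

Added example for the thread above; not code from TechSpot, HijackThis or any
of the tools mentioned. The tables below are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional

# Where well-known Windows binaries normally live (assumed; mirrors the
# thread's point that the real userinit.exe sits in system32).
EXPECTED_HOME = {
    "userinit.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Directories nothing should legitimately autostart from (assumed). dllcache
# is Windows File Protection's backup store, not a launch location.
NO_LAUNCH_DIRS = (r"c:\windows\system32\dllcache", r"c:\windows\temp")

# Constructed sample: the O4 lines posted in the thread, one constructed
# rogue entry launching userinit.exe from C:\WINDOWS, one constructed benign
# Java updater entry, and a non-O4 line that the checker must ignore.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [C:\WINDOWS\userinit.exe] C:\WINDOWS\system32\dllcache\userinit.exe
O4 - HKLM\..\Run: [Windows Local Hosting Service] C:\WINDOWS\System32\mscgy.exe
O4 - HKLM\..\RunServices: [Windows Local Hosting Service] C:\WINDOWS\System32\mscgy.exe
O4 - HKLM\..\Run: [userinit] C:\WINDOWS\userinit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)


def executable_path(cmd: str) -> Optional[str]:
    """Return the .exe path at the start of a Run-key command, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def check_o4(line: str) -> List[str]:
    """Return the reasons an O4 line looks suspicious (empty list if none)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    path = executable_path(cmd)
    if path is None:
        return []
    reasons: List[str] = []
    directory, _, filename = path.lower().rpartition("\\")
    # (a) Run value names are short labels; a full path as the name is odd
    if re.match(r"^[a-z]:\\", name.lower()):
        reasons.append("value name is a file path")
    # (b) a known system binary launched from outside its normal home
    home = EXPECTED_HOME.get(filename)
    if home and directory != home:
        reasons.append(f"{filename} outside {home}")
    # (c) launched from a cache or temp directory
    if any(directory == d or directory.startswith(d + "\\") for d in NO_LAUNCH_DIRS):
        reasons.append(f"autostart from {directory}")
    return reasons


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Run check_o4 over every line of an HJT log and return the hits."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        reasons = check_o4(line)
        if reasons:
            hits.append({"line": line.strip(), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["line"])
        for reason in hit["reasons"]:
            print("   ->", reason)
```

Note what the path rules do and do not catch: the dllcache userinit.exe entry trips all three checks, but the mscgy.exe entries in System32 trip none, because a random name in the right directory looks normal by location alone. That is why the thread pairs log review with a Jotti scan of the file itself (post 6) and with an anti-rootkit scan.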
     
Topic Status:
Not open for further replies.
