Problems with Kerio Firewall


adesito

Hello, this is my first post.

I have installed Sunbelt Kerio Firewall as suggested in the Viruses/Spyware/Malware preliminary removal instructions.

Every time I open a program an alert comes up that an intrusion attempt comes from:
C:\windows\system32\pshizk.exe

Also it can't open IE pages.
What's the problem?
 
Hello and welcome to Techspot.

I can't find any info for pshizk.exe. This makes it look suspicious.

Go and read this thread HERE and post a HJT log as an attachment into this thread.

Regards Howard

This thread is for the use of adesito only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
AVG Antirootkit also detected the same file.
This is the result:
C:\WINDOWS\System32\PSHIZK.EXE,Hidden application file, Hidden file
c:\WINDOWS\system32\pshizk.dat,Hidden file
c:\WINDOWS\system32\pshizk_navps.dat,Hidden file
c:\WINDOWS\system32\pshizk_nav.dat,Hidden file
c:\WINDOWS\Prefetch\PSHIZK.EXE-3073AAAD.pf,Hidden file

In the meantime I have Kerio inactive because I can't open pages with IE.
 
Ok, have AVG Antirootkit fix those entries. Let's see what other nasties (if any) you have on your system.

Go and read the Viruses/Spyware/Malware preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :)

 
Yes mate, that's what I mean.

If you're in any doubt, you can always have the file checked over at Jotti's, but as far as I'm concerned they're nasty.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\System32\PSHIZK.EXE
* Click Open. Then do the same for the other PSHIZK files.
* Please let me know the results.

Regards Howard :)

 
This is the HJT log without removing the problems with AVG Antirootkit.
Sorry, I can't attach the logfile: the pop-up window is being blocked.
 
It could be the infection that's stopping you from uploading your HJT log. See this thread HERE and try again.

Regards Howard :)

 
Yes, copy and paste your logfile. I'll remove it once I've finished with it.

Did you upload the files to Jotti? If so, what were the results?

Regards Howard :)

 
Did you receive the log files?

I re-activated Kerio: an infection to C:\windows\system32\svchost.exe is being continuously detected.
 
No, I can't see any logfiles.

Can't you just copy and paste the results?

I'll ask you again. Did you upload the PSHIZK.EXE files to Jotti's?

Did you have AVG Antirootkit fix the PSHIZK.EXE entries?

Regards Howard :)

 
Well, I posted a reply where I copy-pasted the results.
I'm redoing what you say in your Viruses/Spyware/Malware preliminary removal instructions.
I didn't upload the PSHIZK.EXE files to Jotti's; I just fixed them with AVG Antirootkit.
Some viruses still reappear.
I'll try to attach the logs through this computer, if the other one still doesn't work.

I'm sending log files of Combofix (2 logs, different scans), HJT, and SSD.
Antirootkit is indicating nothing, and AVG detected a virus in dcpromo.log this morning.
Still can't open pop-up windows: opening is blocked (how can I unblock it?).
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Absolute Poker

Close control panel.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Windows Local Hosting Service

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

Absolute Poker.lnk
mscgy.exe
userinit.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

O4 - HKLM\..\Run: [C:\WINDOWS\userinit.exe] C:\WINDOWS\system32\dllcache\userinit.exe

O4 - HKLM\..\Run: [Windows Local Hosting Service] C:\WINDOWS\System32\mscgy.exe

O4 - HKLM\..\RunServices: [Windows Local Hosting Service] C:\WINDOWS\System32\mscgy.exe

O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://www.worldwinner.com/games/v48/pool/pool.cab

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

Click on the fix checked button.

Close HJT.

Locate and delete the following files and/or directories (if there).

C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker (delete the entire folder)
C:\WINDOWS\System32\mscgy.exe
C:\WINDOWS\userinit.exe
C:\WINDOWS\system32\dllcache\userinit.exe

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log as well as an AVG Antispyware log.

Regards Howard :)

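The post above clears the persistence points one at a time: the Run/RunServices values, the service, the processes and the files. As an added example (not code from the thread or from TechSpot), here is a PowerShell audit that checks the same places in one pass and reports what is still present, without deleting anything. The value names, CLSID and file paths are the ones in the HJT entries quoted above; the registry locations for BHOs and toolbars, the "odd path" heuristic and the output format are my additions. Get-WmiObject is used deliberately because the target is an XP-era Windows PowerShell, not PowerShell 7.

```powershell
# Added example, not from the thread: audit the persistence points the removal
# post tells the user to clear, and report anything still present. Names come
# from the HJT log quoted in the thread; nothing is deleted. Run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
$suspectValueNames = @('Windows Local Hosting Service', 'C:\WINDOWS\userinit.exe')
$suspectFiles = @(
    'C:\WINDOWS\System32\mscgy.exe',
    'C:\WINDOWS\userinit.exe',
    'C:\WINDOWS\system32\dllcache\userinit.exe',
    'C:\WINDOWS\System32\pshizk.exe'
)
$suspectClsid   = '{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}'
$suspectService = 'Windows Local Hosting Service'

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($type, $where, $detail) {
    $findings.Add([pscustomobject]@{ Type = $type; Where = $where; Detail = $detail })
}

# 1. Autorun values: the named entries, plus a heuristic (mine) for any Run
#    command that lives in dllcache or directly under the Windows root, where
#    a legitimate userinit.exe has no business being.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [string]$item.GetValue($name)
        if ($suspectValueNames -contains $name) {
            Add-Finding 'RunValue' "$key\$name" $cmd
        } elseif ($cmd -match '\\dllcache\\|^"?[A-Z]:\\WINDOWS\\[^\\]+\.exe') {
            Add-Finding 'RunValueOddPath' "$key\$name" $cmd
        }
    }
}

# 2. The bogus service, matched on service name or display name, with its
#    image path so the binary can be located even if renamed.
$filter = "Name='$suspectService' OR DisplayName='$suspectService'"
foreach ($s in @(Get-WmiObject Win32_Service -Filter $filter)) {
    Add-Finding 'Service' $s.Name "$($s.State), start=$($s.StartMode), image=$($s.PathName)"
}

# 3. Files, including hidden ones (-Force), with size, attributes and the
#    version-resource company name so a decoy userinit.exe stands out.
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) {
        $fi = Get-Item -LiteralPath $f -Force
        Add-Finding 'File' $f ("{0} bytes, attrs={1}, company='{2}'" -f `
            $fi.Length, $fi.Attributes, $fi.VersionInfo.CompanyName)
    }
}

# 4. The orphaned BHO/toolbar CLSID from the O2/O3 lines.
$clsidKeys = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$suspectClsid",
    "HKLM:\SOFTWARE\Classes\CLSID\$suspectClsid"
)
foreach ($k in $clsidKeys) { if (Test-Path $k) { Add-Finding 'CLSID' $k 'registered' } }
$tb = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
if ($tb -and ($tb.PSObject.Properties.Name -contains $suspectClsid)) {
    Add-Finding 'CLSID' "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar\$suspectClsid" 'toolbar entry'
}

if ($findings.Count -eq 0) { 'No listed indicators remain.' } else { $findings | Format-Table -AutoSize }
```

Run it before and after the manual steps: a clean second run is the evidence that the Run values, service and files are gone, while a surviving RunValueOddPath row is the kind of re-created entry the poster later describes as "some viruses still reappear".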
 
Done what you said:
- Windows Local Hosting Service: not found
- None of the processes indicated were found running in the task manager processes tab
- After running HJT, both O9 entries were not found:
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Usuario\Menú Inicio\Programas\Absolute Poker\Absolute Poker.lnk

After rebooting into normal mode Windows can't open: it stops at a "Welcome"
screen with "user"; if you click on user it will close the account, and the user account and a close tab appear again.
If you boot into safe mode the same thing happens; the only difference is you also have an administrator account tab.
What to do? I can't find a rescue disk.
 
Instead of trying to boot into safe mode, try last known good config and see if that helps.

Regards Howard :)

 
The same thing happens: it stops at a welcome screen with a button for the user account; if you press the user account button it begins to load the user account configuration and then closes it, and remains on the same screen; only the close button works.
 
I don`t think you did anything wrong. Your system was/is infected with some kind of rootkit, which may well have damaged your OS files.

Do you have a rescue partition on your hard drive? What brand and model is your computer?

Regards Howard :(
 
How can I know if I have a rescue partition on the hard drive?
I don't know the brand or model; I think it's a clone.
 
I'm just wondering if, when we deleted the rogue userinit.exe file, that's what caused your problem.

Download a live Knoppix ISO from HERE and burn it to cd as an image.

Download a fresh copy of userinit.exe from HERE. Burn it to a cd.


Boot from the Knoppix cd.

Click on the hard drive icon.

Click the Windows folder.

Click the system32 folder.

Insert the cd with the userinit.exe file on it, open the cd and drag the userinit.exe file to the system32 folder.

Close the window.

Right click the desktop and select log out of knoppix. Remove the knoppix cd when prompted to do so. Reboot your system.

See if you can now boot into Windows.

If that doesn`t help, try placing the userinit.exe file in the Windows folder.

Let us know the results.


Regards Howard :)
 
If by burn you mean copy, I can't copy onto a CD because the CD writer is in the XP computer, not in this one.
Where is the good userinit.exe file supposed to be?
 
userinit.exe is normally found in the C:\windows\system32 folder.

Yours were in the C:\windows and C:\windows\system32\dllcache folders, which as far as I'm concerned are bogus.

Unless you can follow the instructions in my post above, I don't know what else to try. Perhaps you can get one of your friends to burn the necessary CDs for you. Maybe you can take the CD burner out of your system and use it in the system you're on now, then replace it once you're done.

Regards Howard :)

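Howard's suspicion above is that deleting the userinit.exe copies broke the logon. The mechanism is that Windows starts the per-user shell through the Userinit value under the Winlogon key; if that value names a file that no longer exists, the logon session ends as soon as it starts and the user is dropped back at the Welcome screen, which is exactly the symptom reported. As an added example (not code from the thread), here is a PowerShell check of that value against the legitimate location Howard gives, C:\windows\system32\userinit.exe. The Winlogon key path and the comma-separated format of the value are standard Windows facts; the assumption that an unrooted entry resolves to system32, the version-resource heuristic and the optional repair are mine. It has to run on a bootable copy of Windows (elevated); for an unbootable box the same check applies after loading that machine's SOFTWARE hive under another root and pointing $winlogon at it.

```powershell
# Added example, not from the thread: verify (and optionally repair) the
# Winlogon Userinit value that decides which userinit.exe runs at logon.
# Assumes the legitimate binary is %SystemRoot%\system32\userinit.exe.
# Set $Fix = $true only after reading the warnings the first run prints.

$Fix      = $false
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'

$current = [string](Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
"Current Userinit value: '$current'"

# The value is a comma-separated list (a trailing comma is normal). Every
# entry must exist and on a clean box there is exactly one: the system32 copy.
$entries  = @($current -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
$problems = @()
foreach ($e in $entries) {
    # Assumption: an unrooted entry is resolved relative to system32.
    $full = if ([IO.Path]::IsPathRooted($e)) { $e } else { Join-Path $env:SystemRoot "system32\$e" }
    if (-not (Test-Path -LiteralPath $full)) {
        $problems += "Userinit entry points at a missing file: $e"
    } elseif ($full -ne $expected) {
        $problems += "Userinit entry is not the system32 copy: $e"
    }
}
if ($entries.Count -ne 1) { $problems += "Expected one Userinit entry, found $($entries.Count)" }

# Sanity-check the system32 copy itself. The version resource is only a hint:
# a missing Microsoft company name is suspicious, its presence proves nothing.
if (Test-Path -LiteralPath $expected) {
    $vi = (Get-Item -LiteralPath $expected -Force).VersionInfo
    "system32\userinit.exe: version $($vi.FileVersion), company '$($vi.CompanyName)'"
    if ($vi.CompanyName -notlike '*Microsoft*') {
        $problems += 'system32\userinit.exe does not carry a Microsoft version resource'
    }
} else {
    $problems += "$expected is missing; restore it from install media or a clean machine at the same service pack"
}

if ($problems.Count -eq 0) {
    'Userinit configuration looks consistent.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    # Only repoint the value when the legitimate file is actually present;
    # otherwise the "fix" just moves the logon loop to a different path.
    if ($Fix -and (Test-Path -LiteralPath $expected)) {
        Set-ItemProperty -Path $winlogon -Name Userinit -Value "$expected,"
        "Userinit reset to '$expected,'"
    }
}
```

The ordering matters: the value is repointed only after the system32 file is confirmed present, so copying the good userinit.exe back (the Knoppix step above) comes first and this check second. A Userinit value that points at C:\WINDOWS\userinit.exe or the dllcache copy would explain why the machine still ran the rogue file after the real one was in place, and why removing those copies then produced the Welcome-screen loop.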
 