Patchyoursystem.com

Status
Not open for further replies.
going by previous logs, this is probably the culprit for it (though by no means sure)...

O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hpD783.tmp

but you have far more in the log than that and it really needs sorting out.

I don't have the time right now to do it, but if you hang around someone else may.

The entry above is safe enough to deal with: boot into safe mode, fix it with HJT, and delete the file. While you're at it, fix all O16 entries.
 
OK. Just to do us a little favour, could you please reboot and close down any applications you would usually have open and post a new log. If you're finding that things are getting worse, then there could be extra infection and so new entries in the HJT file. If you are able to do this in the next hour or so I will take a look at it tonight if nobody else takes a look at it first.
 
Just in your running processes you have these nasties...

C:\WINDOWS\system32\msole32.exe - Troj/Fakespy-B (advertising program by Adclicker)
C:\WINDOWS\system32\shnlog.exe - Troj/Puper-A
C:\WINDOWS\system32\i2blm27f.exe
C:\WINDOWS\system32\intmon.exe - Troj/Puper-D

I've been through your logfile and picked out all the nasties (excluding programs that are generally useless but do little harm, such as viewpoint, and excluding the theme manager which I'm slightly suspicious of.)

Please could you go to the how to remove trojans and its ilk thread and follow the instructions there, and then post both the ewido log and a new hjt log.

for reference I'm attaching a list of things I found in your log.
 

Attachments: nasties.txt (1.1 KB)
As an aside to the instructions below, I'd like to bring to your attention something which I saw in your ewido log...

From ewido log...

C:\MyBackup\My Documents\2005-06-18\MSN Stuff\MSN Bomber\msnbombermanv3101 (www.messtools.nl)\MSNBombermanv3101.exe -> Not-A-Virus.Flooder.Bomberman.31 : Cleaned with backup

C:\WINDOWS\system32\MRT.exe -> Heuristic.Win32.AVKiller : Cleaned with backup

The first is a type of application that you probably want to stay away from. Downloading this type of stuff is risky business as it's often virus-ridden, and annoys people. The second thing is that the detection of MRT.exe is likely a false positive, easily fixed by downloading the latest version of the tool from http://www.microsoft.com/downloads/...E0-E72D-4F54-9AB3-75B8EB148356&displaylang=en. Anyways, instructions below...

reboot to safe mode. disable system restore.

open task manager and make sure that the following are not running...
zydcdmr.exe
LimeWire.exe
EmpirePoker.exe

run HJT and fix the following entries...
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp605E.tmp
O4 - HKLM\..\Run: [zydcdmr] C:\WINDOWS\zydcdmr.exe
O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe

go through the list above and delete the files made bold...

clear your temporary internet files and cookies...

delete the contents of the following folders...
C:\windows\prefetch
C:\windows\temp (except for those files with today's date, i.e. 17th October)
C:\Documents and Settings\[username]\Local Settings\Temp (repeat for each username on the computer)

reboot, scan with HJT, and post a log to check if it's clean and check to see if your problem has been fixed.
 
You should really uninstall that useless Logitech Desktop Messenger.
When done, go to www.stardownloader.com and get their FREE Stardownloader

First Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
/S/ Service needs to be stopped
/U/ UNinstall anything to do with this
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
...................................................................................................
/P/ O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp605E.tmp
/P/U/ O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
/P/U/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
/P/U/ O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
/P/ O4 - HKLM\..\Run: [zydcdmr] C:\WINDOWS\zydcdmr.exe
/P/U/ O4 - Global Startup: LimeWire 4.2.6 Pro.lnk = C:\Program Files\LimeWire\LimeWire 4.2.6 Pro\LimeWire.exe
/P/ O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Documents and Settings\Brett Heywood\My Documents\EmpirePoker.exe
Unless these IP numbers are from your ISP (they belong to Allstream Corp. in Toronto), fix these O17 entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
O17 - HKLM\System\CS3\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
/P/S/ O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
...................................................................................................
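Added example, not code from this thread or from HijackThis: a small Python triage script that applies the checks the helpers above make by hand (a BHO loaded from a .tmp in system32, Run entries and services launching an .exe straight from C:\WINDOWS, O17 NameServer addresses that are not your ISP's, services whose file is missing, a hijacked IE start page). The sample lines are copied from the logs quoted in this thread; ISP_DNS and TRUSTED_START are assumptions to fill in for the machine being checked.

```python
import re

# Constructed sample: HijackThis log lines of the kinds quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp605E.tmp
O4 - HKLM\..\Run: [zydcdmr] C:\WINDOWS\zydcdmr.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{069C3B6A-C138-44E9-A066-ED0F74ACEC9A}: NameServer = 66.46.117.2,66.46.116.6
O23 - Service: AVG6 Service (AvgServ) - Unknown owner - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# Assumptions, not facts from the thread: the resolvers your ISP really hands out and the
# start pages you consider normal. Fill these in for the machine being checked.
ISP_DNS = {"192.0.2.53"}                       # placeholder, RFC 5737 documentation range
TRUSTED_START = ("about:blank", "http://www.microsoft.com/")

# An .exe sitting directly in C:\WINDOWS, or a .tmp loaded as a BHO, are the patterns
# the helpers in this thread keep pointing at.
WINDOWS_ROOT_EXE = re.compile(r"C:\\WINDOWS\\[^\\]+\.exe$", re.I)
SYSTEM32_TMP_BHO = re.compile(r"\\system32\\[^\\]+\.tmp$", re.I)

def triage(log_text, isp_dns=ISP_DNS, trusted_start=TRUSTED_START):
    """Return (section, reason, line) for every log line matching a suspicious pattern."""
    findings = []
    for line in log_text.strip().splitlines():
        code, _, rest = line.partition(" - ")        # "O17" and the remainder of the line
        if code in ("R0", "R1"):
            m = re.search(r"(Start Page|Search Bar|Search Page) = (\S+)", rest)
            if m and not m.group(2).startswith(trusted_start):
                findings.append((code, "IE %s set to an unexpected URL" % m.group(1), line))
        elif code == "O2" and SYSTEM32_TMP_BHO.search(rest):
            findings.append((code, "BHO loaded from a .tmp file in system32", line))
        elif code == "O4":
            m = re.search(r"\[[^\]]+\]\s+(.+)$", rest)   # "[name] path" form of Run entries
            if m and WINDOWS_ROOT_EXE.search(m.group(1)):
                findings.append((code, "Run entry launches an .exe straight from C:\\WINDOWS", line))
        elif code == "O17":
            m = re.search(r"NameServer = (.+)$", rest)
            unknown = [ip for ip in m.group(1).split(",") if ip.strip() not in isp_dns] if m else []
            if unknown:
                findings.append((code, "NameServer not from ISP: " + ",".join(unknown), line))
        elif code == "O23":
            if rest.endswith("(file missing)"):
                findings.append((code, "service points at a file that no longer exists", line))
            elif WINDOWS_ROOT_EXE.search(rest):
                findings.append((code, "service binary sits directly in C:\\WINDOWS", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags every sample line except the Viewpoint one; pass your real ISP resolvers as `isp_dns` and the O17 line drops out.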
 
he he. You're welcome - one little bit of advice though - you probably should stop installing too many programs from unknown sources, or programs wrapped with adware etc if you want to stay clean.

Feel free to stick around :)
 
Please help!

My home page reverts to patchyoursystem.com
If anyone can please help me to remove this pest I'll be very grateful.

Here is the "HijackThis" log:
 
Prismaticshadow

Go here first: Read: How to remove Trojans and its ilk!

If that does not work for some reason,
Read: Only use these HJT-instructions when asked!
/P/ Process needs to be stopped
The text between the dotted lines underneath goes between the dotted lines of that post.
Make sure to follow ALL instructions, and in HJT tick/fix ALL lines!
...................................................................................................
/P/ C:\WINDOWS\system32\shnlog.exe
/P/ C:\WINDOWS\system32\intmon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lookfor.cc?pin=28129
/P/ O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp2EDB.tmp
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: DSLMON.lnk = ?
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122585923796
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
...................................................................................................
 