Need help to get rid of a virus

We seem to have a problem, I think a virus. We are using Panda Internet Security 2008, and when we do a full scan Panda starts up scanning, gets so far, then disappears off screen; it doesn't do the full scan. When I check the event log it says: virus detected Trj/Agent.HZA, Path C:\WINDOWS\system32\drivers\prsykjtj.dat, Result: disinfected. But when I start the scan again to see if it will scan the whole computer, it gets so far then disappears again, so I think: could this virus still be on our computer and making Panda not scan properly? Can anybody help us please?

Comments

  • espresso
    Have you looked to see if the file is still there? Have you tried scanning in safe mode?
  • aliEnRIK
    Download MALWAREBYTES
    http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
    UPDATE and SCAN

    I would also suggest getting rid of Panda, I found it useless when I tried it out!
  • As you know the path of the file it may be worth submitting it to a file scanning site. There it will be scanned by 30 plus anti virus products and may give us the name of the infection. This will allow a targeted removal approach.

    Go to http://www.virustotal.com/en/indexf.html
    Copy the following line into the white textbox:
    C:\WINDOWS\system32\drivers\prsykjtj.dat
    Click Send.
    Please post the results of this scan to this thread.
  • rammy007
    Had an email from Panda tech people telling me to download MALWAREBYTES, which I did. Scanned our computer again, then clicked remove all, restarted the computer and scanned: same problems, scans so far then disappears from screen. Checked the report view event and it shows C:\WINDOWS\system32\drivers\prsykjtj.dat Result Disinfected. Then I've gone to the VirusTotal web site and all it comes back with is
    0 bytes size received / Se ha recibido un archivo vacio
    I'll try scanning in safe mode. If the scan doesn't pick it up (in safe mode), what do we do then?
  • Is the file still showing on your computer?

    Try an online scan here at Kaspersky
    Please do a scan with Kaspersky Online Scanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.
    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete, click on View scan report
    • Now, click on the Save Report as button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
  • rammy007
    Done a scan in safe mode, same problems: Panda got so far scanning then disappeared off screen, but I noticed that it had picked the Trj/Agent.HZA C:\WINDOWS\system32\drivers\prsykjtj.dat up again. Forgot to say, using Windows XP.
  • Right, thanks for that - this should do the trick then. Forget Kaspersky.

    This should remove the infected file;

    Please go to Eset Onlinescan (NOD32)
    (You need to use Internet Explorer or enable IEView in Firefox)
    • You will then see the Terms of Use, tick the check-box in front of YES, I accept the Terms of Use
    • Now click Start
    • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
    • Click Start (the Onlinescanner will now prepare itself for running on your pc)
    • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
    • Press Scan
      The Onlinescan will now start and scan your pc (please let it run to completion)
    • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
    • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
      The Scan results will now open in Notepad
    • Click into the text area, right-click and choose "select all"
    • Right-click again and choose "copy"
    • Close Notepad

    Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.

    Include this log in your reply by right-clicking and "paste" in the text area of the reply post you just created.
  • rammy007
    I've done a scan using Eset Onlinescan (NOD32) and it found 2 threats. I've copied from the Notepad and this is what it says:
    # version=4
    # OnlineScanner.ocx=1.0.0.635
    # OnlineScannerDLLA.dll=1, 0, 0, 79
    # OnlineScannerDLLW.dll=1, 0, 0, 78
    # OnlineScannerUninstaller.exe=1, 0, 0, 49
    # vers_standard_module=3538 (20081020)
    # vers_arch_module=1.064 (20080214)
    # vers_adv_heur_module=1.060 (20070601)
    # EOSSerial=175116370c812c468d18c777246b8e2d
    # end=finished
    # remove_checked=true
    # unwanted_checked=true
    # utc_time=2008-10-20 08:55:48
    # local_time=2008-10-20 09:55:48 (+0000, GMT Standard Time)
    # country="United Kingdom"
    # osver=5.1.2600 NT Service Pack 3
    # scanned=408957
    # found=2
    # scan_time=6276
    C:\Documents and Settings\Chris.CHRIS-2F53BC459\Local Settings\Temp\removalfile.bat Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
    C:\WINDOWS\system32\drivers\etc\hosts Win32/Qhost trojan (unable to clean - deleted (after the next restart)) 557684A784F70060BFAE381A4FDA9483
  • Have you rebooted? It will clear out two files.

    Download and run the following;
    Malware Bytes

    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
  • rammy007
    I've already downloaded this and done a full scan this afternoon. I've restarted the computer, opened Malwarebytes Anti-Malware and clicked on quick scan. These are the results:
    Malwarebytes' Anti-Malware 1.29
    Database version: 1295
    Windows 5.1.2600 Service Pack 3
    20/10/2008 23:21:56
    mbam-log-2008-10-20 (23-21-56).txt
    Scan type: Quick Scan
    Objects scanned: 101892
    Time elapsed: 17 minute(s), 42 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 4
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a7bc82a3-de0a-47a9-9c6a-df294f158ebb} (Trojan.BHO.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{a7bc82a3-de0a-47a9-9c6a-df294f158ebb} (Trojan.BHO.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fhyhzoen (Rootkit.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fhyhzoen (Rootkit.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fhyhzoen (Rootkit.Agent) -> Delete on reboot.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Documents and Settings\Chris.CHRIS-2F53BC459\Local Settings\Temporary Internet Files\Content.IE5\PPI3IW64\3077htsbdjyf[1].dll (Trojan.BHO.H) -> Delete on reboot.
    C:\WINDOWS\system32\Drivers\prsykjtj.dat (Rootkit.Agent) -> Delete on reboot.
This discussion has been closed.
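
A triage helper for the Malwarebytes log in the last post, added here as an example (it is not part of the thread and not Malwarebytes' own tooling): it parses the detection lines, groups the registry keys and files by detection name, and checks the listed items against the summary counts so a truncated paste is noticed. The function names are made up for this example; the sample is copied from the posted log and needs Python 3.8 or later.

```python
import re
from collections import Counter
# Sample: summary counts and detection lines copied from the Malwarebytes log
# posted in the thread (sections with no detections left out).
SAMPLE_LOG = r"""Registry Keys Infected: 5
Registry Values Infected: 4
Files Infected: 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a7bc82a3-de0a-47a9-9c6a-df294f158ebb} (Trojan.BHO.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a7bc82a3-de0a-47a9-9c6a-df294f158ebb} (Trojan.BHO.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fhyhzoen (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\fhyhzoen (Rootkit.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fhyhzoen (Rootkit.Agent) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.
Files Infected:
C:\Documents and Settings\Chris.CHRIS-2F53BC459\Local Settings\Temporary Internet Files\Content.IE5\PPI3IW64\3077htsbdjyf[1].dll (Trojan.BHO.H) -> Delete on reboot.
C:\WINDOWS\system32\Drivers\prsykjtj.dat (Rootkit.Agent) -> Delete on reboot.
"""

COUNT = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<n>\d+)$")
ITEM = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (declared summary counts, list of detection records)."""
    declared, detections, section = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT.match(line):                 # "Files Infected: 2"
            declared[m["section"]] = int(m["n"])
        elif line.endswith(" Infected:"):          # section header
            section = line[: -len(" Infected:")]
        elif section and (m := ITEM.match(line)):  # "<object> (<name>) -> <action>."
            detections.append({"section": section, **m.groupdict()})
    return declared, detections

def by_detection(detections):
    """Group object paths by detection name so related artifacts sit together."""
    groups = {}
    for d in detections:
        groups.setdefault(d["name"], []).append(d["path"])
    return groups

def count_mismatches(declared, detections):
    """Sections whose summary count differs from the items actually listed."""
    listed = Counter(d["section"] for d in detections)
    return {s: (n, listed[s]) for s, n in declared.items() if n != listed[s]}
```

Grouping the posted log this way puts the three `Services\fhyhzoen` keys and `prsykjtj.dat` under the same `Rootkit.Agent` detection, which are the entries to re-check after the reboot.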