
Fizevisi.dll; biyusuvazi

Discussion in 'Virus & Other Malware Removal' started by Mordred, Apr 19, 2010.

Thread Status:
Not open for further replies.
  1. Mordred

    Mordred Thread Starter

    Joined:
    Apr 19, 2010
    Messages:
    1
    Today something utterly crippled my system. Before, I had UAC turned off and immediately upon startup it would begin to close any processes running including explorer.exe, before eventually blue screening. After I turned UAC back on it no longer did this, but after about 40 seconds the entire computer went down with a blue screen citing a thread crucial to Windows operation had been unexpectedly terminated.

    In safe mode it does not crash, but still displays several other attributes.

    In msconfig, under startup is a new startup item named biyasuvazi. Its only command is - Rundll32.exe "fizevisi.dll",s -

    This is also in the registry. If I try to disable it in startup, it will re-enable itself within about 5 seconds. It will also re-add itself to the registry if deleted, or fix itself if it is tampered with.

    I am running Windows 7.



    Running processes:
    C:\Windows\Explorer.EXE
    C:\Windows\system32\ctfmon.exe
    C:\Windows\system32\msconfig.exe
    C:\Windows\regedit.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {ac59c2ca-ee0c-497b-b249-685ffb3c1671} - tizijehe.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [biyasuvazi] Rundll32.exe "fizevisi.dll",s
    O4 - HKLM\..\Policies\Explorer\Run: [9xsl] C:\Users\Mordred\AppData\Local\Temp\77wi.exe
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User '?')
    O4 - HKUS\S-1-5-20\..\Run: [biyasuvazi] Rundll32.exe "fizevisi.dll",s (User '?')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User '?')
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O13 - Gopher Prefix:
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{032F8AB8-66AF-451F-877A-AB0474FFF547}: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D79DD4A8-AE3B-418B-8B61-6C31FC3D3677}: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA9BECF9-8415-4E96-B34E-BEC0970961A9}: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CS1\Services\Tcpip\..\{032F8AB8-66AF-451F-877A-AB0474FFF547}: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CS2\Services\Tcpip\..\{032F8AB8-66AF-451F-877A-AB0474FFF547}: NameServer = 93.188.162.184,93.188.166.146
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.184,93.188.166.146
    O20 - AppInit_DLLs: nmklo,pimodage.dll
    O22 - SharedTaskScheduler: Deskscapes - {EC654325-1273-C2A9-2B7C-45D29BCE68FB} - C:\Program Files\Stardock\Object Desktop\DeskScapes3\deskscapes.dll (file missing)
    O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\iDumpPro\NMSAccessU.exe (file missing)
     
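A small triage script for the HijackThis output posted above, added here as an example (it is not part of the thread and not a HijackThis or Trend Micro feature). It parses the log line by line and flags the persistence-related entries a responder would review first: O4 autostarts that run rundll32 with a bare DLL name or launch from a Temp directory or from Policies\Explorer\Run, nameless O2 BHOs whose file is absent, O17 NameServer overrides that are not on an allowlist, and a populated O20 AppInit_DLLs value. The sample input is copied from the log in the post; the resolver allowlist (192.168.1.1) and the rule wording are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Log lines copied from the HijackThis output posted above (page data, not constructed);
# the O4 "Sidebar" entry is kept as a benign control that should produce no finding.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {ac59c2ca-ee0c-497b-b249-685ffb3c1671} - tizijehe.dll (file missing)
O4 - HKLM\..\Run: [biyasuvazi] Rundll32.exe "fizevisi.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [9xsl] C:\Users\Mordred\AppData\Local\Temp\77wi.exe
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User '?')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.184,93.188.166.146
O20 - AppInit_DLLs: nmklo,pimodage.dll
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves review
    line: str      # the original log line


LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 followed by a DLL given without any directory separator
BARE_DLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\"\\/\s]+\.dll)", re.IGNORECASE)
NAMELESS_BHO_RE = re.compile(r"^BHO: \(no name\) - \{[^}]+\} - (?P<file>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>.+)$")


def check_o2(body):
    """Nameless BHO entries whose DLL is gone are orphans or hidden/removed components."""
    m = NAMELESS_BHO_RE.match(body)
    if m and ("(file missing)" in m.group("file") or "(no file)" in m.group("file")):
        return ["nameless BHO whose DLL is absent (orphaned or already removed component)"]
    return []


def check_o4(body):
    """Autostart entries: bare-name rundll32 loads, Temp-directory binaries, policy Run keys."""
    m = O4_RE.match(body)
    if not m:
        return []
    hive, cmd = m.group("hive"), m.group("cmd")
    reasons = []
    if BARE_DLL_RE.search(cmd):
        reasons.append("rundll32 loads a DLL by bare name, resolved through the DLL search path "
                       "rather than an explicit location")
    if re.search(r"\\temp\\", cmd, re.IGNORECASE):
        reasons.append("autostart executable is launched from a Temp directory")
    if "policies\\explorer\\run" in hive.lower():
        reasons.append("autostart registered under Policies\\Explorer\\Run, a location "
                       "legitimate installers rarely use")
    return reasons


def check_o17(body, trusted):
    """Flag NameServer values that are not on the responder's resolver allowlist."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
    unknown = [s for s in servers if s not in trusted]
    if unknown:
        return ["NameServer points at resolver(s) not in the allowlist: " + ", ".join(unknown)]
    return []


def check_o20(body):
    """AppInit_DLLs is empty on a clean system; anything listed is loaded into every user32 process."""
    value = body.split(":", 1)[1].strip() if ":" in body else body.strip()
    if value:
        return ["AppInit_DLLs is populated (" + value + "); listed DLLs are injected into "
                "every process that loads user32.dll"]
    return []


def triage(log_text, trusted_resolvers=frozenset()):
    """Return one Finding per (line, reason) for the sections this example understands."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            reasons = check_o2(body)
        elif section == "O4":
            reasons = check_o4(body)
        elif section == "O17":
            reasons = check_o17(body, trusted_resolvers)
        elif section == "O20":
            reasons = check_o20(body)
        else:
            reasons = []
        findings.extend(Finding(section, r, line) for r in reasons)
    return findings


if __name__ == "__main__":
    # The allowlist is a constructed placeholder; use the resolvers your network actually hands out.
    for f in triage(SAMPLE_LOG, trusted_resolvers={"192.168.1.1"}):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The heuristics only narrow the log down to entries worth a second look; a flagged line is not proof of infection, and a clean pass says nothing about sections the script does not parse (R0/R1, O9, O16, O23 and so on).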
  2. CatByte

    CatByte Malware Specialist

    Joined:
    Feb 24, 2009
    Messages:
    3,930
    Hi,

    Please do the following:

    Please download DDS from either of these links

    LINK 1
    LINK 2

    and save it to your desktop.
    • Disable any script blocking protection
    • Double click dds.pif to run the tool.
    • When done, two DDS.txt's will open.
    • Save both reports to your desktop.
    ---------------------------------------------------
    Please include the contents of the following in your next reply:

    DDS.txt
    Attach.txt.

    NEXT


    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
    • Save it where you can easily find it, such as your desktop, and attach it in your reply.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
     
Short URL to this thread: https://techguy.org/917970