| Thread ID: 104658 | 2009-11-04 03:05:00 | Security Tool Virus? | ajwhite10 (13469) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 827024 | 2009-11-04 03:05:00 | ...probably just one of many bugs on my PC right now. My PC is slow as hell & I can't see any of my icons on my desktop. Here is my HT log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:04:48 PM, on 11/3/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\restorer32_a.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Registry Mechanic\RegMech.exe C:\Documents and Settings\user\restorer32_a.exe C:\WINDOWS\sa23sl.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\DOCUME~1\ALLUSE~1\APPLIC~1\46440624\46440624.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\New Folder\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = go.microsoft.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local> O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe O4 - HKLM\..\Run: [Wyasosivolu] rundll32.exe "C:\WINDOWS\iwagoxoyi.dll",Startup O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe O4 - HKLM\..\Run: [46440624] C:\DOCUME~1\ALLUSE~1\APPLIC~1\46440624\46440624.exe O4 - HKLM\..\RunOnce: [Trojan Remover] "C:\Program Files\Trojan Remover\RMVTRJAN.EXE" /restart O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H O4 - HKCU\..\Run: [ttool] C:\WINDOWS\sa23sl.exe O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\user\restorer32_a.exe O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user') O4 - Startup: zavupd32.exe O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe (file missing) O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe O23 - Service: Google Update Service (gupdate1c9e56b4f9834ea) (gupdate1c9e56b4f9834ea) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe -- End of file - 6036 bytes Any help would be much appreciated. Thanks! | ajwhite10 (13469) | ||
| 827025 | 2009-11-04 03:15:00 | It's probably fake / rogue software. I wouldn't hang around, these are backdoor trojans. Reboot, then boot into safe mode / networking. Tick these, then tick fix checked. This looks like it's a trojan. C:\WINDOWS\system32\restorer32_a.exe <- delete this file after. This is a trojan: C:\WINDOWS\sa23sl.exe <- delete this file after. C:\DOCUME~1\ALLUSE~1\APPLIC~1\46440624\46440624.exe. Uninstall askbar. O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe O4 - HKLM\..\Run: [Wyasosivolu] rundll32.exe "C:\WINDOWS\iwagoxoyi.dll",Startup O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe O4 - HKLM\..\Run: [46440624] C:\DOCUME~1\ALLUSE~1\APPLIC~1\46440624\46440624.exe <- delete this file after O4 - HKCU\..\Run: [ttool] C:\WINDOWS\sa23sl.exe O4 - HKCU\..\Run: [restorer32_a] C:\Documents and Settings\user\restorer32_a.exe O4 - Startup: zavupd32.exe <- delete this file after O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe (file missing) Then reboot, then run Trojan Remover, update it, then scan. Then select all options under utilities. Then update Malwarebytes, then do a full scan. | Speedy Gonzales (78) | ||
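As an added example (not code from the thread or from HijackThis), a small Python triage script that parses HijackThis entry lines like the ones above and flags the patterns the reply singled out: a browser proxy pointing at a local port, autorun binaries dropped straight into the Windows directory or into an all-digit folder under All Users data, a bare Startup-folder executable, and a service whose binary is missing. The heuristics and the sample lines (copied from the posted log, with the forum's word-wrap spaces removed) are this example's own assumptions; a plausible-looking name under system32 such as restorer32_a.exe still needs the manual lookup the reply did.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: entry lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [restorer32_a] C:\WINDOWS\system32\restorer32_a.exe
O4 - HKLM\..\Run: [46440624] C:\DOCUME~1\ALLUSE~1\APPLIC~1\46440624\46440624.exe
O4 - HKCU\..\Run: [ttool] C:\WINDOWS\sa23sl.exe
O4 - Startup: zavupd32.exe
O23 - Service: AntiPol (AntipPolice_) - Unknown owner - C:\WINDOWS\svchast.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe/.dll; non-greedy so unquoted paths with spaces survive.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line (R0/R1/O2/O4/O23...)."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def suspicious_reasons(section, body):
    """Return the list of heuristic reasons an entry deserves a closer look (empty if none)."""
    reasons = []
    if section == "R1" and "ProxyServer" in body and re.search(r"localhost|127\.0\.0\.1", body):
        reasons.append("browser proxy points at a local port (traffic interception)")
    if section == "O23" and "(file missing)" in body and "Unknown owner" in body:
        reasons.append("service with unknown owner whose binary is missing")
    if section == "O4":
        m = PATH_RE.search(body)
        if m:
            p = PureWindowsPath(m.group(0))
            if str(p.parent).upper() == r"C:\WINDOWS":  # dropped into the Windows root itself
                reasons.append("autorun binary sits directly in the Windows directory")
            if re.search(r"\\ALLUSE~1\\APPLIC~1\\\d+\\", str(p), re.IGNORECASE) or p.stem.isdigit():
                reasons.append("autorun binary in an all-digit folder/name under All Users data")
        elif body.startswith("Startup: ") and body.lower().endswith(".exe"):
            reasons.append("Startup-folder entry with a bare executable name")
    return reasons


def triage(text):
    """Return [(section, body, reasons)] for every flagged entry in a log."""
    return [(s, b, r) for s, b in parse_hjt(text) for r in [suspicious_reasons(s, b)] if r]


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(section, "|", body, "|", "; ".join(reasons))
```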
| 827026 | 2009-11-04 03:52:00 | Yea, now I can't open MBAM, TR, or HT... as I am getting little messages from Security Tool that they are all infected... which I know is bullshit. I'll restart in safe mode, run HT, fix what you told me to & try to delete the other files & see where that gets me. I hate this crap. | ajwhite10 (13469) | ||
| 827027 | 2009-11-04 04:00:00 | OK. Let me know how you get on. BUT if you haven't booted into safe mode / networking yet, and ticked any of those entries yet, I wouldn't hang around. If you need help, get TeamViewer (send me the ID and password in a PM) and I can do it from here. | Speedy Gonzales (78) | ||
| 827028 | 2009-11-04 04:20:00 | OK, I'm posting from my handheld now. I shut down my PC & rebooted in safe mode. I ran HT. What should I do next? Should I tick the items you listed from my HT log & fix them, or should I delete the files in system32? Thanks. | ajwhite10 (13469) | ||
| 827029 | 2009-11-04 04:25:00 | Safe mode / networking. That way you can connect to the internet. Tick the entries I posted (then tick fix checked), then delete the files I said to delete: restorer32_a.exe, sa23sl.exe, 46440624\46440624.exe, and zavupd32.exe. Or, if CCleaner is installed, go to Tools/Startup and delete all of the entries I posted there. | Speedy Gonzales (78) | ||
| 827030 | 2010-01-04 04:05:00 | Start up in safe mode. Go to Start, then Run, type "msconfig", go to the Startup tab and disable all; only tick your AV program. Restart. Google "combofix.exe", download it and run it (takes a bit of time). Google "hijackthis.exe", download it and run it; remove anything that looks bad, or copy and paste the info into this website to tell which is bad: www.hijackthis.de. Run Malwarebytes and SuperAntiSpyware (basic scan) at the same time; if there are issues, run the full scan too for both. Run CCleaner. Run Spybot. Go to www.eset.com and click "Online Scanner" on the right. All this will remove all possible issues. Richard Scott | scottwww (15334) | ||