Solved: system restore? will it work
jssch (Senior Member with 324 posts; Join Date: Nov 2000; Location: James Island, SC)
21-Oct-2009, 07:04 AM #1
If a pc is infected with the Security Tools bug, can I perform a system restore back to a date when I know it was clean and that take care of it, or does system restore not help in a situation like this? I am running Windows XP Pro.

Last edited by jssch : 21-Oct-2009 07:06 AM. Reason: add more info
flavallee (Trusted Advisor with 23,509 posts; Join Date: May 2002; Location: Hillsborough county, Florida; Experience: Advanced)
21-Oct-2009, 08:47 AM #2
How do you know if the System Restore points aren't infected too?

System Restore doesn't always work either, and then you have to update and reinstall everything that you did between the present date and the restore date.

-----------------------------------------------------------------

Go here and click the green icon to download HijackThis 2.0.2.

Close all open windows, then install it in its default location.

Run a scan with it - which will take less than 30 seconds.

Save the resulting log in Notepad.

Return here, then copy-and-paste the entire log here.

---------------------------------------------------------------
jssch (Senior Member with 324 posts; Join Date: Nov 2000; Location: James Island, SC)
23-Oct-2009, 07:15 AM #3
I am not supposed to post hijackthis logs here in this forum, am I? Just checking before I do so.
blues_harp28 (Distinguished Member with 8,354 posts; Join Date: Jan 2005; Location: London England)
23-Oct-2009, 07:21 AM #4
Hi jssch - It's ok, flavallee is a Trusted Advisor - if any malware is found, he will have your post moved to the correct forum.
flavallee (Trusted Advisor with 23,509 posts; Join Date: May 2002; Location: Hillsborough county, Florida; Experience: Advanced)
23-Oct-2009, 09:28 AM #5
jssch:

You can post a HijackThis log in any forum section, if there's a need for it.

If it's determined that your computer is infected and needs the assistance of a malware expert, I'll request to have your thread moved to the "Malware Removal & HijackThis Logs" section, or I'll advise you to start a new thread there.

Make sure to close all open windows before running a HijackThis scan.

---------------------------------------------------------------
jssch (Senior Member with 324 posts; Join Date: Nov 2000; Location: James Island, SC)
23-Oct-2009, 02:08 PM #6
Okay, was going to post a HJT Log, but.... I can't install HJT in normal mode, and Safe Mode is a problem too. I attempt to boot into Safe Mode and I am getting the blue error screen saying a problem has been detected and Windows has been shut down to prevent damage to your computer.

The bug on this one is actually the Windows Police Pro, not the Security Tools one. (I am working on that one on a different pc).

Running Windows XP Professional.

If it helps... Safe mode gets to \drivers\agp440.sys when it returns the blue shut down message each time.

Okay, also just noted that this pc is fighting antivirus 2010, windows police pro and security tools all at once.
__________________
There's always hope.....

Last edited by jssch : 23-Oct-2009 03:20 PM. Reason: add info
flavallee (Trusted Advisor with 23,509 posts; Join Date: May 2002; Location: Hillsborough county, Florida; Experience: Advanced)
23-Oct-2009, 06:08 PM #7
I've requested that your thread be moved to the "Malware Removal & HijackThis Logs" section for assistance.

It's a busy section, so it may be 24 - 48 hours before you get a reply by a malware expert.

------------------------------------------------------------------
cybertech (Moderator with 68,253 posts; Join Date: Apr 2002; Location: Washington State)
24-Oct-2009, 12:07 PM #8
Is this: http://forums.techguy.org/malware-re...warebytes.html the machine in question here?
learntofixyourpc (Junior Member with 4 posts; Join Date: Oct 2009)
24-Oct-2009, 01:20 PM #9
Content removed - not authorized

Last edited by Cookiegal : 24-Oct-2009 02:38 PM.
Cookiegal (Administrator with 63,642 posts; Join Date: Aug 2003; Location: Quebec, Canada)
24-Oct-2009, 02:38 PM #10
learntofixyourpc,

Please refer to the rules concerning HijackThis log analysis and malware removal.

http://www.techguy.org/rules.html

Log Analysis/Malware Removal - In order to ensure that advice given to users is consistent and of the highest quality, those who wish to assist with security related matters must first graduate from one of the malware boot camp training universities or be approved by the administration as already being qualified. Those authorized to help with malware issues have a gold shield next to their name and authorized malware removal trainees have a blue shield next to their names. Anyone wishing to participate in a training program should contact a Moderator for more information.

Please refrain from replying to security related matters on this forum until you have presented evidence to one of the moderators or admins here that proves you to be qualified to do so. If you are not yet qualified and interested in being trained, we will be glad to help you get enrolled at one of the free online training facilities. Just PM me or one of the other moderators that work Security and we'll point you in the right direction.

Thanks in advance for your cooperation.
__________________
Microsoft MVP - Consumer Security
jssch (Senior Member with 324 posts; Join Date: Nov 2000; Location: James Island, SC)
26-Oct-2009, 10:34 AM #11
No, cybertech, that was my other machine. I was able to get someone to help me with that one using Combofix. Can't get a HJT on this machine yet because of my safe mode issue.

Last edited by jssch : 26-Oct-2009 10:48 AM. Reason: add info
cybertech (Moderator with 68,253 posts; Join Date: Apr 2002; Location: Washington State)
26-Oct-2009, 06:28 PM #12
There is a new tool you can try.

Download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.
  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

Let me know how that goes and if you can get HJT to work.
__________________
Microsoft MVP/Windows - Consumer Security
jssch (Senior Member with 324 posts; Join Date: Nov 2000; Location: James Island, SC)
27-Oct-2009, 07:42 AM #13
I was able to get the first one to work (YIPPEE!).
Below is my HJT Log file that followed:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:03 AM, on 10/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\mysql\bin\mysqld-max-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jics.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivirprotection.com
O1 - Hosts: 94.232.248.66 www.antivirprotection.com
O2 - BHO: C:\WINDOWS\system32\yyw4l.dll - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\yyw4l.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [PSDiagnosticM] "C:\Program Files\Linksys Wireless-G Print Server\PSDiagnosticM.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [Security Central] C:\Program Files\Security Central\Security Central.exe
O4 - HKLM\..\Run: [Antivirus Pro 2010] "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe" /hide
O4 - HKLM\..\Run: [Xbifugahopir] rundll32.exe "C:\WINDOWS\eqecatev.dll",Startup
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [29127627] C:\Documents and Settings\All Users\Application Data\29127627\29127627.exe
O4 - HKLM\..\Run: [hitimozem] Rundll32.exe "c:\windows\system32\terowuko.dll",a
O4 - HKLM\..\Run: [55983333] C:\DOCUME~1\ALLUSE~1\APPLIC~1\55983333\55983333.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\Mitchell\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\fzw4vz.exe
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\debug.exe
O4 - HKCU\..\Run: [inixs] C:\WINDOWS\system32\minix32.exe
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EF5B7A8-C522-4373-A8E7-561515415A95}: Domain = jics.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EF5B7A8-C522-4373-A8E7-561515415A95}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{4EF5B7A8-C522-4373-A8E7-561515415A95}: Domain = jics.org
O17 - HKLM\System\CS1\Services\Tcpip\..\{4EF5B7A8-C522-4373-A8E7-561515415A95}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS3\Services\Tcpip\..\{4EF5B7A8-C522-4373-A8E7-561515415A95}: Domain = jics.org
O17 - HKLM\System\CS3\Services\Tcpip\..\{4EF5B7A8-C522-4373-A8E7-561515415A95}: NameServer = 208.67.222.222,208.67.220.220
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\terowuko.dll,voladeti.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: kiguzunuk - {e536cd76-e145-4ba9-a092-b85f28cc7ee5} - c:\windows\system32\terowuko.dll
O22 - SharedTaskScheduler: gsajkfh873whdngo8wuidgs4rgfr4 - {A2234B15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\yyw4l.dll
O22 - SharedTaskScheduler: gahurihor - {e536cd76-e145-4ba9-a092-b85f28cc7ee5} - c:\windows\system32\terowuko.dll
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-max-nt.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe

--
End of file - 8659 bytes
__________________
There's always hope.....
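As an added example (not from this thread and not part of the HijackThis tool), a small Python triage script that applies the checks an analyst would run over the log above: a system.ini Shell= value chaining extra commands after Explorer.exe, O1 hosts entries pointing a name at a non-loopback address, O4 autoruns launched from Temp or numeric Application Data folders, a populated O20 AppInit_DLLs value, and an O23 unknown-owner service living directly under C:\WINDOWS. The sample lines are copied from the posted log; the rule set is my own heuristic, not HijackThis's own scoring.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# plus one benign autorun entry, so the checks can run offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe cpcp.cpo bef0regiiav
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [29127627] C:\Documents and Settings\All Users\Application Data\29127627\29127627.exe
O4 - HKCU\..\Run: [Login Software 2009] C:\DOCUME~1\Mitchell\LOCALS~1\Temp\fzw4vz.exe
O20 - AppInit_DLLs: c:\windows\system32\terowuko.dll,voladeti.dll
O23 - Service: WDefend - Unknown owner - C:\WINDOWS\svohost.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}

def flag_line(line):
    """Return a reason if the HJT line matches a heuristic (my own, not HJT's), else None."""
    if line.startswith("F2 - REG:system.ini: Shell="):
        shell = line.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Shell= chains extra commands after Explorer.exe"
    elif line.startswith("O1 - Hosts:"):
        parts = line[len("O1 - Hosts:"):].split(None, 1)
        if len(parts) == 2 and parts[0] not in LOOPBACK:
            return "hosts file maps %s to non-loopback %s" % (parts[1], parts[0])
    elif line.startswith("O4 - "):
        path = line.split("] ", 1)[-1].lower()
        if re.search(r"\\temp\\|\\application data\\\d+\\", path):
            return "autorun from a Temp or numeric Application Data folder"
    elif line.startswith("O20 - AppInit_DLLs:"):
        if line[len("O20 - AppInit_DLLs:"):].strip():
            return "AppInit_DLLs set: DLL loaded into every user32 process"
    elif line.startswith("O23 - Service:"):
        if "unknown owner" in line.lower() and re.search(
                r"c:\\windows\\[^\\]+\.exe$", line, re.I):
            return "unknown-owner service binary directly under C:\\WINDOWS"
    return None

def triage(log_text):
    """Apply flag_line to every non-empty line; return (line, reason) pairs."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        reason = flag_line(line) if line else None
        if reason:
            hits.append((line, reason))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(reason + "\n    " + line)
```

Run against the full posted log, the same rules also pick up the other numeric All Users entries, the second Temp autorun and the remaining hosts redirects; entries the heuristics miss (the ntuser.dll rundll32 lines, the O2/O22 CLSID pairs) still need a manual read.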
flavallee (Trusted Advisor with 23,509 posts; Join Date: May 2002; Location: Hillsborough county, Florida; Experience: Advanced)
27-Oct-2009, 11:31 AM #14
jssch:

I'll assist you later with trimming down the startup load and with some other things after Cybertech gets done with you. It'll likely be awhile because your HijackThis log doesn't look good at all.

--------------------------------------------------------------
jssch (Senior Member with 324 posts; Join Date: Nov 2000; Location: James Island, SC)
27-Oct-2009, 12:17 PM #15
Thanks a bunch.... and I was somewhat prepared for that sad face diagnostic look ... you guys are the best there is........
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.