Computer Support Forum

Really Bad Trojan And Virus, Win32, Smitfraud & More Keep Coming Back (

Question: Really Bad Trojan And Virus, Win32, Smitfraud & More Keep Coming Back (

Hi guys. I'm having a hard time with my computer, excuse some of my English. It keeps crashing and strange things keep automatically opening Internet Explorer 7. It has completely taken over my IE7, changing the homepage. The main program is a virus that opens up into many Chinese websites, www,6781,com and caiyi8,com. When deleted by AVG they still come back. I have looked around; many viruses show up in my process list: boolan57.exe and 647e1.exe, and I'm sure a lot more on the computer that I can't find. Can you please help me?

Spybot & Destroy detected smitfraud KooWo.

I have a similar problem to the person in this thread: http://www.bleepingcomputer.com/forums/t/89992/nasty-trojan-and-virus-problem/
I tried to follow it but could not get it to work.

I have also followed the preparation guide before posting in HiJackThis.

Programs I have used: Kaspersky AV trial, AVG-AntiSpyware 7.5 free, Spybot & Destroy, Ad-Aware 2007, SuperANTIspyware free, and including the preparation guide programs.

If possible, can someone please help me?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:07 PM, on 8/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kzdh.com/?g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:4001
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ???QQ - {54EBD53A-9BC1-480B-966A-843A333CA162} - C:\WINDOWS\QQIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ff Class - {95279A0A-B7FA-4877-9571-BF0F27F79272} - C:\WINDOWS\system32\e641.dll
O2 - BHO: windows ??????? - {B1B9CA6E-D469-4501-9ADC-90DC1F1EE841} - C:\WINDOWS\system32\serverhelp.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182445661078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1182445618406
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: msv1_1 - C:\WINDOWS\SYSTEM32\msv1_1.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kaspersky Anti-Virus Service (kavsvc) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--

AVG spyware 7.5 log found few and put into Quarantine section:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
 + Created at: 4:59:20 PM 8/08/2007
 + Scan result:
C:\Program Files\Common Files\CPUSH\Uninst.exe -> Dropper.BHO.av : Cleaned with backup (quarantined).
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Safer-networking : Cleaned.
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\y2iln8fe.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temp\8D58A6D1.exe -> Trojan.Nilage.bcw : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\MSInfo\8D58A6D1.dat -> Trojan.Nilage.bcw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP74\A0022306.exe -> Trojan.Nilage.bcw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP75\A0023309.exe -> Trojan.Nilage.bcw : Cleaned with backup (quarantined).
C:\WINDOWS\Help\8D58A6D1.chm -> Trojan.Nilage.bcw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dodo1001.exe -> Trojan.Nilage.bcw : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\MSInfo\8D58A6D1.dll -> Worm.Delf.cc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP76\A0023479.dll -> Worm.Delf.cc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{DDC8882E-7DD9-4504-83F3-4191CFCD0EFD}\RP76\A0024307.dll -> Worm.Delf.cc : Cleaned with backup (quarantined).
::Report end

Answer: Really Bad Trojan And Virus, Win32, Smitfraud & More Keep Coming Back (

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, sadpuppy. My name is Richie and I'll be helping you to fix your problems.

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable". (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

--------------------------------------------------------------

Download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new Hijackthis log.

Hello,

I recently downloaded the smitfraud and win32.agent.at trojan (probably from music downloads) and I can't seem to shake it from my computer... This is what I have tried so far:

I ran AVG, Spybot, and registrar lite in safe mode with full system scans. Then I tried deleting the psapianalyzer registry entry that is associated with win32.agent.at but it has returned.

Now when I go into safe mode and try and run smitfraud my keyboard is unresponsive. The numlock light is on but when I press the key nothing happens.

OK, now I just ran the hijackthis log and here it is:

Logfile of HijackThis v1.99.1
Scan saved at 5:26:54 PM, on 5/30/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:...

Answer: Smitfraud & Win32.agent.at Keep On Coming Back

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, TurtleLike.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

***************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan ...

I have a trojan virus that won't go away. It keeps getting discovered by Superantispyware, AVG, and now Avast. The programs say it was removed but there are always multiple files that were not able to be scanned because they are "password protected". Every time I run a scan the virus is there again.

I had virtumonde a year ago and you guys were so helpful. Hoping you can help again because I'm not sure what to do now! Thanks in advance.

Michelle

editing...now noticing upon start up that "My Documents" window opens on its own, then computer clocks for awhile before regular applications start up

For the past 4 days, Microsoft Security Essentials detected and removed the Win32/Alureon.CT trojan at exactly 9pm each day. The only previous detected item before these was on 7/30/2010: an Exploit:HTML/iframeRef.gen in a firefox profiles folder.

My computer is running normally and I haven't experienced anything suspicious yet.

I ran a Malwarebytes scan and nothing was detected.

I googled around and found out that this was a rootkit which would be difficult to remove.

I ran Kaspersky's TDSS rootkit removing tool and it detected and quarantined C:\Windows\system32\Drivers\sptd.sys

Then I found this site. I followed your preparation guide but I couldn't run GMER because it gives me the error "C:\Windows\system32\config\system: The system cannot find the file specified" when I open it.

Should I start backing up my files now? Would moving files from the C: drive to a different partition on the same drive be sufficient, or should I invest in an external HD? What shouldn't I do until this gets fixed?

Anyways, here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Tom at 22:02:23.26 on Fri 08/06/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4063.2578 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost....

Answer: Trojan:WIN32/Alureon.CT keeps coming back

Hello,

You may backup your personal files and documents to offline media; just do consider them suspect until any rootkit or malware issues are resolved.
Other than that, do not make changes or additions (hardware or software) without checking here first.
Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

Step 1
1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders. Set Folder options to show all hidden files and folders:
Click the Start button, click Control Panel, click Appearance an...

System:  Windows 7 Ultimate 64 bit
Real-Time Anti-Virus:  Microsoft Security Essentials (MSE)
 
Recently (perhaps within the past 2 weeks) I noticed MSE finding the trojan dorv.c!rfn.  I have tried a number of different things to remove this and it keeps coming back.  The following info is included with the detection:
 
The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
process:pid:5876,ProcessStart:130871811473164914
Get more information about this item online.
 
Despite MSE listing Quarantined as the "Action Taken" nothing shows under the Quarantined items view under History.  The detected item only shows in the "All detected items" view.
 
The following is a summary of what has occurred and actions I've taken.  The first scans with a given product resulted in some PUP findings and other "low level" possible threats.  These were removed and have not since returned.  The system has been fully scanned several times.  Some with a fresh install from a "clean" thumb drive.
 
Full scan with MSE booted normally.  Nothing found
Full scan with Malware Bytes booted normally.  Nothing found.
Full scan with MSE booted safe mode.  Nothing found
Full sc...

Answer: Trojan:Win32/Dorv.C!rfn Keeps coming back.

My apologies for the double post.  I received a timeout error on my browser.
 
Please delete one of the threads.
 
Also, in this post, I have attached the two txt files requested.

AVG detects win32/pepatch and trojan but keeps coming back. I've scanned and deleted these infections 3 times now but every few days they come back. What are these viruses and how can I fix them?
 

Answer: Avg detects win32/pepatch and trojan but keeps coming back

Closing duplicate to: http://forums.techguy.org/malware-r...s/605877-why-cant-i-get-help.html#post4984818

Please do not post duplicates, your thread will get looked at as soon as the chance arises.
 

Please help. I have a Dell D620 running on Windows XP. I noticed around 2 weeks ago it was acting a bit strange, running slow etc. and sending dodgy emails. I had avast installed and it never picked up anything. I couldn't system restore, so I reinstalled Windows to see if that would clear it, but it never. I knew it was a virus so I downloaded emsisoft anti malware and it found virus.win32nimnul!ik. I have done several scans and each time I have put it in quarantine but it gets removed from quarantine. I've also deleted it several times but it keeps coming back. I'm by no means an expert with computers so any help would be greatly appreciated. Many thanks

Referred from here: http://www.bleepingcomputer.com/forums/t/273580/please-help-vista-virus-cannot-seem-to-get-rid-of-it/ ~ OB

I have gotten rid of most of my annoying problems but this (trojan.win32.tdss.aalc (v)) keeps sporadically showing up in my Vipre scans. Also Vipre consistently stops (tdlclk.dss) from opening. Here are my DDS and RootRepeal logs.

Thank you very much in advance.

Answer: tdlclk.dll, trojan.win32.tdss.aalc, rootkit keeps coming back

I just ran a full system scan and this came up as well.

Trojan.Win32.generic!BT

Hi,

I have a problem with my infected computer lately. Every time I open Iexplorer or Firefox my anti-virus detects a malware named Trojan.win32.monder.cqcs and then gives me MSIVXdccskyaawctjgsbmflfrmcwhxaymqtnm.dll

I'm not able to run Windows Update or other commonly used software like Windows Live Messenger or Winamp, and when I put a CD/DVD in my computer it automatically reboots... so I cannot format and start all over again. I really need help.

Hijackthis won't run either, I don't know what to do... Thanks for your help
 

Answer: Trojan.Win32.monder.cqcs Removal help... it keeps coming back all the time

I managed to run hijackthis by renaming the .exe file.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:36:49, on 2009-08-04
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Bell\Services de sécurité Internet de Bell\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bell\Services de sécurité Internet de Bell\rps.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Bell\Internet Service Advisor\SSA.exe
C:\Program Files\BellCanada\McciTrayApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\MétéoMédia\MétéoÉclair\WeatherEye.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Gestionnaire de sauvegarde du Coffre-fort personnel\VaultClientSRV.exe
C:\Program Files\Gestionnaire de sauvegarde du Coffre-fort personnel\VaultClientUpgrade.exe
C:\Program Files\Bell\Services de sécurité Internet de Bell\SafeConnect\Bin\SanaAgent.exe
C:...

Yesterday Microsoft Security Essentials alerted that 3 trojans had been found (WinNT/Alureon.S, Win32/Alureon.EP and Win32/Alureon.CO). It said it fixed it and required me to restart to clean the computer. I restarted, and then I got alerted again saying the same 3 trojans were there. This kept on happening each time I do the scan and restart.

DDS Log
.
DDS (Ver_2011-06-03.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_25
Run by ****** at 15:32:46 on 2011-06-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1216 [GMT 10:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\oraclexe\app\oracle\product\10.2.0\server\bin\ORACLE.EXE
C:\oraclexe\app\oracle\product\10.2.0\server\BIN\tnslsnr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wire...

Answer: WinNT/Alureon.S, Win32/Alureon.EP and Win32/AlureonCO Trojan keeps coming back

Good evening.

Download aswMBR.exe from here and save it to your Desktop. Double click the tool to run it. Click the Scan button to, well, start the scan - obvious really! Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log. On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any. You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

Hi guys,

After a few days clean they came back. I didn't surf much web, only a few anime sites which I have been using for years.

I noticed a little lag this morning, and then Windows Firewall asked me to accept Internet Explorer (which now I never use anymore). I accidentally accepted and then Task Manager was filled with those trojan exes again. I quickly cut the net and did a System Restore which RichieUK helped me with.

I just did a scan with DrWebCureIt and found a lot of nasty.

I also need help on programs to help me keep safe, something that I can 24hour protection. I have read Provention but still not 100% sure which one.

My previous thread: http://www.bleepingcomputer.com/forums/t/103388/really-bad-trojan-and-virus-win32-smitfraud-more-keep-coming-back/

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:10 PM, on 13/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe...

Answer: Really Bad Trojan And Virus, Win32, Smitfraud & More (part 2)

Hello sadpuppy and welcome to the BC HijackThis forum.

I see no signs of viruses or malware in the log. It is clean. Performing a system restore might have taken care of whatever issues were occurring.

Just to be on the safe side, let's do one other scan and see if anything shows up.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

Close ALL OTHER PROGRAMS.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
Do not change any other settings.
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.
OT

I use Avast 4.8 to check my system and try first a "move to virus chest" when I was notified I had a virus. When I "move the virus to the chest" it just keeps coming back as a new virus almost immediately with the virus warning. Then I tried the "repair" option in Avast, but it always said an error has occurred... File name was: C:\System Volume Information\ _restore{7F7BE6F8-0D6A-488B-ABD ... Note Malware name: Win32: Trojan-gen(other)... I ran HijackThis and here is the log....

Please walk me through as I'm a novice on this computer stuff,,, thanks in advance...

Geof

Logfile of HijackThis v1.99.1
Scan saved at 8:38:24 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps...

Answer:Trojan virus keeps coming back!

11 more replies
Relevance 80.77%

hi, i use windows xp and i recently encountered a virus. my antivirus software, avast!, called it Win32:Trojano-207 [Trj]. i tried to delete it but a few seconds later the warning message for the same virus popped back up. i tried to do a startup scan but that also didnt work. i used adaware and also spybot but nothing worked. can someone please help me here! thanks in advance!

Logfile of HijackThis v1.98.0
Scan saved at 12:34:15 AM, on 7/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

i really appreciate any help!
 

Answer:trojan virus keeps coming back!

7 more replies
Relevance 80.77%

Hi,

I have an amazingly annoying problem which keeps coming back (even after windows format), I keep getting errors which wont allow me to start,open,delete,install files. Just messes up the whole system.
The errors are:
When I want to install program - Nothing happens OR Internal Error: Failed to expand shell folder constant "userappdata"
When I want to start program - Nothing happens OR mpr.dll is missing OR netutils.dll is missing
If I want to delete a program - "An error occurred while trying to uninstall program. It may have already been uninstalled"
Startup programs won't start - netutils.dll is missing OR mpr.dll is missing

I did a fresh install on my SSD, everything was working great but after couple of days it came back.
What's going on here?

Answer:Virus/Trojan keeps coming back?

Sounds like a bad installation. Where did you get your Windows 7 installation media from?

7 more replies
Relevance 79.54%

Hi, new here. I'm posting because my computer started getting hit with random pop-ups, again, mostly whenever I'd run Mozilla Firefox. I ran Malwarebytes and found about 13 infections of the Trojan.Vundo.h virus. I was able to remove most of the files after the scan and some files after rebooting, however, I'm still concerned there might be some trace of the virus left getting through a backdoor of some sort.
DDS (Ver_09-09-29.01) - NTFSx86
Run by Marc Ravelo at 12:36:15.10 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.218 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1356 [VPS 091009-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin... Read more

Answer:Trojan.Vundo virus - keeps coming back

Hello JSpayde,

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these. AVG Anti-Virus Free or avast! antivirus.

******************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

******************

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Select Files and Folders created in last 3 months
Click Continue at ... Read more

2 more replies
Relevance 79.54%

Hello I am new to your forum, computers and the internet so please bear with me

Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

My Msn box started to dance all around my screen, and to my surprise, this trojan/virus started to send out the same file to others that were my contacts and had their Msn Live messenger box on at the same time I had, posing itself off as me sending it

Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

I then used my Spysweeper and it came up stating I was Infected with W32/IRCBot-xx, I Quarantine such, cleaned out my Quarantine and then proceeded to do more scans however after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

Now there after seeing that, I was more than a little upset, so I made a few phone calls to my Grandsons friends, whom are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

That did not help either because this darn W32/IRCBot-xx keeps coming back and showing up In my Spysweeper

I would like to know if some one here can give an Old Man a tad of a little guidance please with regard to my problem

I have done many scans and cleaning with Norton IS 2007, Spy Swee... Read more

Answer:Trojan/Virus W32/IRCBot-xx Keeps Coming Back

6 more replies
Relevance 79.54%

Hi. I'm new here, but i hope somebody can help me. I got a trojan virus called "Trojan.Agent.Gen" or "Trojan.Agent.cn" by malwarebytes antimalware. It creates a file called svchost.exe in appdata\local\temp directory and every time i stop it with malwarebytes antimalware it comes back again after restarting my computer. I provide some screenshots below, but the malwarebytes antimalware is in Norwegian language, but you can clearly see the Trojan name.

PS: I'm using windows 7 home premium.

Answer:Trojan virus keeps coming back after removal

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flash drive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

* Select Command Prompt
* In the command window type in notepad and press Enter.
* The notepad opens. Under File menu select Open.
* Select "Computer" and find your flash drive letter and close the notepad.
* In the command window type e:\frst.e... Read more

21 more replies
Relevance 79.54%

Avira first alerted me to this problem on 11/23. I had been getting loud annoying pop-up ads when I was browsing youtube, and then saw Avira found EXP/JS.Expack.AZ, EXP/Pidief.dme, and TR/Alureon.A.78. I googled it and found your website and followed the instructions and MBR check said nothing was found so I thought I had gotten rid of it. Avira did scans from 11/23 through 12/4 and no viruses/unwanted programs were found even though I was still having some intermittent problems with annoying pop up ads. Then on 12/5, I got a new Avira warning saying it found two unwanted programs, including TR/Alureon.A.74 and TR/Alureon AYQ Trojan. So I don't know if I got rid of it and it came back, or if it never went away, but I am ready to cry Uncle and humbly request for help! I really don't know how I have gotten this because all I do is browse the internet. Thank you so much for your help. It is greatly appreciated.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.10.2
Run by Meredith at 9:44:50 on 2012-12-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.1264 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
... Read more

Answer:Trojan Alureon A Virus Keeps Coming Back :(

Hello merri23, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

Do you have a USB Flash Drive you can use?

20 more replies
Relevance 77.9%

Even after I quarantine all of those bad files that the antivirus and Antispyware recommend, and reboot and then when I ran a scan again soon after, the programs will still find it again. I have follow the instruction about what to do before posting HJT log. So here they are

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/18/2008 at 01:16 AM

Application Version : 4.15.1000

Core Rules Database Version : 3469
Trace Rules Database Version: 1460

Scan type       : Complete Scan
Total Scan Time : 00:40:30

Memory items scanned      : 167
Memory threats detected   : 0
Registry items scanned    : 5879
Registry threats detected : 0
File items scanned        : 42311
File threats detected     : 6

Adware.Tracking Cookie
   C:\Documents and Settings\Mr.Postman\Cookies\[email protected][1].txt
   C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
   C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
   C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
   C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
   C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt

---------------------------------------------------------------------

Malwarebytes' log next post

Answer:virus/trojan keep coming back after been deleted by Nod32 & Spybot

After close Malwarebytes' Anti-Malware, I receive this from spybot
what it mean?

14 more replies
Relevance 77.9%

Any help would be fantastic removing

trojan.BAT.regger.b

Zonealarm cannot get rid of it.

Kind regards

Robert.
 

Answer:Help needed I Have A Virus - Keeps Coming Back On Re-booting - trojan.BAT.regger.b

16 more replies
Relevance 77.49%

I have tried SmitFraudFix & ComboFix & VundoFix. I have Avast, AVG & SpyBot installed.

VundoFix found nothing
I've attached the ComboFix log and the HiJackThis log.

I used SmitFraudFix and it appears to work, no more pop ups but the viruses still shows up when I run SpyBot and some WindowsUpdaters type virus shows up in addition.

Please help!
 

Answer:Smitfraud & Virtumonde keeps coming back

I am also getting this warning ...
 

1 more replies
Relevance 77.49%

Here's my hijackthis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:48 PM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {53707962-6F74... Read more

Answer:Smitfraud-c And Virtumonde Keeps Coming Back

Welcome to the BleepingComputer HijackThis Logs and Analysis forum tolits

My name is Richie and i'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

-----------------------------------------------------------------------------------------

Download C... Read more

1 more replies
Relevance 76.26%

Hi

I keep getting popups from winfixer, errorsafe, etc. the problem started when i got a virus off a friend through MSN messenger. whenever i run spybot i keep getting 2 infections from Smitfraud. C- Toolbar 888. i go to clean them up but they alway just reappear later on.

they are:
HKEY_USERS\S-1-5-21-296184782-1460583320-1896164715-1003\Software\Microsoft\aldd
And another that is similar but with Araf15 at the end.

Here is my HJ log profile.

Logfile of HijackThis v1.99.1
Scan saved at 10:21:53 AM, on 30/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE
C:\Program Files\NetComm\NB2&#... Read more

Answer:Smitfraud-c. Toolbar 888 Infection Keeps Coming Back Up

Welcome to the BleepingComputer HijackThis Logs and Analysis forum 2leftfeet22

Please download Combofix and save to the desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note: It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running. That may cause the program to freeze/hang.

*********************************

Please go to: C:\Program Files\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still Hijackthis.exe), post that log into your next reply please.
Also post the C:\ComboFix.txt

9 more replies
Relevance 76.26%

need help, tried everything i could . ad-ware ( will find when it stops my task manager from opening up ) spybot ( finds both kernels8 and smitfraud-c and fixes them ) and sometimes when my zonealarm stops a program ( name sometimes changes but now its ~E05090A0.tmp and ~DF9144.tmp will show up in temp folder ) i go to the systems32 folder and delete the kernels8.exe file . After i delete the file i run everything ad-ware, spybot, McAfee and even download yesterday prevx1 and ran that AND ALL COMES UP OK BUT the next day ( today ) when i start computer back up it shows up again not right away but when that tmp file gets stopped by zonealarm i look and there it is kernels8.exe and i delete it again and this time ad-ware didn't unlock my task manager so i had to boot to safe mode and do it there with ad-ware .
It looks like it's getting better so i need some help before i can't use this computer all the programs ( ad-ware se , spybot, McAfee, prevx1 ) can't find anything after i get rid of it but i think it will be back again tomorrow
thanks
 

Answer:Solved: kernels8.exe smitfraud-c keep coming back every day

9 more replies
Relevance 75.44%

Hi,

When I started getting popups a few days back I ran a scan using Spybot. It detected Smitfraud-C.Toolbar888 and was able to remove it successfully. Also, AVG Anti-Spyware detected Adware.Virtumonde and deleted it. Even then the popups wouldn't stop so I scanned again using Spybot & it found the same malware again!! AVG also detects the same adware after every system startup. This is really frustating!! Please help!

Here's my HJT log:
----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:32:52 PM, on 5/23/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\xampp\apache\bin\apache.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\xampp\apache\bin\apache.exe
D:\WINDOWS\Explorer.EXE
D:\xampp\mysql\bin\mysqld-nt.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Java\jre1.6.0\bin... Read more

Answer:Solved: Malware (Smitfraud-C.Toolbar888) keeps coming back

14 more replies
Relevance 72.57%

After start the laptop, (hidden) host.exe is consuming a lot of resources until crash. I can see and kill it with Process Explorer from Sysinternals.
I can't activate Windows Firewall, Malwarebytes show an error at computer start up and more...

When I start GMER it shows an error, it is attached.

Here the logs of DDS and GMER:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_23
Run by sebastian at 16:41:18 on 2012-03-19
Microsoft Windows 7 Enterprise 6.1.7601.1.1252.54.1033.18.2925.1107 [GMT -3:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\FBAgent.exe
C:\Program Files\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.ex... Read more

Answer:trojan-Dropper.win32.injector.ciwr | trojan.win32.agent2.faav | Virus.Win32.ZAccess.q

Hello sebamobile, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

14 more replies
Relevance 70.52%

Hello, it's been a while since I had to come back here, I received great help last time so I decided to come back.

I now have a new problem... whenever I run spybot I keep getting result for win32.pornpopup, I would delete it but it always comes back the next day or the day after. I'm not too sure what that does but I'm sure I won't like it.
What's weird is that I also have it on my laptop which I can guarantee never even came close to a porn website since I use it exclusively for school.

So I was hoping somebody would help me get rid of this thing forever!
Here's the HJT log from my desktop
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:58:30 PM, on 18/07/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Razer\Salmosa\razerhid.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Razer\Salmosa\razertra.exe
C:\Program Files (x86)\Razer\Salmosa\razerofa.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Se... Read more

Answer:Win32.pornpopup keeps coming back!

16 more replies
Relevance 70.52%

Win32:TratBHO [Trj] keeps coming back. avast keeps finding it, but i can't get shut.

Answer:Win32:TratBHO [Trj] how keeps coming back

Switch off system restore
Scan with Avast and let it delete the virus.
Switch system restore back on
Rescan with Avast to check the virus is gone.

2 more replies
Relevance 70.52%

any ideas every few days it pops back. How to get rid of it for good.
Basically a win*.tmp file shows up in the windows temp folder and is also in task manager processes.
Also the registry has an entry in ...... microsoft/current version/run for spoolsvv.exe
And comdlj32.dll is the infected file in system32 folder.
Needless to say i remove them all.
I have avast running and it shows it to be clean but a few days later it pops back in. A few times a slight variant has shown up basically a variant of 32small just the last 3 letters are diff like CWI,MO,CQF etc.

Can someone point me in the direction of getting rid of it.

Thanks a ton in advance.
I want to use a complete format as the last option.


Thanks A Ton to all you people in advance.
 

Answer:Win32:Small-CQM keeps coming back

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.





When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
CounterSpy
AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
Bitdefender - from step 6
Panda Scan - from step 6
runkeys.txt - the log from GetRunKey.bat
newfiles.txt - the log from ShowNew.bat
HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two mess... Read more

1 more replies
Relevance 70.52%

AVG active scanner spots Win32:Winshow [Trj] and moves it to chest/removes it, but the trojan keeps coming back. It seems that it comes back through internet browser automatically redirecting itself to "enter-search" web-page. At least always after this redirection AVG pops up with Win32:Winshow [Trj] alert.

Also Ad-aware recognizes two files for removal but is apparently unable to remove the files due to the files being used. Manual deletion fails for apparent same reason.

The folders are
c:/program files/ActivationManager
c:/program files/ADSTechnology.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:36:54, on 25.2.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\RtHDVC... Read more

Answer:Win32:winshow [trj] Keeps Coming Back

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:
Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.

1 more replies
Relevance 69.7%

My computer is infected with Win32.TDSS.rtk. Spybot and Malwarebytes' Anti-Malware both detect and remove it (MalwareBytes calls it "Rootkit.trace"), but then it re-appears on subsequent scans. I think it regenerates itself when ever the computer boots or re-boots. AVG Free never detects it. The hidden file C:\WINNT\System32\UACcfyxfymsntyqjxt.dll is referenced in the scans and I suspect there are several other components that are more deeply hidden.

A good deal of internet research on this rootkit took me to this fine forum to ask for help. I have used good info found while browsing this forum to rid the machine of other pesky malware, but this one is beyond my capabilities. I'd appreciate any assistance.

Here's my DDS log file:


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 15:57:37.87 on Tue 06/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1465 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINNT\Explorer.EXE
svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXP... Read more

Answer:Win32.TDSS.rtk infection keeps coming back

Hello Salar,

You have more going on here than just the rootkit.

I need for you to go offline completely and disable ALL your protective programs after you download ComboFix, but before you run it. Sometimes those programs interfere with it, and we don't want that! Tea Timer especially needs to be disabled.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis? here: http://www.trendsecure.com/portal/en-US/th.../hijackthis.php
2. Click 'Do a System Scan and Save log'.

The HJT log will open in notepad.

Thanks,
tea

19 more replies
Relevance 69.7%

So, it seems I have been infected with the above, kind of annoying since I just formatted like two weeks ago. Anyway, I have tried running SpyBot S&D and it keeps finding them and removing but they keep coming back. At some times it will say the system is clean but 10 mins later another scan will show them again. I also have the "Reader_s" entry that keeps coming back but right now I'm having spybot block it.
After reading around a little I saw that normally the first advice in these cases was to try SDFix, so I downloaded it and followed the instructions and will post the log it gave me along with the HijackThis log.
Thanks in the advance for helpers.

SDFix Report:

SDFix: Version 1.240
Run by Or Gindes on Mon 05/04/2009 at 04:59 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\Documents and Settings\Or Gindes\Desktop\SDFix

Checking Services :

Name :
protect
restore

Path :
System32\drivers\protect.sys
\??\C:\WINDOWS\system32\drivers\restore.sys

protect - Deleted
restore - Deleted

Restoring Default Security Values
Restoring Default Hosts File

Rebooting
Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32\3.tmp - Deleted
C:\WINDOWS\system32\4.tmp - Deleted
C:\WINDOWS\system32\6.tmp - Deleted
C:\WINDOWS\system32\7.tmp - Deleted
C:\WINDOWS\system32\9.tmp - Deleted
C:\WINDOWS\system32\A.tmp - Deleted
C:\WINDOWS\system32\B.tmp - Deleted
C:\WINDOWS\system32\2.tmp - Deleted
C:\WINDOWS\system32... Read more

Answer:Virtumonde and Win32.delf.cu that keeps coming back

16 more replies
Relevance 69.29%

Whenever I restart and log on, MSE informs me that I'm infected with Worm:Win32/Ainslot.A, then proceeds to remove it. I scanned in safemode with Malwarebytes and it detects and deletes the following:


Quote:




Registry Keys Detected: 1
HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
Files Detected: 2
C:\Users\Sean\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Sean\AppData\Roaming\conhost.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.




Scanned twice, exact same results. Looking forward to your guidance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Sean at 12:07:50 on 2012-04-29
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.8169.6357 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k Lo... Read more

Answer:[SOLVED] Worm:Win32/Ainslot.A Keeps Coming Back

Hello ninjasilver, welcome to TSF.

We need a little more info before we begin.

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator) At this time, select No when prompted to download the Avast database.
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

==================

Download TDSSKiller.exe and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Press Start Scan
If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
Once complete, a log will be produced at the root drive which is typically C:\ ,for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

11 more replies
Relevance 69.29%

Hi, I have been grappling with malwares/viruses for some 3 days now. Some 3-4 days back, I got a spyware infection and used MalwareBytes to remove it. Only to find that everytime I do a search in google and click any result it redirects me to a different site altogether (earlier I noticed in the IE status bar while redirecting it used to go to site abcjump.com now it is going to clickcheck.ru). I tried using several tools including MBAM, spybot, super anti-spyware. All of them found several infections (vundo, backdoor, keylogger etc.) and cured them but nothing worked for this google redirect.

After analyzing, I realized if process ctfmon.exe is killed then for sometime the google redirect stops. So, I uninstalled MS office features that use ctfmon.exe using the method specified on microsoft site. But the thing continued. Then my regedit and task manager got disabled as well. After using CA etrust pest patrol, I was able to get the task manager back. I also ran combofix and kaspersky online scanner (deleted the files that it pointed other than explorer.exe).

Now, after running MBAM and etrust pestpatrol again, I still have the google redirect problem though it has reduced and does not happen on each click. I also notice that in C:\SYSROOT\temp\ folder there is a file Perflib_Perfdata_774.dat and in C:\SYSROOT\temp\hsperfdata_SYSTEM there is a file named 636

I am unable to delete both of these files. Earlier there were 2 other files by the similar nam... Read more

Answer:Google redirect - Win32.TDSS.rtk keeps coming back

Hello pinkpanther 8183,

It has been more than 2 weeks since your initial post. Please advise if you have the same issues, or if you have resolved them, or if you are getting help elsewhere.

Advise us if this is your thread at TSG forums http://forums.techguy.org/malware-removal-...-redirects.html

If you wish to get guided help here, please do the following

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for this member only. If you are a casual observer & not this OP, do NOT try this on your system! If at any point, if you have a question or problem, STOP & make a post to the forum.

Also, do not run or start any other programs while these utilities and tools are in use!

Please do NOT run any other tools on your own or do any fixes other than what is listed here, or if directed by a forum moderator or forum admin.

Close all browsers and all other programs that you have started.

NOTE: Combofix is a specialized tool and must only be used with the guidance of a trained helper! Never run it by yourself!

1. Set Windows to show all files and all folders. On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed. "CHECK" (turn on) Display the contents of system folders. Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders. Next, un-check Hide exte... Read more

1 more replies
Relevance 69.29%

Been at this a few days, I couldn't find anything that works.
Spybot keeps coming up the Win32.agent.pz
MalwareBytes comes up with Malware.trace,
Both come back the second I do anything internety.
I have also used ad-aware and SDfix and have Combofix logs. All are fully updated.
I had Virtumonde but cleared
dss log:
DDS (Ver_09-05-14.01) - NTFSx86
Run by mike at 10:32:34.68 on 01/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.995 [GMT 1:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\AVG\AVG8\avgwd... Read more

Answer:Win32.agent.pz/Malware.trace keep coming back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies
Relevance 68.47%

Hi, as the topic says, trojan.agent.gen and svchost.exe is constantly detected by malware bytes and my other malware scanners after every restart. It's affecting my computer performance badly, especially my graphics card (it runs at 96%+ gpu load making games unplayable). I can stop that issue from happening by reinstalling my video drivers; after I install them I get the message svchost.exe has stopped working from windows, so I click on the option to close it, and my gpu load goes back to normal. Some malware/spyware scanners can remove them, but like I said once I restart my pc they just re-install themselves and I'm back at square 1. I've tried literally Everything to remove them but they just laugh at any attempt at permanent removal. If someone can help me out here I would be hugely grateful. Thanks.
By the way if you need me to post any new information about the problem please let me know.


Answer:trojan.agent.gen keeps coming back after removal/Quarantine. Svchost.exe Trojan.

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.

Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!

If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because th... Read more

18 more replies
Relevance 68.47%

Greetings folks,

I'm at the end on the line for my attempts to fix my PC, so I logged into here to find some help.

I've run vundofix - states that it's successful in removal after reboot (new scan doesn't show it)

MS Mal Software removal tool to pull the trojan, but they both keep returning after I launch Explorer 7. Running XP Pro - the following is my log, anybody see something that could be an issue?

Thanks in advance for any help!!
 

Answer:Solved: Hijackthis log - Win32/Rbot.gen!A and Vundo keep coming back

6 more replies
Relevance 68.47%

Sorry, I posted this in the wrong forum last night. I couldn't keep the browser open and in focus long enough to read the proper procedure. I should have used Firefox.

Here are the logfiles requested. Thanks in advance.... Bill

All hard drives...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 09:24:44
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 833547
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\ C:\ D:\ E:\ F:\

Scan Statistics:
Total number of scanned objects: 99388
Number of viruses found: 8
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 01:58:51

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\admin\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C: ... Read more

Answer:Multiple; Smitfraud, Trojan-downloader.win32.

Hello Wjniemi and welcome to BleepingComputer,

1.
* Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete. Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed... Read more

7 more replies
Relevance 67.65%

 
I get popup adds and my Norton 360 is constantly quarantining files and asking for a restart.
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-10-2016
Ran by jabbe_000 (administrator) on STEPHENS (17-10-2016 18:42:36)
Running from C:\Users\jabbe_000\Downloads
Loaded Profiles: jabbe_000 (Available Profiles: jabbe_000)
Platform: Microsoft Windows 10 Home Version 1607 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files\Backblaze\bzserv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(NTI Corporation) C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
(Symantec Corporation) C:\Program Files\Norton 360\Engine\22.7.1.32\N360.exe
(Symantec Corporation) C:\Program Files\Norton 360\En... Read more

More replies
Relevance 67.65%

Hello.

First I would like to say hello.

I have read these guidelines

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

For now I need to say, that I didn't do the DDS and GMER logs.

From what I had deep in my memory I assumed, that you will need a ComboFix log and HiJackThis log. I have those ready to post. (Now I know ComboFix is used if everything else fails)

If you would need me to do those DDS and GMER logs. I will gladly do it tomorrow.

So back to my problem.

I'm fixing a computer of my friend. Firstly I scanned his hard drive in my own PC and deleted or disinfected the infected files (I also have a log from Kaspersky). There were couple of Trojans, trojan downloaders and also one Virus.

The next thing I have done is put the HDD back into his PC and boot the OS. Oh, it is Win XP Home SP3 32-bit.

I've browsed the running services via Administrative Tools in Control Panel. I've browsed startup objects with MSConfig, also I've deleted some registry entries (that were suspicious to me).

Internet Explorer seemed to be infected, but it could pretty well be the effect of multiple Toolbars installed for IE. (WinOptimizer toolbar, AVG antivirus toolbar). I managed to uninstall AVG free antivirus 2011 with a uninstall tool from AVG website (Add & Remove Programs entry was corrupt).

Also I uninstalled Kaspersky Internet Security 2011. (I couldn't download instructions from the website, even if the connection was... Read more

Answer:Virus and Trojan Infections Virus.Win32.Nimnul.a Trojan.Win32.Lebag.agi

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

2 more replies
Relevance 66.42%

I have had this trojan virus for weeks now, i have done everything possible to get rid of it. i have googled like crazy, ran avg, avast, kaspersky, spybot, spydoctor, and many more. done in safe mode as well as normal.
i am so close to reformatting, but i really don't want to. can someone please help.

most of them seem to be system32 files, and weird .dll files.

symptoms include: lagging of computer. random IE pages will load, when i do not use IE i use firefox mozilla. and randomly avg free will pop up and say trojan found. and the trojan will automatically turn off my avg free or firewall and i am forced to turn them back on myself.


if more information is needed, let me know.


here is my DDS log.



DDS (Ver_09-05-14.01) - FAT32x86
Run by Cody Crulz at 15:57:28.18 on Wed 20/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.235 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spy Emergency *enabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {FDFE477F-8FE7-4B17-A05C-9D1F9EB603CB}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\... Read more

Answer:Trojan keeps coming back!!!

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

... Read more

8 more replies
Relevance 66.42%

Hi, everyone. I have something Malwarebytes calls Trojan.BHO that I can't seem to get rid of. Malwarebytes apparently gets it but it always ends up reappearing after a couple of reboots.

I think it first showed up on the 14th of February during a routine checkup. It wasn't until after I tried to get rid of it that I started having problems.

For whatever reason it wouldn't allow me to launch either Firefox or Chrome - in fact, the folders where they were installed were off-limits to all users, regardless of their administrator status. I could temporarily gain control of the folders by running Malwarebytes and have since uninstalled both.

I can still run IE, but -

1. Whenever I try to open a link on a new tab, it will ALSO open a new window. Yes, I checked the settings, and it's definitely the trojan since this behaviour goes away - temporarily - after I run Malwarebytes.

2. The Trojan also shows up as a toolbar add-on for IE ("jscript proxy auto-configuration"). It claims to be by "(unverified) Microsfot Corporation" and the option to disable it is greyed-out. The only way to get rid of it is to run Malwarebytes but, again, it comes back after a couple of reboots.

3. It doesn't do anything else that's noticeable. There's nothing on my toolbar, no pop-ups, no redirecting, etc.

If it matters, I have tried running Malwarebytes under safe mode after disabling system restore (that was following someone els... Read more

Answer:Trojan.BHO keeps coming back

Hi and welcome.

Re run Hitman Pro and have it delete everything it finds.

Delete these:

C:\Program Files (x86)\GUM4751.tmp
C:\Program Files (x86)\GUT4752.tmp


Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Attach JRT.txt to your next message.



Re run Malware Bytes and attach the new log.

Now explain how things are.
 

3 more replies
Relevance 66.42%

Hi. My problem seems similar to what others have posted, but I know that each system is unique.

It seems like I am infected with some sort of malware. I was phished, but my norton symantec caught the trojan. However, now every two or three days the trojan comes back, only there are more and more of the infection. I tried a number of malware removal programs, which frequently find a problem. However, it has not solved the fact the trojan returns again in greater number in two or three days.

Thanks.

Below is my DDS file:

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by XXXXXXX at 15:56:52 on 2012-10-31
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.6118 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe
C:\Windows\... Read more

Answer:Trojan keeps coming back

Interestingly, I just ran rkill.exe and the problem returned. So, a number of "tmp" files were created in my users/MYNAME/AppData/Local/Temp folder.

The rkill log was:
Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/31/2012 09:50:47 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\XXXXXXX\Desktop\rkill\rkill-10-31-2012-09-51-01.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

* gpsvc =&g... Read more

34 more replies
Relevance 66.42%

Hi all,

I have been suffering from a problem which is driving me crazy. For a while now, Symantec alerts me that it found a Trojan Horse and a virus W32.IRCBOT. It Quarantines them but never delete them. I usually go and delete them manually. Once I restart my computer the viruses come back again.

I have tried online scanner (F-secure) it found several viruses and renamed them without deleting them. This did not solve the problem. I also ran it in safe mode, but still Symantec always finds it again.

I noticed that when am not connected to the internet, through a wire or any way, Symantec does not prompt me about the viruses after I delete them from quarantine.

Below is my Hijackthis log.
----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:45 AM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\... Read more

Answer:Trojan Keeps coming back

Problem solved using Malwarebytes anti-malware.

2 more replies
Relevance 66.42%

here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1823
Windows 5.1.2600 Service Pack 2

3/5/2009 9:18:09 PM
mbam-log-2009-03-05 (21-18-09).txt

Scan type: Quick Scan
Objects scanned: 65386
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\meI6qj75.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Answer:trojan keeps coming back!

Please print out and follow these instructions: "How to use SDFix".

When using this tool, you must use the Administrator's account or an account with "Administrative rights".
Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
Please copy and paste the contents of Report.txt in your next reply.
Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

10 more replies
Relevance 66.42%

Hello, everyone. After running Spybot, Ad-Aware, Norton Anti-Virus Corporate Edition, The Cleaner, and other anti-virus programs, a virus keeps coming back on my computer. I've updated all my anti-virus software, but the ads keep coming, loading links and programs (mostly toolbars like Lycos SideSearch, Hotbar, SuperBar, and Wubar) into Internet Explorer and on my desktop. I've followed a great deal of instruction from members of this board, but it keeps coming back. I have posted my Hijack This! log below, so hopefully someone can figure it out. I do not know the name of this virus/trojan/worm, so I cannot pinpoint it down and find info. on it elsewhere. This morning when turning on my computer, there were over eight new icons on my desktop, most of which seemed to be from the same company. Titles like "casino online", "travel", and "card games" were beneath the icons, and I believe the host name (according to ad-aware) was Wubar or something of the sort. To anyone who can help figure out how to get rid of this pest, please let me know. Thank you.

Logfile of HijackThis v1.97.2
Scan saved at 10:00:27 PM, on 9/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sp... Read more

Answer:Trojan that keeps coming back....

6 more replies
Relevance 66.42%

Trojan horse downloader Generic13.BVUR keeps reappearing after deleting it in avg. Please find attached files as requested.

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: AMD Athlon(tm) II X2 215 Processor, AMD64 Family 16 Model 6 Stepping 2
Processor Count: 2
RAM: 3839 Mb
Graphics Card: ATI Radeon HD 3200 Graphics, 256 Mb
Hard Drives: C: Total - 595439 MB, Free - 508533 MB;
Motherboard: Dell Inc., 0F896N
Antivirus: AVG Internet Security 2014, Updated and Enabled

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: BrowserJavaVersion: 10.51.2
Run by Wells at 11:36:29 on 2014-02-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2048 [GMT -8:00]
.
AV: AVG Internet Security 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Enabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: AVG Internet Security 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\... Read more

Answer:Trojan keeps coming back.

16 more replies
Relevance 66.42%

This is the 3rd time in maybe 3 weeks I've seen this.

My AVG anti virus scan comes up (though I don't have it scheduled to scan at a certain time) and starts running, showing in a small box, "changes and threats"

It has CHANGE

C\WINDOWS\SYSTEM32\KERNAL32.dll
and also the same with

user.dll
shell32.dll
ntoskml.exe

and: TROJAN HORSE GENERIC_CEQ in MY DOCUMENTS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT IE5\030MDFWH\MOVIE(1).qtl

Usually I either delete the temp files and/or wait for the AVG to finish and get rid of it.

But, I notice it's doing it again, now. I'm not sure if this is the exact same changes and trojan name as the previous times, but I remember there were changes, and a trojan and it was in the TEMP files.

I get movies from Netflix and play them on the computer, but I've been doing this for 1 1/2 years and this (trojan) just started a few weeks ago. That's the only connection I can think of to "movie". I have dialup and have a hard time watching things on YouTube so don't do that much. I did try and download a free movie from a site that was passed around, but that was 2-3 weeks ago, and after seeing how big it was, and figuring it would take 2-3 months to ever download it (if I could leave the internet on, without getting knocked offline that long) I gave up.

Since this is in the temp files it will get dumped when I clear these, or AVG will take it out, but I'm wondering why it comes back in the fi... Read more

More replies
Relevance 66.42%

i use windows XP home edition, mozilla to browse

about a month ago someone else was using my laptop and a bunch of infections were detected by the free version of AVG. i removed all the selected infections then ran malwarebytes which detected some more things and removed them. after rebooting and running malwarebytes again my laptop seemed clean. however, every time i have run malwarebytes since then (about 3 times), there will be no objects detected. BUT, AVG will pop up and say there are infections on my computer. so today, suddenly a bunch of internet popups show up on my laptop and AVG also shows up with a bunch of infections. i'll list some of the trojans that have been detected by AVG.

Trojan horse Pakes.DDT
Virus found Win32/Heur
Trojan horse Downloader.Zlob_r.EX
Trojan horse SHeur2.YNO
Trojan horse Small.BHD
Trojan horse Pakes.DDT
Trojan horse SHeur2.ZZF
(then there were a bunch of tracking cookies detected by AVG)
Trojan horse Agent2.DZZ
Trojan horse Generic13.ADTY
Trojan horse Agent2.EJA
Trojan horse Downloader.Generic8.AHTY

Answer:trojan that keeps coming back?

Run scans with Super Antispyware free and MalwareBytes AntiMalware free.
Links to download and instructions in link below.
Be sure to update both programs after downloading, installing and before scanning.
http://www.bleepingcomputer.com/forums/ind...t&p=1087935
Follow the instructions and post the logs in your next reply.
Note that Super Antispyware scan is best run in safe mode per instructions.

16 more replies
Relevance 66.42%

Last night I managed to remove an Adware Virtumundo problem using HijackThis, VundoFix, CleanUp! and an online scan.
I am now continually receiving a message from McAfee that a Trojan named "Exploit-ObscuredHtml" has been cleaned and deleted. The message has popped up several times, each with the same trojan virus name. Please help me get rid of it for good!

also here is my latest HJT report

Logfile of HijackThis v1.99.1
Scan saved at 4:56:54 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA... Read more

Answer:Trojan Keeps Coming Back

16 more replies
Relevance 66.42%

I've been working on a user's laptop (Win XP SP3) that wouldn't boot, even into safe mode. I ran a windows repair from a Win XP SP3 installation CD, which allowed me to at least get into safe mode. There I found several trojans and viruses, including (these are Symantec names) Trojan.FakeAV!gen29, W32.Harakit, Trojan.Gen, Trojan.FakeAV. After cleaning, Malwarebytes found registry entries for Hijack.FolderOptions and Trojan.Agent. Finally satisfied that the system was clean, I restored the drivers and downloaded and installed all the Windows updates. Both processes required several reboots. I then returned the laptop to the user. Unfortunately, I made the mistake of not running final scans of the system first. But there had been no symptoms during the system restoration, so I was lulled into what was obviously a false sense of security.

Immediately after booting the system the next day, he got an alert from Symantec AV about two infected files: DWH9F.tmp and DWH1E.tmp, both in his profile's Local Settings\Temp folder. They were identified only as "Trojans" - no specifics. He was not yet connected to the internet and had no external devices attached. Laptop back to me. Malwarebytes found two infected registry items: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) and HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent).

I'm conc... Read more

Answer:Trojan(s?) Keep Coming Back

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that... Read more

2 more replies
Relevance 66.42%

Hi,

I have run an AVG scan several times and it keeps finding a Trojan virus. I also get warnings of infected files from time to time. They are usually in the Temporary Internet Files, System Volume Information, or System32 folders. Some of the names it finds are "Virus found Lop", Trojan Horse Generic10.SY, Trojan Horse Generic10.AEV.

I tried Super Anti Spyware and HJT but the Trojan keeps coming back. I have posted my HJT log below. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:15 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoi... Read more

More replies
Relevance 66.42%

I get this every night have put it in virus vault in AVG, turned off system restore ran Malwarebytes and removed it and it has come back 3 nights in a row.. This is what reads in vault, Trojan horse Download.Generic9.YHX Path: WINDOWS\system32\sshnas.dll. Ran hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 10:05:35 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Suzanne Wells\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Progra... Read more

More replies
Relevance 66.42%

Hey everyone, I'm new here but not to viruses. My weakness however happens to be dealing with Trojans...and this one is no exception! I've run every anti-spyware/malware/trojan program you can think of (Most of which won't update) and only Malwarebytes finds the Trojan...but when I remove the registry keys they are back within seconds.

Here is the MB log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/21/2010 10:56:25 PM
mbam-log-2010-04-21 (22-56-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 150405
Time elapsed: 10 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.166.105 93.188.161.105 1.2.3.4 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f6294753-90ce-45bb-a75c-e1c2e170fd1d}\DhcpNameServer (Trojan.DNSCh... Read more

Answer:Trojan - Just keeps coming back.

Welcome to Major Geeks!

The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

If the above does not fix your problem, continue on with ALL of the below. Please note not to post any logs inline with your message like you did with the Malwarebytes log.


Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide



and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us w... Read more

8 more replies
Relevance 66.42%

I have had this trojan virus for weeks now, i have done everything possible to get rid of it. i have googled like crazy, ran avg, avast, kaspersky, spybot, spydoctor, and many more. i am so close to reformatting, but i really don't want to. can someone please help.

i will post a hijackthis log file, as soon as someone responds to this.

please help!!!!

Answer:Trojan keeps coming back, help!!

Hello and Welcome to TSF.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new thread, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

------------------------------------------------------

1 more replies
Relevance 66.42%

Hello,
Yesterday my computer started acting up. It said that the Windows firewall was turned off (even though I didn't turn it off) and now it's saying automatic updates has been turned off (even though it's turned on). I've scanned the computer with ad-aware, AVG and my Norton antivirus. I've removed trojans at least three times. However, random IE windows keep popping up with fake antivirus dialog boxes. I'm not sure what else to do. Below is the HJT log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:05 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost... Read more

More replies
Relevance 66.42%

So my problem is, 3 same trojans keep coming back after I remove them with Malwarebytes. I have tried 6 times with MBAM to remove the trojans, but they just come back. Also I do not know if this is related to the Trojans, but for some odd reason, my P2P program utorrent does not work anymore. I try to execute it, but nothing happens. So I tried to uninstall it, but it wouldn't let me and I ended up just deleting the actual folder with all the files. Another program I have trouble with is a game client file (.exe). I downloaded it off the correct site and I'm pretty sure it's clean but just like the utorrent problem, when I try to execute it, nothing happens. It just stands there. Help would be appreciated.

Other info: I run on Windows XP professional and I currently don't have an anti virus and I doubt I can get any in the near future with this computer, as this device is essentially ancient. The computer would be slow at incomprehensible speeds, so that is why I don't have an anti virus.

MBAM
Quote:
Malwarebytes' Anti-Malware 1.44
Database version: 3747
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/19/2010 8:49:32 PM
mbam-log-2010-02-19 (20-49-32).txt

Scan type: Quick Scan
Objects scanned: 124567
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:... Read more

Answer:trojan keeps coming back.

uggh there seems to be another problem now. my computer is running slower than usual. Could this be the effect of the svchost.exe trojan?

3 more replies
Relevance 66.42%

Ok I have run Ewido, Cleanup, and Killbox and the trojan changed its name on the second log.

PLEASE HELP.... Hijack this file:
Logfile of HijackThis v1.99.1
Scan saved at 8:03:30 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\iPod\bin\iPodService.exe... Read more

Answer:Trojan keeps coming back

7 more replies
Relevance 65.6%

hi i'm new at this, please help. i can't get rid of trojan vondu my norton is forever popping up and telling me it has been detected. i downloaded the removal tool but when i run it it doesn't pick it. i'm also getting millions of popups
 

Answer:trojan vondu keeps coming back

14 more replies
Relevance 65.6%

Good Evening from Scotland

I am having a bit of a nightmare with the above and wonder if you could help. This started about two or three weeks ago - probably as a result of another user being on messenger / facebook and the likes.

I have been running AVG (free) 9 but it did not see it coming !

First signs of problem was when I clicked on a Google search result and was regularly redirected. I was eventually sent to a page which said my security had been bazooka'd by someone and gave me an email address to contact. I should have taken details but didn't.

I eventually downloaded Microsoft Security Essentials (MSE) and it found the trojan when I start the computer. It either suspends or removes it and then asks for a computer restart to complete the process. If I use the internet at this point it seems ok with no redirect but I am not sure what is happening in the background and the processor/fan seems to be working in overdrive.

On restart the trojan is back - MSE finds it and suspends or removes it and asks for a restart and we are back on the merry-go-round.

I regularly get an error message on restart saying MSE could not complete the process.

I followed all of your instructions in the Windows XP Cleaning Procedure Section. Before running anything I disconnected from the internet (unplugged from wireless box) but I did not run the programmes from safe mode - just normal.

Everything went fairly well until I started using ComboFix. It o... Read more

Answer:Trojan:DOSAlureon.A Keeps Coming Back

Final log attached

thanks

Davy
 

7 more replies
Relevance 65.6%

When opening IE an AVG resident shield window opens saying that it has detected a virus. The virus is: Trojan horse Startpage. 16.BD
The homepage has been hijacked with a searchpage. I've tried deleting, healing and moving to vault but the file se.dll keeps coming back. Tried Spybot s&d and Adaware both without success. Also a popup window appears:
Error loading C:\WINDOWS\TEMP\se.dll

Answer:Trojan horse that keeps coming back

Try a² click here

8 more replies
Relevance 65.6%

I've been running Malwarebytes Anti-Malware and every time I press "remove selected" the entries return upon reboot. I've reset my router and tried again, and it's all very exhausting. Here are my MBAM and Hijack This logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/29/2008 6:26:02 PM
mbam-log-2008-12-29 (18-26-01).txt

Scan type: Quick Scan
Objects scanned: 53231
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 14
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.150;85.255.112.106 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9e03f8a5-21dd-4568-bf12-531fa1975c83}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.150;85.255.112.106 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9e03f8a5-21dd-4568-bf12-531fa1975c83}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.150;85.255.112.... Read more

Answer:Trojan.DNSchanger keeps coming back

Nevermind, problem solved.
 

1 more replies
Relevance 65.6%

Hi,

I got this Trojan Lootseek. It keeps coming back every now and then. Norton deletes it but apparently not completely.

I followed the READ & RUN ME FIRST post. Here are the attachments.

Thanks,
Fab
 

Answer:Need Help : Trojan.Lootseek keeps coming back 1

Need Help : Trojan.Lootseek keeps coming back 2

Here are the last 2 attachments...

Fab
 

22 more replies
Relevance 65.6%

AVG keeps finding trojans, and they keep coming back.

system32\routing.exe system32\perfs.exe system32\indt.sys

downloader generic6 clicker.ksu

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:52 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Fil... Read more

More replies
Relevance 65.6%

Hi Guys,

My pc was infected by a few viruses, including netsky...have cleaned it, running symantec enterprise v11 and system restore is off. Each time the machine boots up it picks up irc.trojan and symantec quarantines it. What could be the cause ?

Need help reading this log - if you see any discrepancies please advise...

Logfile of HijackThis v1.98.2
Scan saved at 19:14:14, on 2008/10/14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Pr... Read more

Answer:trojan keeps coming back onto machine

Hello and Welcome, ranz. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------------------------



Quote:
system restore is off




Please re-enable System Restore now. Contrary to information on Symantec's pages, turning off System Restore while infected is NOT a good idea. Those of us in the malware removal community agree on this. An infected restore point is better than none to fall back on should things go wrong. Purging old, possibly infected System Restore points and setting a new, clean one after malware removal is the preferred procedure.



If you still require assistance with this issue, and since it's been several days since your original log was posted, please do this:
Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] butt... Read more

5 more replies

I am in need of help as despite running every online scan I can find this AGProtect keeps coming back. Below are my logs from the dds.scr file and I will run a Kaspersky scan right away and post those logs when it is complete (likely tomorrow though). Can someone please help me get rid of this and if possible let me know their thoughts on the how dangerous they think this trojan is/was. Symantec doesn't seem to think it is a big deal but they also just say run a scan to remove it which I know is not true.
DDS (Ver_09-06-26.01) - NTFSx86
Run by rgraham at 15:00:26.76 on Tue 07/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.266 [GMT -6:00]
============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Progr... Read more

Answer:AGProtect trojan keeps coming back

I finally got SuperAntivirus to run and it looks as though this is finally gone. I have restarted a few times and it has not come back. I am going to turn my system restore back on and hopefully this is behind me now.

I would still appreciate it if anyone had a look at my logs if they could let me know if there is anything else they think I should clean as well as let me know how bad they think the AGProtect malware is.

Thanks

3 more replies

I've got a very irritating Trojan Horse on my computer. I don't even know how the virus got on my computer. I've got no idea where it's coming from. My Norton scanner keeps deleting the Trojan, but the Trojan keeps getting back. My Norton is making about 2100 quarantined items a day, from the same virus. It seems like it's stuck in Norton itself. Tried deleting all temp files, cookies and stuff, turned system restore off, seems to have worked for a few hours, but now the virus is back. Got no idea how it keeps returning while i deleted it. Can anyone help me?
 

Answer:Trojan Horse Keeps Coming Back.

11 more replies

I keep deleting it, but it comes back. I think it's been unloading a lot of spy ware because when I use ad-aware, hijackthis, spybot, cwshredder, and a ton of other programs, they keep coming back. This is so frustrating, why doesn't it delete.
 

Answer:Trojan that keeps coming back..msgked.exe

8 more replies

Hi, been having this problem for a few days now. I have done safemode virus scan, spyware scan both in safemode. Registry fix too. The virus is stopped by zonealarm but once it didn't stop it and my programs say empty from the start menu, desktop background changed, browser redirects. Have changed all my passwords but it still keeps coming back. Usually says trojan downloader js iframe just now when i got the email to activate my account here i got this one Trojan-Downloader.JS.Agent.fyk was found in C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\UYFOKBJ8\index[3].htm on 5/28/2011 10:50:00 (quarantined in zonealarm.) Here is the hijack this file. Thank you so much for any help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:53:29 AM, on 5/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connec... Read more

Answer:trojan downloader keeps coming back

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator... Read more

2 more replies

Hi guys, I tried googling for answers and remove them but the browsela trojan alt.exe C:\WINDOWS\adsldpbf.dll1 keeps coming back, pls help me... I appreciate ur help... thanks man


Logfile of HijackThis v1.99.1
Scan saved at 3:36:58 AM, on 1/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.e... Read more

Answer:browsela trojan, alt.exe keep coming back

11 more replies

Hello,

I've been trying to get rid of this trojan for the longest time now and have been out of luck. I've run ATF Cleaner, Malwarebytes, & Combofix both in safe mode and in normal mode, with MWB & ComboFix continuously deleting a file in programdata called api-ms-win-core-localregistry-l1-1-032.dll only to see it pop up and quarantined again. My Avast anti-virus will often times pop up and alert me that it has blocked Trojan.Tracur as it is trying to activate or something. I've been very reluctant to go on any site (except this one) that may require a password since this bad boy showed up. Luckily, I haven't encountered any type of Google re-direct or anything like I've read from some of the Tracur posts here and my computer seems to function like normal other than the avast and malwarebytes alerts. Please see my DDS log and attachments below.

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 23:51:45 on 2011-08-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.14326.12058 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:... Read more

Answer:Trojan.Tracur keeps coming back

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415728 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies

hi there,

i'm trying to find out why the heck my taskmanager won't open (even clicking on tskmngr.exe doesn't do anything). found a couple of trojans on my computer when i ran a scan with avast. oops! i think i deleted them, but i can't be sure. hijackthis showed this ridiculous "msupdate", which is said to be dangerous, or is it? i don't know. i think it's best if i post my log file. please help me clean my computer, i'll be eternally grateful for all your help and advice thanks

Logfile of HijackThis v1.99.0
Scan saved at 21:28:32, on 13.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Programme\Alwil Software\Avast4\aswUpdSv.exe
E:\Programme\Alwil Software\Avast4\ashServ.exe
D:\NORTON~2\GHOSTS~2.EXE
D:\Daemon-Tools\daemon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QuickTime\2\qttask.exe
D:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\MsUpdate\MsUpdate.exe
C:\WINDOWS\System32\scvhost.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programme\Web\Webshots\webshots.scr
E:\Programme\Alwil Software\Avast4\ashW... Read more

Answer:Solved: Trojan keeps coming back

16 more replies

Hello,
I was recently browsing the internet and all of a sudden a green icon mimicking the windows update shield appeared on the system tray. It claimed that I was infected and a fake anti-virus program ran called Antivir Pro. I didn't click on its links to an obviously dodgy website but it infected me anyway. It changed my proxys so that I could not use my browsers so I fix those so I could research what was going on.

Before I figured out about the proxys I turned on my netbook and that almost got infected too! The same situation with the fake shield but as soon as it happened I shut it down, and since scanning it, it has been fine.

My PC however is not. I restarted it after the virus infected and in normal mode the virus would not allow any .exes to execute. Therefore I could not run Malware Bytes which I found would get rid of it. Therefore I logged into safe mode ran Malware Bytes full scan and it got rid of a trojan called Fakespypro. Went back into normal mode and scanned fully again and it found some more things. After that everything was ok until the next day.

The next day I ran Microsoft Security Essentials, and did a full scan however as soon as it discovered the trojan fakespypro the virus came back AGAIN! It is almost as if because it found it, it triggered it again. My friend said it must be hiding somewhere so he suggested deleting entries in my system restore by turning it off and on then rescanning etc. I rescanned with Malware Bytes and sinc... Read more

Answer:Trojan: Fakespypro keeps coming back!

72 Hour Bump

12 more replies

Hi,
I deleted few files in safe mode, but now every time i log to internet 2 thing happen, first explorer start a page 'freeweb' and after Norton detect trojan lowzone ( 2 times) and delete it. But when i start internet again the same pattern happen...there is my HJT log, please tell me what do to to erase once for all that trojan...(a step by step procedure cos i'm not that great with computer)
Thanks/Merci

Logfile of HijackThis v1.99.1
Scan saved at 10:35:28, on 2005-05-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ASSIST~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\Logitech.exe
C:\WINDOWS\System32\vhau.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Fichi... Read more

Answer:trojan lowzone keeps coming back

9 more replies

I dl'd the dss.scr but it would not run! Something to do with the virus I think! However, I do have a hijackthis log and the rootrepeal logs...

Background... Running DrWebcureit in safe mode tells me I have Trojan.pws.panda.122 in RAM and it gets rid of it (second run confirms it) A full system scan detects no virus. Re-boot to safe mode re-run DrWeb and virus is back in memory...

Another feature... Task Manager and Registry Tools are disabled. Using RRT demo I can re-enable them for a second before they are disabled again.

Logs....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:58, on 08/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\... Read more

Answer:Trojan.pws.panda.122 - keeps coming back!

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic, if you still need help please let me know what issues you are still having, in your next reply.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Then please post back here with the following:
log.txt
info.txt

Thanks

2 more replies

I've had no luck getting rid of this trojan. I've tried to delete it using Symantec AntiVirus 10.2.0.276. Symantec says that the delete has been successful, but then the trojan reappears the next time I boot the computer.

Since the first time I tried to delete it, I've been receiving these messages on start up:

Run DLL
Error loading C:\Users\MyName\AppData\Local\dcdexDal.dll
The specified module could not be found.

and

Microsoft Windows
LanWhoIs Setup has stopped working
Windows can check online for a solution to the problem.
--> Check online for a solution and close the program
--> Close the program

A few minutes after start up, I get a message that Symantec QuickScan has found Trojan.Zefarch and taken Partial action on it.

I've also tried to get rid of it by following the steps listed here, but I was only able to find and delete the registry file that page describes as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "%Windir%\[RANDOM CHARACTERS].dll",e" and none of the others the page refers to. Doing this doesn't seem to have made any difference, and the file I deleted is back in the registry.

A side issue here is that I'd of course like to back-up my data to external hard disc before I try any other fixes, but I'm afraid of transferring the trojan to my storage device as well. How can I avoid that?

Any help ... Read more

Answer:Trojan.Zefarch keeps coming back

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
Do not d... Read more

22 more replies

Hi all,
I would appreciate any help in removing two Trojan Agents. I got them while trying to watch a streaming video.

I have used the following to get rid of this: Malwarebyte's Anti-Malware, Super Anti Spyware. and Symantec AV. I ran the scans in safe mode with system restore disabled, but the Trojan keeps coming back in the same place after it is deleted by MBAM.

I have Windows XP SP3.

Thank you.

Mytrom

Answer:Trojan Agent keeps coming back.

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails. Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database updates through the program's interface (preferable way) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

8 more replies

My Malwarebytes continuously detects a c:\windows\svchost.exe as a trojan threat and quarantines it but it keeps coming back. I've seen that help that others have received on this forum with the same issue and was wondering if someone here would be gracious enough to help me out. I start a virtual college class this week and need to get this taken care of asap.

I have run SuperAntispyware, Malwarebytes, AVG, AWDCleaner and Rogue killer while at work today. All said they did their job except Rogue Killer... limited internet access. Got "ZERO ACCESS" cue from RK. Malwarebytes continually detects "C:\Windows\svchost.exe"

I did a drive search under "my computer" and have come up with several svchost.exe incidents. Only 1 or 2 of which are actually in System32. Not sure if simply deleting the others would help or cause more trouble.

Thanks very much in advance to anyone willing to help

Burk
 

More replies

Hi, I've noticed for a while that every time I scan my computer with AVG Anti Spyware, a threat called Trojan.Delf.Ndu appears. No matter how many times I delete it, it keeps showing up at the same place. C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

Once I delete it, it deletes my firefox.exe so I have to reinstall firefox over and over again but it keeps coming back to the same place. Also, when I scan with Trend Micro it tells me new threats have been detected and to please scan again after I scan my computer. I was letting this go until a few minutes ago when I plugged my flash drive in and a blue screen showed up! Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:38:50 AM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\... Read more

Answer:Solved: Trojan Keeps Coming Back!

13 more replies

I have tried running malwarebytes, in safemode and normal mode. MB sees it and removes it and request a reboot. However, it keeps coming back. I will post a hj report in the morning
 

More replies

I have Symantec CE, Adaware, Spybot S&D all installed on a new WinXP Pro machine. I have run everything from safe mode and it just keeps coming back. Here is my log file. Any advice would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:05 AM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1150209668\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{2C446710-08A2-1033-0116-060901050001}\Update.exe
C:\WINDOWS\system32\ctfmon.ex... Read more

Answer:downloader.trojan keeps coming back

I'd like you to rename HijackThis.exe to GRich.exe. Navigate to C:\Documents and Settings\GRichburg.NETRICKS\My Documents\Business\HijackThis.exe
Right click on HijackThis.exe
Select 'Rename'
Type in GRich.exe
Press Enter.

Post a new log with this renamed executable.

1 more replies

Hello everyone I'm new here and have been having a bit of a problem. I've been trying to get rid of this trojan that keeps popping up the last few days. Trojan.Win32.Monder.gen, and today I had this pop up: virus Net-Worm.Win32.Bobic.ff. Anyways I'm running Kaspersky Anti-Virus 7.0 and tried to run in safe mode scan but takes an incredible amount of time accomplishing 3% overnight! So I end up canceling it in the morning. The win32.monder.gen trojan keeps returning daily about 2 or 3 times with Kaspersky claiming its detected but cannot be disinfected, so I delete every time but it comes back. What can I do? Also I had read a little piece somewhere if I'm not mistaken that this trojan might be heavy Adware. The reason I ask is because my sister wants to pay some bills and is asking me if it's okay to put payment info on there right now, is it safe to purchase anything on my PC right now? Thank you for your time, any help would be greatly appreciated

Answer:Trojan Problem Keeps Coming Back

As a precaution I wouldn't purchase anything on that machine until it was clean.

Run a full system scan with Malwarebytes' Anti-Malware in Normal Mode (Instructions).

14 more replies

So I've recently gotten this trojan and tried many different ways to remove it. I use spybot S&D, AVG 9.0, MBytes and AD-Aware. I've tried running all of them in safe mode and AVG keeps finding it each time I restart my computer. I don't know what to do. Please help. This is my AVG Safe Mode log

AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 9.0.663, engine 9.0.695
Virus Database: Version 270.14.50/2481 2009-11-04

C:\boot\bcd Locked file. Not tested.
C:\boot\BCD.LOG Locked file. Not tested.
C:\Documents and Settings\ Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\ProgramData\Desktop\ Locked file. Not tested.
C:\ProgramData\Documents\ Locked file. Not tested.
C:\ProgramData\Favorites\ Locked file. Not tested.
C:\ProgramData\Lavasoft\Ad-Aware\MiniMessage\3 Locked file. Not tested.
C:\ProgramData\Templates\ Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\Users\Default\AppData\Local\History\ Locked file. Not tested.
C:\Users\Default\Documents\My Music\ Locked file. Not tested.
C:\Users\Default\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Default\Documents\My Videos\ Locked file. Not tested.
C: ... Read more

Answer:tdlwsp.dll Trojan keeps coming back!

In normal mode:
Update mbam and run a FULL scan
Please post the results
Then run

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended): Primary Mirror, Secondary Mirror, Secondary Mirror, Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down): Primary Mirror, Secondary Mirror, Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it: Primary Mirror, Secondary Mirror, Secondary Mirror
Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High
Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

1 more replies

I've tried most things I can think of to clean this thing off here, but it keeps coming back after a day or 2. The user is having no problems on the computer except for the virus tries to add an autorun command at windows startup and the AV keeps taking the file away. So there is a file not found error or two at startup.

I've tried the usual malwarebytes scan, regular SEP scans, and ESET OnlineScan.

Also gmer is blue screening the computer so I've not been able to get a clean run, but I have a partial log.

And yeah, I ran combofix a while ago too... I really hate relying on the helpers here to fix things. (When is the training program going to have some free slots?)

Thanks in advance

DDS (Ver_10-03-17.01) - NTFSx86
Run by dustin at 12:26:18.81 on Tue 09/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1298 [GMT -7:00]
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bi... Read more

Answer:Trojan.Zefarch keeps coming back

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap... Read more


I have run Adware Se, Spybot and Webroot Websweeper in both safe and normal mode. Every time, I see virtumonde keep coming up. PLEASE HELP! How do I get rid of it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:58 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program File... Read more


I run Malwarebytes on my computer periodically. The last week I have been afflicted with the Trojan.Goldun.

Here is my Malwarebytes report.

Can anyone please Help?

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5256

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/6/2010 5:29:55 PM
mbam-log-2010-12-06 (17-29-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 75733
Time elapsed: 52 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\network associates\BOPDATA\_date-20101206_time-161556656_enterceptexceptions.dat (Trojan.Goldun) -> Quarantined and deleted successfully.
 


OS is Win XP Home with SP3 and McAfee identifies and quarantines Vundo!grb but it keeps coming back. McAfee shows original locations as C:\WINDOWS\system32. File names are random with .dll or .tmp extensions. I'm experiencing pop ups that usually advertise some type of virus scan software and have had the computer freeze a couple of times in the last three days. I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it?
Here is the DDS.txt copy:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bob Swanson at 9:14:21.45 on Fri 03/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2884 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmo... Read more

Answer:Vundo!grb trojan keeps coming back

Hello and welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------


Quote:
I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it

That can always be a possibility but there are many different ways you can get infected nowadays. P2P is just one of many different ways sadly

---------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.


Hello, I have a persistent trojan called "Trojan.Downloader-Gen/Inst2.Process" embedded in a file called sdhjdsf.exe in the Windows folder. When Windows boots up, AVG instantly recognises the trojan and prompts me for an action to take. Whatever action I take, either Heal, Move to Vault, or manually deleting the file myself from the Windows folder, the file comes back the next time I boot up. I have checked the "Run" keys of the Windows Registry to see if something suspicious is set to boot up with Windows but they are all recognisable as safe processes. In fact there is no mention of this filename anywhere in the registry. There is also nothing in the Startup folder of the Start Menu.

I'm guessing that when Windows boots, a process is run that recreates this file and places it back in the Windows folder. But where could this be coming from? Is there another part of the registry that I need to check for this? Please help.

Cheers.

P.S. Does anyone know what is the purpose of folders called IME in the Windows folder and also in the System32 folder? Why does Windows need processes from these folders to run each time Windows boots?
 

Answer:Trojan keeps coming back after removal

Welcome to TSG

Please download HJT setup.exe Here
Let it Place Hijackthis in C:\Program Files\Hijackthis
Open Hijackthis.exe
Click on Do a System Scan and Save log file
Don't Fix any Items!!!
Just copy and paste the contents of the log file to your reply.
 


I have had three Trojan.BHO items showing up in Malwarebytes scan. Even after deleting the malware several times, they return. I've read a lot of posts on several blogs about ways to REALLY delete the malware and the most hopeful said to run Hijack This. But after running the program, I get a warning to have some expert help reading the log file to determine which files to delete. Can you help with this? Here's the log.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:19:27 PM, on 10/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\Ra... Read more

Answer:Trojan.BHOs keep coming back

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more


Norton antivirus keeps saying I have trojan lowzone.. have run lavasoft, spybot, cclean. at least now the stupid freeweb popup has stopped coming back.. LOL
this is what I got after running TD3

Scan Control Dumped @ 13:39:02 13-07-05
Positive identification: Adware.Sahat.ag
File: c:\windows\system32\pg5bscto.exe

Positive identification: TrojanClicker.Win32.Small.dw
File: c:\msdcom.exe
so what should I do next??
 

Answer:trojan lowzone keeps coming back

Hi and welcome to TSG,

I have split you off into a thread of your own.

Please do this. Click here to download HijackThis.

Close all open windows and open HijackThis. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to Notepad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
 


Hello,
I'm new here and all out of options. I apparently have this Trojan.Virtumonde on my PC that keeps coming back even after it seems to have been caught and disposed of by my Spyware from PC Tools because Trend Micro's Internet Suite couldn't seem to locate anything. I also can't enable/start my Automatic Updates. In addition I've tried VundoFix and VirtumundoBegone which didn't work either. Below is the log from Trend's HijackThis I just ran. Please help me out to get rid of this awful virus....I'm almost at the point to can this PC and just buy a new one.

Thanks,
David Lohouse

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:44:28, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\V... Read more

Answer:Trojan Virtumonde keeps coming back

Okay, I seemed to have solved this problem myself. First, I got rid of Trend Micro's Internet Suite since it did nothing to protect or rid me of this virus. Then I purchased PC Tools Spyware/Antivirus, Firewall, and Desktop Maestro (which includes registry cleaner). Total cost ran me just over $100 but much cheaper than buying a new PC. I disconnected the PC from the Internet and ran PC Tools' Spyware Doctor. It caught everything and deleted it. Then I ran its registry cleaner and wow...was I surprised to find over 600 problems which it fixed by either deleting or repairing just by the click of a button. I rebooted with connection to the Internet and have no more issues....their firewall is awesome by the way, not letting anything suspicious in or out without your consent. Way to go PC Tools as I was already searching for a new PC on payday if I couldn't repair this issue.
 
