Computer Support Forum

persistent malware - ran MBAM, PC Tools, SpyBot, still there

Question: persistent malware - ran MBAM, PC Tools, SpyBot, still there

My computer got a nasty little bug on it.

I believe it was one of those fake antivirus trojans. I had one before and Malwarebytes took it right off, but it couldn't do it this time. The malware keeps reloading on the system regardless of what I use.

I've used PC Tools Spyware Doctor (which I paid for and it has done nothing of note); Spybot and MBAM. The program keeps redirecting my browser to google-redirect.com or something like that and giving me tons of ads.

This is the log that I got after the most recent MBAM attempt.

I've removed and rebooted, with this and spybot, but the result is the same each time.

Please help.

Thank you.

Malwarebytes' Anti-Malware 1.36
Database version: 2084
Windows 5.1.2600 Service Pack 3

5/6/2009 7:14:22 PM
mbam-log-2009-05-06 (19-14-22).txt

Scan type: Quick Scan
Objects scanned: 86122
Time elapsed: 5 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Peter Kim\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Kim\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Kim\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Kim\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
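The MBAM log above is in a fixed line format, so its findings can be pulled apart mechanically. The script below is an added example (not from the original thread and not Malwarebytes code): it parses that format, tags which detections sit in autostart locations (Run keys, Winlogon\Userinit, Startup folders), lists the items MBAM could only schedule for deletion on reboot, and checks a Userinit value against the stock default. The sample log is constructed from the post, and the default Userinit path is an assumption for a Windows-on-C: system.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes 1.x log format quoted in the post above.
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Peter Kim\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Kim\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Kim\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Peter Kim\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<item> (<threat>) -> [Data: <value> -> ]<action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+?)\.?$")

# Autostart locations, as MBAM reports them (registry paths or file paths).
PERSISTENCE_RULES = (
    ("Run key", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("Winlogon Userinit", re.compile(r"\\Winlogon\\Userinit$", re.I)),
    ("Startup folder", re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)),
)

def parse_mbam_log(text):
    """Return one dict per detection line: section, item, threat, action, data."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = ITEM_RE.match(line) if section else None
        if not m:
            continue  # blank, "(No malicious items detected)", or summary counts
        parts = m.group("rest").split(" -> ")
        data = parts[0][len("Data: "):] if parts[0].startswith("Data: ") else None
        findings.append({"section": section, "item": m.group("item"),
                         "threat": m.group("threat"), "action": parts[-1],
                         "data": data})
    return findings

def pending_reboot(findings):
    """Unique paths MBAM could only schedule for deletion: they were in use
    (loaded modules), so they stay on disk until the machine restarts."""
    return sorted({f["item"].lower() for f in findings
                   if f["action"].lower().startswith("delete on reboot")})

def persistence_points(findings):
    """Tag each detection that sits in an autostart location."""
    tagged = []
    for f in findings:
        for label, rx in PERSISTENCE_RULES:
            if rx.search(f["item"]):
                tagged.append((label, f["item"]))
                break
    return tagged

def userinit_is_default(value, system_root=r"C:\WINDOWS"):
    """True if a Winlogon\\Userinit value holds only the stock userinit.exe.
    Assumed default: '<SystemRoot>\\system32\\userinit.exe,' (trailing comma);
    anything appended after that comma is a second program run at logon."""
    expected = (system_root + r"\system32\userinit.exe").lower()
    entries = [e.strip().lower() for e in value.split(",") if e.strip()]
    return entries == [expected]

def summarize(text):
    findings = parse_mbam_log(text)
    return {
        "total": len(findings),
        "by_threat": dict(Counter(f["threat"] for f in findings)),
        "pending_reboot": pending_reboot(findings),
        "persistence": persistence_points(findings),
        "userinit_data": [f["data"] for f in findings
                          if f["data"] and f["item"].endswith("Userinit")],
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['total']} detections: {report['by_threat']}")
    for label, item in report["persistence"]:
        print(f"  [{label}] {item}")
    print("Still present until reboot (rescan after restarting):")
    for path in report["pending_reboot"]:
        print("  " + path)
```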


Answer: persistent malware - ran MBAM, PC Tools, SpyBot, still there

I have the same issue, please help. Except I only have Userinit.

3 more replies

I have scanned with AVG with the latest updates. On top of that insidious Google redirect I get random pop-ups even when I don't already have IE or Firefox running. Also getting sounds in the background like I'm clicking on a link, surfing the net when I'm not. And SYSTEM in Task Manager is hogging a ton of memory.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:52:42 PM, on 8/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\... Read more

Answer: persistent malware undetected by virus scans and malware removal tools

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report. Please download OT... Read more

2 more replies

I somehow picked up a nasty piece of "ransom-ware." This afternoon I ran Ad-Aware (the free version) and it complained that it found a trojan. The file it identified was the executable of "Free Hi-Q Recorder," a free program I installed almost a year ago and have not run in at least 6 months. I was suspicious so I exited without removing or quarantining the program.

I then ran MB Anti-Malware. The first thing I did was check for updates -- one was found. While downloading it I got an alert from Spybot S&D that a value was being changed. I assumed (probably incorrectly) that this was MBAM and I okayed it. I then started MBAM.

Avast! immediately began reporting viruses and, while MBAM was running, reports that too many identical emails were being sent. I manually stopped each one. I got a "license" form for something similar to "Superantivirus 2008," Firefox windows opened and tried to connect to the Superantivirus site and another site for something like "SuperiorAntiVirus 2008," etc. (Firefox blocked those sites.)

When MBAM finally stopped it found many (maybe 20+) infected files. I "fixed" them all. I then ran Spybot and got rid of all the threats it found. I ran CCleaner and dumped my temp files, etc.

I then ran MBAM again. It found a few more trojans, etc. I fixed them and it warned me to run MBAM again in "Safe mode" to make sure I cleaned them all. I did. Then I ran MBAM and it came up cle... Read more

Answer: Malware surviving MBAM and Spybot

Okay, I read some additional posts and saw that I should permit changes to values after I run MBAM -- I did that and I seem to be clean.

Firefox seemed to be hijacked -- my first selection whenever I ran a Google search sent me to a shopping site. I solved that by clearing all my cookies.

I still have the red shield in the tray, and I'm wondering if it's a valid Windows alert. I went in through:

Start >> Control Panel >> Security Center

And it appears that the Windows firewall is down. I'm on a small network of family computers behind a router. My wife uses her business computer behind that router and I believe she has a firewall set up, but her business computer is critical and she's in charge of security settings for our network. I'll check with her. In the meantime, since I never had this warning before, I assume I had it running before (it's been years since I set this up) and I suppose I can set it up to run at minimum settings. Whatever virus this was, it disabled the Windows Security Center and I assume that's when the firewall went down.

Anyway, I'd still appreciate any comments or advice I can get. I'm already adhering to all the safe internetting principles I've read about. I'd appreciate any advice.

Thanks.

24 more replies

This topic is tied to the following post: http://www.bleepingcomputer.com/forums/t/304226/unable-to-update-mbam-spybots-d-or-avg/

I have malware on my machine that prevents me from updating any of my security apps (MBAM, Spybot S&D, AVG). If I do scans with them in both regular and safe mode I receive no results.

Steps I've already taken with the help of a moderator include:
- running fixexe.reg
- running TFC
- running rkill
- running SuperAntiSpyware
- re-running MBAM (to no avail)

Now I have run Defogger, DDS, and GMER and will post the results per the guidelines and attach the appropriate files:

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Duong at 20:43:34.07 on Mon 03/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1270 [GMT -8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
FW: NVIDIA Firewall *disabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\NVIDIA Corporation\... Read more

Answer: Malware preventing security apps updates (i.e. MBAM, Spybot, AVG)

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

27 more replies

Hello. I'm really tired trying to clean this redirect. I really need help.

Logfile of random's system information tool 1.06 (written by random/random)
Run by Familia at 2009-05-31 05:36:04

Microsoft Windows Vista Home Premium
System drive C: has 151 GB (32%) free of 477 GB
Total RAM: 2046 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5.36.18, on 31/05/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\mobsync.exe
C:\Users\Familia\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GEE5IBP0\RSIT[1].exe
C:\Program Files\trend micro\Familia.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet ... Read more

Answer: malware smartbizsearch-com help - DNS change, pop-up, Spybot & MBAM doesn't work

info.txt logfile of random's system information tool 1.06 2009-05-31 05:36:20

======Uninstall list======

-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}
Adobe Reader 9.1 - Italiano-->MsiExec.exe /I{AC76BA86-7AD7-1040-7B44-A91000000001}
AdunanzA-->"C:\Program Files\eMule AdunanzA\Disinstallazione eMule AdunanzA.exe"
Assistente per l'accesso a Windows Live-->MsiExec.exe /I{DC7B9AB3-2635-45AA-957D-90FDE7CD51D7}
Autodesk DWF Viewer 7-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Canon MP Navigator 3.0-->"C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini
Canon MP160-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0010
Centro gestione dispositivi Windows Mobile-->MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
f... Read more

3 more replies

Hi, apologies if I have not done this correctly.... First post.

I am unable to run Combofix in Safe Mode or Unsafe, Spybot and Malwarebytes; I can click the .exe shortcuts but nothing happens. I realised I had a problem when my Google started redirecting to other sites then just crashing or going to blank screens. See my scan below, and attached; unfortunately I am unable to run any other screeners etc. as I can't get them to start up.

Not sure how complex this problem is, but it wouldn't allow me to login or register to your site on the problem PC; when I clicked agree to terms it came up you didn't agree etc. Then when I registered on the other comp I still couldn't and can't login on the problem PC....

Thanks in advance for any support
Kevin
DDS (Ver_09-02-01.01) - NTFSx86
Run by kev at 16:52:41.02 on 22/02/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.536 [GMT 0:00]
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
============== Running Processes ===============
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EX... Read more

Answer: Unable to Run any Malware removal tools Combofix Spybot etc

My Combofix log after running, I got this running after changing the name.

ComboFix 09-02-21.01 - kev 2009-02-23 22:15:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.701 [GMT 0:00]
Running from: c:\documents and settings\kev\Desktop\ComboFix1.exe
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\_006126_.tmp.dll
c:\windows\system32\_006127_.tmp.dll
c:\windows\system32\_006128_.tmp.dll
c:\windows\system32\_006129_.tmp.dll
c:\windows\system32\_006135_.tmp.dll
c:\windows\system32\_006136_.tmp.dll
c:\windows\system32\_006137_.tmp.dll
c:\windows\system32\_006138_.tmp.dll
c:\windows\system32\_006139_.tmp.dll
c:\windows\system32\_006141_.tmp.dll
c:\windows\system32\_006142_.tmp.dll
c:\windows\system32\_006145_.tmp.dll
c:\windows\system32\_006146_.tmp.dll
c:\windows\system32\_006148_.tmp.dll
c:\windows\system32\_006149_.tmp.dll
c:\windows\system32\_006150_.tmp.dll
c:\windows\system32\_006152_.tmp.dll
c:\windows\system32\_006155_.tmp.dll
c:\windows\system32\_006156_.tmp.dll
c:\windows\system32\_006160_.tmp.dll
c:\windows\system32\_006161_.tmp.dll
c:\windows\system32\_006163_.tmp.dll
c:\windows\system32\_006166_.tmp.dll
c:\windows\system32\_006168_.tmp.dll
c:\windows\system32\_006169_.tmp.dll
c:\windows\system32\_006170_.tmp.dll
c:\windows\system32... Read more

3 more replies

I'm having difficulty figuring out this persistent malware. I think it's likely that there are multiple issues.

I'm running Windows Vista.

The malware started off with "google redirect" symptoms, and disabling my Symantec software.

Shortly following, I could no longer access the web. However, the malware itself would create an internet explorer popup every 5-10 minutes (not my default browser) that would go to "search sites" (none that I recognized....) and search for lewd topics. Running the taskmanager would show multiple instances of iexplore.exe running on my machine (one for each popup). The popups would have to be eliminated one by one using the task manager.

Trying to run a system restore, I discovered all restore points had been deleted.

I installed AVG antivirus and got it to run once which seemed to help the problem. However, upon restart, all issues were back and I could no longer run avg. Windows defender constantly pops up that a new trojan is attacking my machine.

At this point, I unplugged my internet connection and started using another machine. I had left my problematic computer alone for about a month.

Upon turning it on last night, each time I logged on, it gave me a warning that "Windows had encountered a critical error and will restart in one minute" and would restart. I tried running cmd (in that one minute) to intercept it, but the task manager would freeze if I tried to run it from there and explorer wo... Read more

More replies

Ok, please bear with me as I'm not a tech guy, but I am learning. I use AVAST on my PC. I have Spybot S&D and it is installed and running, as is MBAM. I can't open the interface on the latter 2. I've uninstalled and re-installed to no avail. Spybot has popped up these things and I'm not sure if I should allow the change. The 1st when I deny, the 2nd one pops up, and then I deny it, the 1st one comes back and just keeps that up. Looks like without allowing, they won't go away. Avast has notified me that it has found something suspicious and says it's been identified as a "False Positive" and it has found other things. Without being able to open the interface on SB S&D and MBAM I can't scan with those. I don't know what to do now, can somebody please give me guidance?

-LB

This is the result of my latest scan with AVAST. Also as of late I've been getting "Redirect" when using Google and trying to copy pics from my Photobucket account.

Answer: AVAST, Spybot S&D, MBAM ???

I'm still learning about computers too but it would appear that you have an infected registry. I know from my experience here at BC that I would not be able to help you with it but the guys here are more than willing, just be patient. The registry is a very touchy area to go poking around in (if in fact that's your problem) and I wouldn't recommend trying to fix it on your own. It also could be that you're posting this in an area not designed for 'help threads'.

Mod. edit: When topics are misposted, we move them to the proper forum, as I am doing now. Moving to AII. ~ OB

Sorry I couldn't be more help but I hope you get your problem fixed soon.

3 more replies

Hi everyone, thanks in advance for helping me out. I just started downloading torrents, and in under 24 hours, my security programs stopped working, as well as all download agents. I click on them but nothing happens. Trying to rename any of the files doesn't work, as access is denied to them (including mbam.exe, unfortunately). I've tried to do all of these things in safe mode, to no avail.

Here's my DDS, which is also attached:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Hal at 1:08:49.48 on Wed 09/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.608 [GMT -5:00]
AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Hal\Local Settings\Application Data\... Read more

Answer: Can't run/rename my MBAM, Spybot, etc.

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

2 more replies

I'm new here, and I apologize if I do not have this question in the correct forum.

I recently had the "Antivirus Security" spyware on my computer, and possibly more, but followed the recommendations given on this site for removal of said problem. It appears that I did get the Antivirus Security removed, but now, something has happened somehow that will not permit me to run Spybot Search and Destroy or Malwarebytes Anti-Malware again. A window pops up that reads:

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

Does anyone have any suggestions on how I can fix this and run Spybot and MBAM?

Forgot to mention that if I perform a search on Google, it will pull up a list of suggestions, with legitimate sites, but when I select one from the list, I am redirected to a different site, usually to one that appears as an advertisement.

Answer: Spybot and MBAM appear to be blocked

Some rootkits can terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further investigation is required to determine if this is the case with the issues you have described.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2

This tool will create a diagnostic report for me to review. Double-click on Win32kDiag.exe to run and let it finish. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program. A file called Win32kDiag.txt should be created on your Desktop. Open that file in Notepad, then copy and paste the entire contents (starting with "Running from..." to "Finished!") in your next reply.

Then go to Start > Run..., and copy and paste this command into the open box: cmd
Press OK.

At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop and open in Notepad. Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.

3 more replies

Hello:

I keep getting popup ads from media.adrevolver.com, casaledia.com and oinadserve.com even after I sweep with Ad-Aware and Spybot. Do you have any suggestions? Thanks.

Seth
 

Answer: Persistent Popups despite AdAware & Spybot

16 more replies

Hi,
I somehow picked up a System Tools 2011 infection and can currently only operate my computer in safe mode. I have run the rkill process and then updated and ran Malwarebytes. It removed 4 infected files, but upon restarting my computer I found it was still infected. I went back to safe mode, ran rkill again, ran Malwarebytes again (found no infected files), downloaded and ran Spybot (removed 5 infected files) and restarted in normal mode. The infection is still there. Can anyone help? I'm definitely not a tech person so don't know the correct terminology for everything, but I do follow directions well. Thanks!

Answer: System Tools 2011 infection, can't remove w/MBAM

An update - I've been performing the steps in the preparation guide and my computer keeps crashing at the end of the GMER scan, once just freezing completely and once with a "windows has encountered an error and must shut down". I did restart my computer in normal mode - the malware pop-ups appear to be gone and I appear to have full function. However, the System Tools program still shows up on the All Programs list from the start menu. Is it truly gone or still lurking somewhere and how do I remove it from my programs list? Thanks in advance for any assistance!

4 more replies

I can interpret everything but the MG Tools. I nearly pass out just looking at the file report. Someone got a hold of my debit card information & I was just checking PC health. I don't use it to buy anything nefarious, but people (yeah, more than one) were making online purchases. I've cancelled the card obviously & all the stuff you need to do, fraud reports etc. Also know that I never type in any sensitive information; even my name is copied & pasted when buying something!
 

Answer: If TDSSKiller, MBAM, Hitman Pro & RogueKiller Are Clean, Do I Need MG Tools?

If you want me to check thoroughly for malware then I suggest you upload ALL of the requested logs.
 

1 more replies

This is happening on my laptop. The links on Google are being redirected to completely random websites. I am unable to run Spybot. I can't even run it in safe mode. Every anti-spyware site I try to visit is shown as unable to connect. Any help?
 

Answer: Links are redirected, can't run Spybot, can't run MBAM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:15 PM, on 4/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Java\jre1.6... Read more

1 more replies

Good day, I've been redirected here from the Windows NT/2000/XP forum because I have many major issues with my Windows XP Édition Familiale OS. I can't obtain any logs, so I'm posting any problems I've encountered the last few days. Here's the original thread for reference: http://forums.techguy.org/windows-nt-2000-xp/848054-solved-windows-xp-2.html

Issues:
Spybot S&D: Appears in system tray, but the program itself won't open.

Nero Express: Won't detect any CD/DVD drives(and I have two)

System Restoration: I can open it, choose a restoration date, and click next... but at the last page clicking next doesn't do anything. Sometimes it does work, but as the restoration is done and the OS reboots, I get an error message saying the computer could not be restored to the chosen date.

ActiveX: I don't know what's going on with this, but as I tried bitdefender.com's free online scan and such, it can't find the version of activex it needs to operate.

Any security program gets an error message while trying to load definition updates.

I booted in safe mode and restoration acted in the same manner... Spybot inaccessible also

Then from when I asked for help:

I installed Malwarebytes anti-malware, but the program won't open from desktop nor from the start menu

My Windows XP disc only lets me do a new install and I get an error message saying my windows is more recent than the one on the disc (because of SP2 I guess... Read more

Answer:Spybot HJT MBAM blocked no BurnRights etc

16 more replies
Relevance 56.58%

Update= some success in fighting this attack- results posted on malwarebytes forum.

Thanks!

Answer:Infected- Can't run MBAM, HJT, Root Repeal or any potental tools/fixes

Here is what I could get from RootRepeal, hope it gets me started towards fixing this:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 19:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ABP480N5.SYS  Image Path: ABP480N5.SYS  Address: 0xF7904000  Size: 23552  File Visible: -  Signed: -  Status: -
Name: ACPI.sys  Image Path: ACPI.sys  Address: 0xF750D000  Size: 187776  File Visible: -  Signed: -  Status: -
Name: ACPI_HAL  Image Path: \Driver\ACPI_HAL  Address: 0x804D7000  Size: 2066048  File Visible: -  Signed: -  Status: -
Name: adpu160m.sys  Image Path: adpu160m.sys  Address: 0xF7494000  Size: 101888  File Visible: -  Signed: -  Status: -
Name: afd.sys  Image Path: C:\WINDOWS\System32\drivers\afd.sys  Address: 0xF2F42000  Size: 138496  File Visible: -  Signed: -  Status: -
Name: agp440.sys  Image Path: agp440.sys  Address: 0xF773C000  Size: 42368  File Visible: -  Signed: -  Status: -
Name: agpCPQ.sys  Image Path: agpCPQ.sys  Address: 0xF776C000  Size: 44928  File Visible: -  Signed: -  Status: -
Name: aha154x.sys  Image Path: aha154x.sys  Address: 0xF7A54000  Size: 12800  File Visible: -  Signed: -  Status: -
Name: aic78u2.sys  Image Path: aic78u2.sys  Address: 0xF769C000  Size: 55168  File Visible: -  Signed: -  Status: -
Name: aic78xx.sys  Image Path: aic78xx.sys  Address: 0xF766C000  Size: 56960  File Visible: -  Signed: -  Status: -
Name: ALCXWDM.SYS  Image Path: C:\WINDOWS... Read more

3 more replies
Relevance 56.58%

I have some kind of malware that is redirecting me to ad sites and has placed a google desktop icon on the lower right hand section of my screen. I first tried running mbam and it is blocked. I also tried spybot and it is blocked as well. I have McAfee Total Protection which I ran in safe mode with networking. It came up with nothing. So I have downloaded rkill now but I still can't open mbam to do a malware scan. I still can't open spybot. Is there another way to bring up mbam? Do I need to download rkill again since I have rebooted?

Answer:Can't open mbam or spybot after downloading rkill

Ok, so for starters, have you actually run rkill? If not, I would go ahead and do that as it should stop the virus from stopping you from running mbam. If you still can't run mbam, I would try running it in safe mode. I would do a full scan inside of safe mode, that way it can at least detect and remove some of the virus's files required for running.

2 more replies
Relevance 56.58%

The computer in question was originally infected with a Department of Justice ransomware. The computer was locked subject to a payment of $300 per MoneyPak.
I was unable to enter through safe mode, but was able to get in with safe mode with networking, when I downloaded MBAM and ran it.

I was able to get in normally at that point, so I ran MBAM again and downloaded AVG Free.

Since then every scan with MBAM still comes up with infections and AVG pops up repeatedly with trojan horse threats.

I then ran Malwarebytes again, removed threats, downloaded Spybot, ran it, removed threats, ran AVG, still found threats, removed them, then on the next restart encountered a windows\system32\command.com parameter incorrect error.
Ctrl+Alt+Del, end the explorer.exe process, opened Spybot and unchecked the Spybot deleting from startup log, and the parameters were fixed.

I am still infected and continue to scan with MBAM.

Just now I ran DDS; here are the reports from that. Those are all the logs I have at the moment.
Please help!

Answer:Ransomware surviving mbam, spybot, and avg several times

also on start up i am getting a rundll error

5 more replies
Relevance 56.58%

Try this again... I had taken an hour and a half to write out these problems I was having and Firefox crashed before I could post it!!!

So, as I was saying, I've been having a problem with Firefox for a week and a half now with it redirecting to other sites. It always goes to the correct site on the fourth try, and works every time if I use the address bar (I never liked bookmarks or other ways to track / navigate the web).

I was looking at the download history for Windows Update because I have had to download the Malicious Software Removal Tool 9 times in the last 10 days (sometimes twice a day).

This prompted me to start a clean-up process I have done for years, which includes leaving Win. Defender and AVG open before their scheduled tests (so the results will be displayed the next morning), (of which they found nothing)...

Next would be Spybot Search and Destroy: everything was working fine (it would load fine, check for updates, I checked the start up list, immunized the system and checked System Internals without incident), but if I try to run a full scan it will run for about two seconds and then close the program (I tried a few times)...

The Defrag I use still works, as well as Disk Cleanup and CCleaner.
Should I get another program (such as Ad-Aware or the like)?

If I reboot my computer Live Messenger will automatically start (but not sign in). Yesterday (Sept 22nd) I woke up to about ten error messages onscreen (all the same): <Windows Live Communications P... Read more

Answer:redirects 3 times; spybot / mbam not working???

6 more replies
Relevance 56.58%

DDS.txt is at bottom of post

I have the following problems:
background replaced by active desktop warning or the following

"Warning
Dangerous spyware
many viruses were found on your computer such as : Trojan horse,
PassCapture, etc.
you personal information can fall into "third hands"
please check up the computer with a special software
thank"
taskbar icons such as wireless, sound, and battery indicators missing
a red x shows up in this same taskbar with a balloon coming out that says:

"Warning! Security report
Your computer is infected! It is recommended to start spyware cleaner tool"
receive "Invalid floating point operation" or program simply closes itself
when trying to open up legitimate spyware cleaners such as spybot adaware and malwarebytes
desktop icons replaced by icons with same image but that all link to <http://lsp-test-nax.ind.in/land/eurl/?code=15>
this page pops up randomly: <http://antivirusxp-pro2009.com/?code=0000049>
my documents opens by itself
a process called msmpeng.exe eats up a lot of my processor
windows explorer keeps crashing
and finally...
every 4 hours or so a message shows up telling me that the generic host process for win32 is not working properly
and the computer forces shut down within a minute (unless i don't hit ok on the message window)

DDS (Ver_09-02-01.01) - NTFSx86
Run by langefbd at 15:02:53.17 on Wed 02/11/2009
Internet Explorer: 7.0.5730.11
M... Read more

Answer:spybot/mbam/adaware disabled by spyware

Hello langefbd,

Sorry for the delay. We have many logs backed up. If you still need help then proceed.

Have you been playing with Registry Cleaners? Because Registry Cleaners can break Windows. The following is referring to Eusing Free Registry Cleaner. Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
Registry tools can cause irreparable damage to your Operating System.
Registry tools can, as a result of the above, render your pc to be inoperable.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java SE Runtime Environment (JRE) 6 Update 12. You want the 32-bit version, not the 64 bit version. Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 12". Click the "Download" button to the right. At the Select Platform and Language for your download drop down box select Windows and Multi-Language, then press Continue. Selecting Windows gives you the 32 bit version. Check the box that says: "Accept License Agreement". The page will refresh. Click on the link to download Windows Offline Installation, Multi-language jre-6u12-windows-i586.exe and save to your desktop. Close any programs you may have running - especially your web browser. Go to Start > Control Panel... Read more

16 more replies
Relevance 56.58%

I am infected with Safety Center. I downloaded and installed MBAM; it will run for 2 seconds then close. I also tried to run it in safe mode. I was able to locate some of the files in the registry and removed them.

Answer:Safety Center Virus-Cannot run mbam or spybot

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended) - Primary Mirror / Secondary Mirrors
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down) - Primary Mirror / Secondary Mirrors
Rar Mirrors - Only if you know what a RAR is and can extract it. - Primary Mirror / Secondary Mirrors

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
Include this report in your next reply, please.

10 more replies
Relevance 56.58%

I've got a tough one for you. It's a hijacker of some sort, it blocks me from accessing sites like AVG, superantispyware.com, spybot, etc. It also won't let me run Spybot, SAS, MBAM, etc... when I try to run them the computer just processes for a few minutes, and nothing happens, even when I try in Safe Mode. Other than that, I've run everything as close as possible to the instructions in the sticky post at the top of this forum. I can run AVG and have updated it manually by downloading the defs on my uninfected laptop, and did the same for Adaware, but both scans came out clean. My HJT log is attached. The "DBRas" and "Confidence Online" entries are for getting onto my work's network from home. I've tried updating HJT to the latest version, and it does not work... it just processes for a minute and does not continue.

I'm running Windows XP Pro, Version 5.1 (Build 2600.xpsp_sp3_gdr.080814-1236 : Service Pack 3)
It's a homebuilt machine, Pentium 4, 3.2Ghz, 1.00 GB of RAM
I've had no hardware problems, and first noticed this problem about two weeks ago.

Edit: AVG reports that I have an adware.secondthought infection. I'm going to try removing it by using the instructions at www.safer-networking.com/removeadwaresecondthought.php I doubt this is my only problem but we'll see.

Edit #2: no luck. Still there.

Thanks for your help!... Read more

Answer:Tough Hijacker - can't run Spybot, SAS, or MBAM, and HJT log looks clean

I have been having the same problem. I went to the Spybot site and cannot navigate anywhere there. Wanted to E-mail Spybot about the problem, but when I try to click to go to the contact E-mail, get a failed connection notification.

1 more replies
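One mechanism that produces exactly the symptom in the post above (security-vendor sites unreachable or hanging while other sites work) is a rewritten hosts file, which Windows consults before DNS. The script below is an added example, not code from the thread or from any of the tools named in it: it parses hosts-file text and reports every entry that points a security-vendor name at loopback (blackholed) or at some other address (redirected). The embedded hosts content is a constructed sample that uses documentation addresses, and the vendor-domain list is an assumption chosen to match the sites the poster could not reach. On a Windows box it reads the live file from %SystemRoot%\system32\drivers\etc\hosts; elsewhere it falls back to the sample so it runs offline.

```python
"""Flag hosts-file entries that blackhole or redirect security-vendor domains.
Added example; sample data is constructed, vendor list is an assumption."""
import os
from typing import List, Tuple

# Assumed list: the sites named in the post plus common update hosts.
SECURITY_DOMAINS = (
    "avg.com",
    "superantispyware.com",
    "safer-networking.org",
    "malwarebytes.org",
    "bleepingcomputer.com",
    "microsoft.com",
    "windowsupdate.com",
)
# Mapping a name to one of these makes it resolve to nothing useful.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Default location; malware can also repoint the Tcpip\Parameters\DataBasePath
# registry value at a copy elsewhere, so check that value too on a real box.
WINDOWS_HOSTS = os.path.join(
    os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32", "drivers", "etc", "hosts"
)

# Constructed sample of a hijacked hosts file (TEST-NET addresses, no real hosts).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.avg.com free.avg.com
127.0.0.1       superantispyware.com      # download site blocked outright
0.0.0.0         www.safer-networking.org  # Spybot's home
203.0.113.7     forums.bleepingcomputer.com
192.0.2.10      update.microsoft.com      # updates sent to an attacker-controlled host
93.184.216.34   example.com               # unrelated entry, must not be flagged
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; comments and blank lines are skipped and one
    line may map several names to the same address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        entries.extend((ip, name.lower()) for name in names)
    return entries


def is_security_domain(name: str) -> bool:
    """True for a listed domain or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_hijacks(text: str) -> List[str]:
    """Describe every entry that blackholes or redirects a security-vendor name."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not is_security_domain(name):
            continue
        verb = "blackholed to" if ip in BLACKHOLE_IPS else "redirected to"
        findings.append(f"{name}: {verb} {ip}")
    return findings


def load_hosts(path: str = WINDOWS_HOSTS) -> str:
    """Read the live hosts file if present; otherwise use the constructed sample."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return SAMPLE_HOSTS


if __name__ == "__main__":
    for line in find_hijacks(load_hosts()) or ["no security-vendor entries found"]:
        print(line)
```

A clean hosts file does not clear the machine: the same symptom can come from a DNS setting or a Winsock LSP, so treat an empty result as one check passed, not as a verdict.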
Relevance 55.76%

Hello. I have previously asked about this in another thread so background is in there - http://www.bleepingcomputer.com/forums/ind...p;#entry1221094

Briefly, I am getting redirected when using Google. It performs the search okay, but about 30-50% of the time when I click on a link instead of taking me to the correct page it will go somewhere different, an advertising page or a different search page. I can usually click the back button and retry the link and it will take me to the correct page then.

Also sometimes, maybe 10% or less of the time, when I click a link I get a popup message that says updates to my 'web media player' need to be installed (it does not mention a specific program or brand). I close the popup and get a blank white screen with a message saying Web Media Player Updating and a series of file names flash up to indicate they are downloading. I have not installed any new 'web media players' recently and can only assume this is something I do not want downloading. Every time it happens I just close the page. I don't know where it downloads to so I don't know how to check what has happened.

I had a few other issues (mentioned in the other thread) but they all seem to have stopped recently.

Yesterday on one occasion my computer shut itself down and rebooted totally unprompted. I had a problem with it doing that about 6 months ago, it went through a phase of rebooting randomly, and eventually windows became corrupted. I thought at the time it was my hard drive packing ... Read more

Answer:Google redirect problem which isn't found by Spybot / MBAM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the resul... Read more

2 more replies
Relevance 55.76%

Came home from my honeymoon the other day to find my house sitter managed to get something on my computer, been banging my head off my desk trying to fix it by means I would have used in the past.... except I'm unable to. Whatever this is, shuts down every program I try to use to clean the system after a few seconds of scanning and then changes the permission on the executable "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item" so I'm unable to launch it again. I've tried renaming the executables, and sometimes they will run again, only to be shut down and locked again.

Firefox is constantly being hijacked as well, usually when I'm trying to search for something on google, and I click the link, I get redirected to sites like btcar.com www.luckyresults.com. And when I just tried to do a search for "browser hijacked" can't run antivirus, the browser won't let me click the search button now, even after closing and restarting it. I haven't run into this problem with IE yet, but I've barely used it so far.

Not sure of how to go forward from here, I've tried everything I would have done in the past, and I'm hoping someone here will be able to offer some input and help.

Thanks for your time.

Answer:Browser hijacked, can't run MBAM, Spybot, HJT, any rootkit detection

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended) - Primary Mirror / Secondary Mirrors
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down) - Primary Mirror / Secondary Mirrors
Rar Mirrors - Only if you know what a RAR is and can extract it. - Primary Mirror / Secondary Mirrors

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
Include this report in your next reply, please.

----------------------------------
Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.
Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

3 more replies
Relevance 55.76%

Thank you in advance for any help. I found a similar issue and followed the instructions in the preparation guide.

1. Can't delete or update AVG (errors). AVG 8.5 shows no components and I tried to uninstall and then download 9.0 but it will not install. Installer detected that there are deletion pending flags set for some services of AVG 8.0. I have restarted several times but cannot install.
2. Spybot and others won't start. I re-downloaded it and MBAM and cannot install them.
3. Redirects some things from Google although I can get back to it.
4. Security balloon pops up saying serious security issues please remove them, then windows pop up showing these names: Trojan-Downloader.Multi; Backdoor.Win32; Net-Worm.Win32; Email-Worm.Win32.NetSky.q; Trojan.win32.Agent.dcc; Net-Worm.Win32.Mytob.; Trojan-Downloader.JS.Multi.ca; Backdoor.Win32.Agent.ich; Virus Win32.Hala.a; VirusChin09.Win; VirusWin32.Hala.a

Clicking enable protection takes me to a Malware Defense installation that I couldn't stop; it runs an unregistered copy and goes to the site to buy it. It runs a scan showing 13 dangerous viruses.

A warning popped up: Attack from 214.82.202.70: 22203; 86.206.102.222: 17963

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/01/09 09:29
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: avgrkx86.sys  Image Path: C:\WINDOWS\... Read more

Answer:Infected Virus Chin09.Win, MBAM, spybot won't start,

I have solved my problem. Thank you for all the information; by sifting through this website I was able to figure out how to get rid of the Malware Defense and restore the other programs.

2 more replies
Relevance 55.76%

I think I have had this one for a while but it was "hibernating" or whatever. So many things it could be. It has recently shown up as spawning duplicate svchost.exe processes which are definitely not mine (there were 8 at one point eating up all of my CPU). I have not had much time to hunt this thing down, although I have suspected for months I had something nasty on here hibernating.

Spybot S&D has been removing spyware, but it is the same spyware each time, like it keeps reinstalling itself. On startup it catches illegal registry write attempts. When this occurs, Malwarebytes catches an outgoing request and blocks it. A full scan using MB and S&D detects nothing even after it catches these breaches.

I found a file in an empty combofix folder called "catchme.sys" and thought "yeah I should use combofix, but what is this, some kind of mocking cracker joke?" so I downloaded combofix, ran it. I had to uninstall Windows Security and Ad-Aware - I don't understand why they run without my permission. I even shut them down in task manager and combofix still bleeped they were going. That is truly annoying, or maybe I was doing something wrong.

Well that's about all I can think of. Here is the Combofix log:
ComboFix 12-01-21.02 - Naomi 01/21/2012 21:51:01.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1304 [GMT -8:00]
Running from: c:\documents and settings\Naomi\Desktop\ComboFix.exe
AV: Microsoft Securit... Read more

More replies
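The pattern in the post above (Spybot removes the same entries every time, illegal registry writes at startup, and a ComboFix run to find what keeps putting them back) is the classic autostart re-infection loop. The script below is an added example, not code from the thread, from Spybot or from ComboFix: it audits the two locations these threads keep finding re-populated, the Run/RunOnce keys and Winlogon's Userinit and Shell values, from a `reg export` dump. Run entries launched from Temp, Local Settings, Application Data or the Recycler are flagged, and anything chained after userinit.exe in Userinit is reported. The .reg text embedded here is constructed; the value names and paths in it are illustrative, and the expected Userinit value assumes a default XP install with SystemRoot = C:\WINDOWS.

```python
"""Audit Windows autostart locations (Run keys, Winlogon Userinit/Shell) from a
.reg export. Added example; the sample export is constructed and the expected
Userinit path assumes SystemRoot = C:\\WINDOWS."""
import re
from typing import Dict, List

# Default XP Userinit is this path followed by a comma; anything appended after
# the comma is a second program run at every logon (assumption: C:\WINDOWS).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
EXPECTED_SHELL = "explorer.exe"

# Directories a legitimate Run entry rarely launches from but droppers favour.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\",
                "\\appdata\\", "\\recycler\\")

# Constructed export in the format 'reg export <key> file.reg' produces.
# Names and paths are illustrative only.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"sysupd"="C:\\WINDOWS\\Temp\\sysupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="rundll32.exe \"C:\\Documents and Settings\\User\\Local Settings\\Temp\\upd.dll\",Start"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\userinit32.exe,"
"""


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the string values of a .reg export: {key: {name: data}}.
    Binary/DWORD values are ignored; only "name"="data" lines are read."""
    value_re = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = value_re.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit(text: str) -> List[str]:
    """Return one finding per suspicious autostart entry in the export."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k.endswith(("\\currentversion\\run", "\\currentversion\\runonce")):
            for name, cmd in values.items():
                if any(d in cmd.lower() for d in SUSPECT_DIRS):
                    findings.append(f"{key}\\{name}: starts from a user-writable path: {cmd}")
        elif k.endswith("\\winlogon"):
            for part in values.get("Userinit", "").split(","):
                part = part.strip().lower()
                if part and part != EXPECTED_USERINIT:
                    findings.append(f"{key}\\Userinit: extra program chained after userinit.exe: {part}")
            shell = values.get("Shell", "").strip().lower()
            if shell and shell != EXPECTED_SHELL:
                findings.append(f"{key}\\Shell: replaced with {shell}")
    return findings


if __name__ == "__main__":
    import sys
    # 'reg export' writes UTF-16 with a BOM; decode accordingly for a real file.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit(text) or ["no suspicious autostart entries"]:
        print(f)
```

To feed it a real machine, export each key (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and pass the file as the first argument. A flagged entry that reappears after deletion means something still running is rewriting it, which is why the helpers in these threads want a rootkit scan before any more cleaning.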
Relevance 55.35%

Hello,

My computer was running slowly and my Comodo and Avast were disabled. I tried to enable them, but nothing happened.

I downloaded and ran Super Anti Spyware, MBAM, AdAware and Spybot and while they each found and deleted something, I still am unable to turn Avast back on. The computer is still very slow on start up.

Attached are the DDS and gmer logs.

Thanks!

Answer:Ran SAV, MBAM, Adaware, and Spybot, still running slow after spyware removal

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator... Read more

18 more replies
Relevance 54.94%

Two new malware removal tools by PC Tools just appeared on Softpedia today.
PC Tools Threat Removal Tool 2012

Fight back against malware.
PC Tools Threat Removal Tool is a handy and reliable utility designed to scan your computer for threats and remove them.

This Threat Removal Tool is designed to fight malicious code that has been known to prevent PC Tools' antivirus software from being installed. It performs a quick system scan in order to identify and neutralize the most common malware families that block, prevent, or terminate PC Tools' security software installers.

To ensure that the malware is completely eliminated, PC Tools Threat Removal Tool deletes the infected files and the registry values added by malware.

Requirements:

- Administrative rights
- If you are running Windows Me/XP, turn off System Restore.

Download
PC Tools ISO Burner 2012 1.0

Get the ability to access and delete persistent malware.
Safely remove malware from your computer with PC Tools ISO Burner. This is an advanced bootable antivirus tool that provides users with the ability to access and delete persistent malware.

When malware infects a computer, it gains control of many components that are key to the system's operations, making it very difficult to remove. Malware can use some of these system components to hide itself and prevent other software from detecting and removing it.

If you can't install or run a security application in the first place, then how a... Read more

Answer:PC Tools Releases New Malware Removal Tools

Ok what files are in the zip when you download it?
All I get is pcttFixTool.dll, no exe???
 

7 more replies
Relevance 54.94%

Hi, I posted this already, but was moved to another section of the forum: http://www.bleepingcomputer.com/forums/topic252804.html#Straythe and Blade helped me. Blade told me how to successfully run RootRepeal (disconnecting from the Internet). And I was able to get a log for it to post up. After I posted up the log, I was told my system has an active rootkit on it. Then I was instructed back here to post my partial RootRepeal log and a Win32kDiag log. However, I was unable to run DDS.scr and generate logs for it because it keeps crashing (just the software keeps crashing and not my system).

Moreover, I'd like to add the infection has been doing a lot of site redirections. For instance, I'll do a Google search for 'boxes' and when I click on a 'amazon.com/boxes' (just an example) link within the results, I am redirected to some non-related site. I haven't had any other problems with site redirections just through Google, since that's the only search engine I use. I can go to websites and click within a website and I will get the site of the link I clicked on. So again, just Google searches.

Also, I don't know if this is due to the infection, but my system keeps freezing up. I have cleaned the inside of my PC from dust, but it keeps freezing up. So I am constantly having to restart my PC by way of the restart button on the CPU. BUT when I do, the PC won't boot up. It's not until I've pushed the restart button on the CPU multiple (and I mean multiple) times when it chooses to boot ... Read more

Answer:Infected with Rootkit / Site Redirections / MBAM, TrendMicro, SpyBot, and DDS.scr Crashes

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

3 more replies
Relevance 54.53%

Alrighty. Been having these issues with ads and popups on my Chrome for awhile, All steps have been followed meticulously from 1-7.

Before coming here I had run CCleaner and my copy of Malwarebytes. I had tried SpyHunter4 but it decided it wanted me to pay money. Nope. Sorry, I'll be reinstalling my OS (Should I be able to find my copy) but that's my absolute last ditch resort.

Ran through this guide
http://forums.majorgeeks.com/showthread.php?t=230267
Then this guide
http://forums.majorgeeks.com/showthread.php?t=139681

Here are some Screenshots of my persistent issues.

http://puu.sh/iDKjV/06a406395b.jpg
http://puu.sh/iDKkV/017668ee18.png
http://puu.sh/iDKls/6a12526ec0.png
http://puu.sh/iDKlY/a0285fcbfb.png

P.S.
I pressed on the "Manage Attachments" button and this is what popped up. I obviously Exited out of it immediately but you see how this is an issue.
http://puu.sh/iDKub/7a6ebf5e5f.png
 

Answer:Persistent Malware is Persistent.

Hi there.

Could you also attach the Malware Bytes log please?
 

13 more replies
Relevance 54.12%

I was sent here by boopme (moderator) and asked to post a RootRepeal log. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/254641/unknown-virus-disabling-security-and-hacking-firefox-ie/ ~ OB

RootRepeal stops scanning when looking at C:\System Volume Information when I used the method mentioned on your front page. However, I've been able to run separate scans, except scanning "Files", that won't work.

Drivers scan:
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/04 16:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 1394BUS.SYS  Image Path: C:\WINDOWS\system32\DRIVERS\1394BUS.SYS  Address: 0xB80B8000  Size: 53248  File Visible: -  Signed: -  Status: -
Name: ACPI.sys  Image Path: ACPI.sys  Address: 0xB7E61000  Size: 187776  File Visible: -  Signed: -  Status: -
Name: ACPI_HAL  Image Path: \Driver\ACPI_HAL  Address: 0x804D7000  Size: 2142208  File Visible: -  Signed: -  Status: -
Name: AegisP.sys  Image Path: C:\WINDOWS\system32\DRIVERS\AegisP.sys  Address: 0xB8458000  Size: 18720  File Visible: -  Signed: -  Status: -
Name: afd.sys  Image Path: C:\WINDOWS\System32\drivers\afd.sys  Address: 0xB46F3000  Size: 138496  File Visible: -  Signed: -  Status: -
Name: apoc6gxa.SYS  Image Path: C:\WINDOWS\System32\Drivers\apoc6gxa.SYS  Address: 0xB6AE1000  Size: 225280  File Visible: -  Signed: -  Status: -
Name: arp1394.sys  Image Path: C:\WINDOWS\system32\DRIVERS\arp1394.sys  Addre... Read more

Answer:Critter preventing HijackThis/MBAM/online scans/Spybot/AVG and hijacking Firefox and IE.

Hello mononc,

Let's begin....

==========
Step 1
Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) "%userprofile%\desktop\win32kdiag.exe" -f -r into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

==========
Step 2
Please do this: Click on the Start button, then click on Run... In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS). Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

copy C:\WINDOWS\system32\logevent.dll C:\ /y

In the Command Prompt window, paste the copied text by right-clicking and selecting Paste. Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"

NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful. Exit the Command Prompt window.

==========
Step 3
Warning to others reading this thread!: The Avenger is a VERY POWERFUL program, and can easily be misused. Certain misuses of this program can prevent your system from ever starting again. For this reason, it is strongly recommended to use The Avenger on... Read more

44 more replies
Relevance 54.12%

I am running a Lenovo T61 with Windows Vista Business. Yesterday evening, my Norton 360 notified me that it was no longer working due to a problem with LiveUpdate. Norton recommended I uninstall and reinstall the program, and try to update again. I did this three times, and all three times it rendered Norton inoperable when I tried to run LiveUpdate.

Then I tried to run MBAM, which showed me an error when I tried to update its definitions:

Spybot likewise fails to update.

Also, as of this evening, I cannot connect to the internet with IE, Firefox, or Skype, though Chrome is still working fine (for now, anyhow).

At first I thought I just had a glitch with my Norton, but with so many products failing, I'm worried it's actually a virus or malware program.

I don't know if it's relevant, but I wasn't able to download DDS from the link on BleepingComputer tonight. I had the program from the last set of computer problems I worked through on the forum, so I used that to create the log below. GMER downloaded fine and ran as well.

I'd appreciate any suggestions you can give me!

Thanks,
SMH1105

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_30
Run by Stephanie at 20:00:32 on 2012-02-01
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3054.1469 [GMT -5:00]
.
AV: Norton 360 *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D... Read more

Answer:Norton, MBAM, and Spybot will not update/run; IE and Firefox won't connect to internet (but Chrome works)

Hello, my name is Elise and I'll assist you with this issue.

Can you please rerun DDS and post me attach.txt (no need for dds.txt)?

12 more replies
Relevance 53.71%

I recently ran Spybot - Search and Destroy, and wound up with some 116 problems. Upon fixing them, I noticed that one was Virtumonde, a problem I've had on a previous computer. After trying to fix it by Spybot (and failing), I did exactly what I had done in my previous encounter - went to VundoFix and ran it. Came back with nothing. Thinking that it was a mistake, I looked online and found another. VirtumondeBeGone was also unsuccessful. I've looked around on this website before and saw that there was another individual with a similar problem. I followed the previous advice and used Malwarebytes Anti-Malware's File Assassin to delete the file. I ran Spybot again, and it is still there. The location is unchanged: C:\Windows\System32\rcpnet.dll

Please help!!

Answer:Spybot Detects Virtumonde - Both Spybot and Malware Can't Delete It

http://www.computerhope.com/forum/index.php/topic,46313.0.html

go to above, post the 3 logs here, an expert will see them, harry

you can also read this below

http://www.computerhope.com/search.htm?cx=003411668307610607965%3Ah4yba8pbdco&cof=FORID%3A9%3BNB%3A1&q=virtumonde&sa=Search#1297

8 more replies
Relevance 53.3%

I have just been playing with the SpyBot tools and was wondering what experience folks have had with them. They look quite useful, file shredder, registry checker, description of startup programs, etc.. Any good or just use SpyBot for searching for spy [email protected]

Answer:SpyBot Search & Destroy Tools

To be honest, I have never used the tools, I just use the resident part and scan for spyware with it.

2 more replies
Relevance 52.48%

Has anybody installed the Beta Spybot S&D 1.5 yet?

New Version SpyBot-Search&Destroy.
From Majorgeeks:
Editor's Note: Version 1.4 must be installed first.

Announcing betas: TeaTimer / Scan engine / Vista integration

Scanning engine
This update cannot be disabled in the download package below; it is not only used if you install TeaTimer, but by the main Spybot-S&D scanner as well. The methods available to detect malware have been more than doubled, including new ways to generically detect malware mutations.

TeaTimer
Aside from the fix of the graphical glitch so many users have been waiting for, there have been some important changes under the hood, which will reduce the number of change dialogs where the user has to decide.
TeaTimer now automatically allows any changes during the installation of other security software which follow the ASCs guideline of code-signing all files, as well as a much improved scan of the files associated with registry changes.
 

Answer:SpyBot-Search & Destroy Tools 1.5 Beta?

I downloaded it last night with no problems.
 

1 more replies
Relevance 52.48%

I keep seeing references in the magazine for changing parameters using Windows' own utility for Start up etc MS Config. Sometimes the little utility by that Lin chap is quoted - which is good. However I find the easiest (because it can be seen on the whole screen) is Spybot (which comes on the PCA disk). You do however have to choose the advanced setup when installing Spybot. This utility, following the path in the title, allows you to read the whole command line for start up applications and untick them rather than erase them. It's also free, and it's really convenient and it's available. Thoughts?

Answer:MSConfig vs Spybot>Tools>System Startup

Still think that MSConfig is the easiest - as it is built into most versions of Windows. Start, run, services.msc is a better option for advanced users. As for MikeLin's control panel, I like it and recommend it to those who want a bit more power than MSConfig. I don't use spybot so cannot comment fairly.

4 more replies
Relevance 52.07%

Hi folks,
I have been infected...and I would appreciate some help. MalwareBytes found a Trojan Dropper and my McAfee has been finding a virus a day (for the last 4 -5 days or so). The only reason I think it's not gone is that it made Spybot into a read only file and every time I try to reinstall the program it stops me. It also would not allow me to run MGTools.

Additionally, in the past few hours while at work it has disabled Hijack This and SAS...it just keeps getting better!

I've attached the logs I have and am hoping that some of the experts here can help my cause. I've had my Dell Studio Hybrid for less than a year and I really don't want to sacrifice it to the Malware Gods.

Thanks in advance for any help you can provide!
~cheryl~
 

Answer:Trojan Dropper - can't be sure it's gone - causing Spybot & MG Tools issues

Welcome to Major Geeks!

You need to follow all of the instructions in the below sticky:

READ & RUN ME FIRST. Malware Removal Guide

We need the logs from SUPERAntiSpyware, Malwarebytes and MGtools. Make sure that you are following the instructions for Using MGtools with Vista. UAC must be disabled and you must reboot after disabling. Also, you must run MGtools as Administrator.

The logs you attached thus far show no problems other than the fact that you did not put ComboFix on your Desktop as is required for further instructions to work.
 

3 more replies
Relevance 51.25%

I have a default Yoog Search in my Search Engines, I try to remove it and set it as google but it would again default to Yoog. Next thing is I just cannot run 'Spybot Search & Destroy' and it doesn't let me open any anti-malware related sites. I can't download any anti malware apps. I am just stuck.
 

Answer:unable to run any anti-malware tools and also can't open any anti-malware related site

Welcome to Major Geeks!

Please try doing this first:
Yoog Removal

Then please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.

TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide


Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes ... Read more

6 more replies
Relevance 51.25%

I have a default Yoog Search in my Search Engines, I try to remove it and set it as google but it would again default to Yoog. Next thing is I just cannot run 'Spybot Search & Destroy' and it doesn't let me open any anti-malware related sites. I can't download any anti malware apps. I am just stuck. I saw a post " Win 2K hijack issue - unable to run malware apps!". I have exactly the same case on my system.

 

More replies
Relevance 51.25%

Yesterday, I had troubles with Windows live messenger where it (still) says:

"Windows Live Communications Platform has encountered a problem and needs to close. We are sorry for the inconvenience. "

although, the problem isn't about MSN. I found out that this problem was caused by having Malware on your computer. Hence, I decided to run a scan using Malwarebytes Anti-Malware (MBAM).

I noticed that my Avast was disabled and if I try to enable it, it comes up with a window saying: the operation could not be completed.

My google searches also SOMETIMES get redirected to links that are clearly off topic.
Like if I google search the terms "malware wikipedia" and I click on the wikipedia link but I get redirected to some Myspace/Anz credit card crap.

Then this happened.
MBAM CRASHED after 2 mins of scanning -> tried to re-run MBAM but a window came up saying:
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
I ran several other programs such as:
HJT -> scanned for 2 mins, then crashed (no logs were made)
SUPERAntiSpyware (SAS) -> scanned for 2 mins, then crashed
and same goes for any other programs that searched for any malware.
The only program that worked was TROJANHUNTER and came up with a couple of false positives
I also tried using Avira's Rescue CD (the one where you boot up with it and it does a scan)
A scan using Avira was also successful but failed to... Read more

Answer:Malware/Anti-virus tools wont run due to a rootkit/trojan/malware

I am having the exact same problem!
I have no clue what to do, any help would be amazing!

2 more replies
Relevance 50.84%
Question: Persistent malware

Hello, a few days ago I found some viruses via Panda Active Scan. While they weren't easy to delete, I believe I had gotten them. I'd suspected a virus or malware because the CPU was always running hot/ fast with a fan speed/ noise to match. Additionally, I was getting notices from various programs saying that they needed codecs to operate (e.g. AIM6).

However, the increased fan speed/ noise and increased CPU load has returned and I'm at wit's end in trying to beat these bugs on my own.

I did read the "First Post" thread and tried to follow directions as best as possible. The DDS script turned out fine and is posted below. The other log that DDS spits out is also attached.

However, I did not have much luck with GMer and apologize for not posting the required log. It would run normally for a while then cause my computer to lock up: the CPU usage would shoot up to 100% and stay that way. The two processes that took up the most resources were Winlogon and lass or iass. I apologize for not taking better note.

I would appreciate any advice that can be given to me.

Respectfully,
JRizal

Here are the reported viruses/ malware that the last two Panda Scans indicated:

1)
W32/Xor-encoded.A c:\documents and settings\owner\local settings\temp\mpsamplesubmit\yxxo.exe.xor

Trj/CI.A c:\documents and settings\owner\local settings\application data\acxmsvpns\hpeysbh.exe

Adware/AccesMembre c:\system volume information\_restore{e0eccc2d-b6ab-4623-9c72-04534427... Read more

Answer:Persistent malware

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I need to see a gmer log in order to help you. Please try running gmer again, this time also unchecking 'Files'. Make sure no antivirus scans are scheduled during the run.

------------------------------------------------------

13 more replies
Relevance 50.84%

Hello,

I have a persistent malware infection, and could use some help locating and removing it. I have followed all the removal instructions on the site, and have used updated versions of Windows Defender, Ad-Aware, Spybot, and Stinger, to no avail. I get a constant stream of popups from various sites, including Winantivirus Pro, Sysprotect Scanner, Party Poker, and various adult sites, but no detections of spyware. I had a nebuler infection months ago, but thought it was removed, and don't find any of the files associated with that trojan. Here is my Hijackthis log. Any advice would be much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 2:50:18 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\wwSecure.exe... Read more

Answer:Help With Persistent Malware Please

Hi shorebird508,

If you still need help please post a fresh HijackThis log using the Add Reply button and I'll be happy to look at it for you.

Thanks for your patience.

2 more replies
Relevance 50.84%
Question: Persistent Malware

I run current versions of AdAware and Spybot every couple days, but consistently get tracking cookies from Zedo, Mediaplex, Doubleclick and more. I googled 'removing Zedo' and followed the instructions. The core.sys and core.cache.dsk files weren't there to remove. It was suggested by the website to contact MajorGeeks.

Is there any way to permanently remove these Malware items?

Thx...SJ
 

Answer:Persistent Malware

Cookies are not problems! You will always have cookies unless you never open up a browser to do any surfing. Don't worry about cookies. See what I wrote in step 11 of the below link:

How to Protect yourself from malware!


For your other issue with core.cache.dsk which is malware, please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies
Relevance 50.84%
Question: Persistent Malware

Hi guys,
 
I have adware/malware that refuses to be vanquished despite my best efforts. I've used SuperAntiSpyware, HijackThis, Norton 360, Malwarebytes, and Kaspersky, and although all of them have found 10+ serious threats and supposedly quarantined/removed them, the viruses have not disappeared, or even been diminished. I do run WinPatrol, which I think has helped stave off the worst effects of the viruses.
 
I don't have any logs because the last time I tried cleaning my PC was about a week ago, and I deleted everything out of frustration since I couldn't get anywhere.
 
What is the next step? I defer to your infinite wisdom.
 
Thank you so much for your help,

Answer:Persistent Malware

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
Double-click ... Read more

14 more replies
Relevance 50.84%
Question: Persistent Malware

Could someone give me a new perspective on repairing a malware infection? I have been working on removing a malware for 4 days now with only modest progress. It looks like I have a rootkit on top of other malware and I have been unable to completely remove it. It appeared with a malware bomb that became obvious when Win XP Recovery launched. I need to save this xp installation as it has irreplaceable programs on it. Any assistance you can provide would be greatly appreciated. Thanks in advance.

More replies
Relevance 50.84%

Hello I was directed here from my previous thread.
 
This all started when I stupidly decided to search for movies illegally online. I didn't notice any symptoms at first, but my laptop seemed unusually slow and seemed to get memory errors more often as well as internet disconnections. When I checked task manager, the process "System" was nearly taking up a gig of memory. I ran Norton, Malwarebytes and a scanner from Microsoft to no avail. After that I ran Malwarebytes' rootkit scanner, but what had infected my system prevented me from running it and corrupted the exe file somehow. When I redownloaded and ran it on safe mode it picked up 3 objects which were removed. I would list them here, but I forgot to back up the log before I reformatted my computer. The problems persisted so I ended up reinstalling windows with a bootable usb created on the infected machine.
 
Windows ran normally again at first, but the problems resurfaced shortly after. I ran the rootkit scanner again and it picked up six objects (listed here). Even after they were removed the problems still persisted: the system process again bloated up and my laptop's fan was running at an abnormally high rpm with nothing running. Further scans with AVs turned up nothing as usual. The system process mysteriously corrected its memory a few hours ago, but I'm still not sure if the malware is dealt with. I will add any additional details on request.
 
Thanks in advance.
 
FRST.txt log:
Scan result o... Read more

Answer:Persistent Malware?

Hello dave89,
 
I'm Stan and I will be helping you for this problem.
 
First of all I want to clear some things about the malware removal process:
Do not run any tools on your own. This may affect the process of removal and may cause both slowdown and additional problems.
Read carefully the steps that I suggest you to do. Any mismatch will prolong this case.
Copy any scripts carefully so they stay exactly the same as the original. Otherwise the script may not work and we will need to rerun/recreate it.
Feel free to copy all the steps in an offline environment. They may be easier to read and follow in this way.
Feel free to ask any questions about the malware removal process. I'm here to help you so nothing must be hidden or misunderstood.
Share with me any problems/changes you experience while working with the current system.
Please, do not use any quotes or code boxes when you post logs.
I want to inform you that I will be able to respond in the evenings - 07:00 P.M - 11:00 P.M. (UTC + 02:00) - since I'm working during most of the daytime. If I haven't posted anything for 48 hours straight, please, feel free to send me a personal message. I will bump the topic if there is no response from you for 3 days. After 5 days of inactivity, the topic will be closed.
 
I want to inform you that I'm still in my training program so my posts must be reviewed by an instructor. This may lead to a slight delay in my answers.
 
I will need some time to review the... Read more

3 more replies
Relevance 50.84%
Question: Persistent Malware

As the title suggests, I have some very tenacious malware on my computer somewhere. I've used Malwarebytes, Spybot, and Avast's scanners both in and out of safe mode, and I'm still experiencing very frequent browser redirects. Specifically, when I do a Google search for anything, clicking on a search result link, even a reputable site, redirects me to a random ad site. And also general slowness and crappy computer operation as a whole. I am attaching the three text files of the scan results I was instructed to save.

Answer:Persistent Malware

Also including the HijackThis report

64 more replies
Relevance 50.84%
Question: Persistent Malware

I have a Windows 7 HP Laptop that has become infected and I cannot seem to fully clean it using the usual tools.

Ran Malwarebytes and Spybot Search & Destroy and have AVG running. The initial symptoms were Google Redirect, Ping.exe was using 80% of the CPU.

Once cleaned, everything scanned fine, but then while the machine sits idle, AVG will pop up "Multiple threats detection" with the description "Exploit Blackhole Exploit Kit (type 1889)" two times and one "Exploit Phoenix Exploit Kit (type 1450)". AVG reports these healed, but they will pop up within an hour or two.

Here are the Log Files:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by owner at 20:35:09 on 2011-10-15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3999.2381 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windo... Read more

Answer:Persistent Malware

Hello Brian209,

Welcome to Bleeping computer.

Please update me on the current condition of your computer.

Also please run DDS, copy and paste DDS.txt and attach Attach.txt without zipping.

22 more replies
Relevance 50.84%

Okay, first timer here. I have followed, to the letter, all the steps in the READ AND RUN FIRST thread.

I ran all the scans in Safe Mode, and I ran them all logged in as admin, then again as user.

The symptoms I'm experiencing are an inability to enable or use Norton AV, as well as random opening of IE windows (ads) and spontaneous sending of emails. Not from my Outlook, but the NAV "scanning outgoing email" window keeps popping up. I'm very nervous about this one. I've never had a virus that couldn't be handled with the normal arsenal. I hope someone can help.

I will attach the Hijack log, newfiles and runkey here, then the activescan and bdscan files to another post.
 

Answer:Please help with persistent malware!

Attaching online scan results, logged in as admin.
 

22 more replies
Relevance 50.84%
Question: Persistent Malware

I am having issues with malware on my computer.  At first I always got advertisements, and my homepage always changed to trovi, and ran extremely slow.  After running malwarebytes, jrt, and adware removal tool, they would find several things to delete and the computer would be fine afterwards...... for a few minutes.  Soon after it was the same thing over again and the anti malware programs would find the same things over again.
 
I installed avira and it has realtime protection, and like every 5 minutes it would block and quarantine the same processes.
 
For some reason now avira doesn't flag anymore, but every once in a while my homepage for chrome changes to trovi again.  I have also noticed considerable lag when using online programs (between 200 and 600 ping) when my normal ping was around 100.  Also if playing an online game, not only does it have high ping, but sometimes I just outright disconnect for maybe a second or 2, or just don't receive any data from the server for a second or 2.  I know how my computer normally operates and this is highly unusual.  Also my fps varies widely, but is always around 50-40% of what it normally is.  Task manager shows no strange programs or cpu usage.  Tried using glasswire (a program that monitors network activity), and although it shows no strange programs using the network, I do notice that the "system" will connect to ip addresses in germany and china frequently (not sure i... Read more

Answer:Persistent Malware

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button and follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===
Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first t... Read more

2 more replies
Relevance 50.84%
Question: Malware persistent

I initially got infected by the antimalware doctor. I then installed Malwarebytes to remove the malware. It was able to detect several malware and trojans and seemed to have removed them. Afterwards, I keep getting problems with the svchost.exe Application host error. Proceeded to run HijackThis and found a strange entry in the registry. I was able to locate the key but was not able to remove it. Ill-advisedly, I ran combofix. It detected a rootkit and tried to remove it. Even after doing so, still having issues with the machine. I would get random pop-ups in both iexplorer and firefox. Computer seems sluggish and with a svchost process eating 99% of the cpu sometimes. Your help is appreciated. Thanks.

More replies
Relevance 50.84%
Question: Persistent Malware

Hi,

Can't seem to get rid of 'MyWebSearchFunWebProducts'. MBAM removes it, only to find it re-appears after reboot. GMER, Tizer Rootkit Razor, Sophos Rootkit find zero. Also tried Dr. Web Cure It, Emsisoft emergency scanner, Norton Power Eraser, SuperAntiSpyware, Avira Rescue CD, Eset online scanner. It keeps coming back. HELP!

Thanks in Advance
Ricorocks

Answer:Persistent Malware

Hi Ricorocks, welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put logs in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can also help.
Do not run anything while running a fix.
If you don't understand a step, please ask for clarification before continuing with any future steps.
Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List last 10 Event Viewer Log Errors
List Installed Programs
List Users, Partitions and Memory size
Click Go.
Please put code boxes around ONLY this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]

Download rkill from one of the following downloads (if you are unable to download or run rkill from one download, move to the next one.)
1. http://download... Read more

4 more replies
Relevance 50.84%
Question: persistent malware

Hi, I've been having some trouble with a malware that I just can't remove...

The problem is: There are, throughout several folders of both my hard drives, some .exe files (such as qzfxie.exe, wnvbkg.exe), always together with other files without extension (such as khq, kht, khu); I've tried deleting them (with shift+delete) several times, but they just keep coming back with different names and different icons, and they have also appeared on my pendrive.

I've followed all the instructions on the "read me first" post but even though several malwares got removed, these files are still here. The only program that didn't work was RootRepeal, I kept getting error messages and it saves some crash logs.
Once I tried Kaspersky online scan and it identified one of them as a malware and deleted it, but they just came back again...
By the way, I used to have AVG but now I use Comodo.

In case you need, I'll attach all the logs.

Thanks in advance for your attention and help!
Nathan

ps: the crash logs from rootrepeal are like this:
ROOTREPEAL CRASH REPORT
-------------------------
Exception Code: 0xc0000005
Exception Address: 0x004cb8ab
Attempt to read from address: 0x00000004
 

Answer:persistent malware

I am not seeing any of those files in your logs. You will need to give me the exact path to these files.

Also, download and install this:
AutoEater.

Next I want you to download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:




Files to delete:
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
c:\windows\UC.PIF
c:\windows\RAR.PIF
c:\windows\PKZIP.PIF
c:\windows\PKUNZIP.PIF
c:\windows\NOCLOSE.PIF
c:\windows\LHA.PIF
c:\windows\ARJ.PIFClick to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
-
Now run Ccleaner to clean out only temp files and nothing else!

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip

Make sure you tell me how thin... Read more

6 more replies
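The autorun-worm pattern Nathan describes (random-named .exe files that reappear beside short extensionless companions and spread to the pendrive) is easier to chase down with a scripted sweep than by hand. The Python below is an added example, not something from the thread or from any of the tools named in it: it reads autorun.inf for the launch target, flags executables that match the naming pattern when they sit beside companion files, and hashes each hit so two reinfections can be compared (the same hash under a new name means the same dropper is being re-planted, which points at a surviving loader rather than a fresh download). The pendrive layout it builds is constructed for the demo, the placeholder bytes are inert and not malware, and the name lengths in RANDOM_EXE and COMPANION are assumptions tuned to the names in the post.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Heuristic taken from the post: a random-looking 5-8 letter executable
# (qzfxie.exe, wnvbkg.exe) next to 3-letter extensionless companions
# (khq, kht, khu). Assumed lengths; adjust to your own sample.
RANDOM_EXE = re.compile(r"^[a-z]{5,8}\.exe$", re.I)
COMPANION = re.compile(r"^[a-z]{3}$", re.I)
# autorun.inf keys that older Windows versions honour when a drive is
# inserted: open=, shellexecute=, shell\<verb>\command=.
AUTORUN_KEY = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$", re.I | re.M
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def autorun_targets(root):
    """Basenames of everything <root>/autorun.inf would launch; [] if absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    targets = []
    for raw in AUTORUN_KEY.findall(inf.read_text(errors="replace")):
        cmd = raw.strip().strip('"')
        if not cmd:
            continue
        # first token of the command line, last path component of that token
        targets.append(cmd.split()[0].replace("/", "\\").split("\\")[-1].lower())
    return targets


def sweep(root):
    """Walk a drive (or any folder) and return the files that look like the
    worm's droppings, each with its SHA-256 so reinfections can be compared."""
    root = Path(root)
    referenced = set(autorun_targets(root))
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        companions = sorted(f for f in files if COMPANION.match(f))
        for f in sorted(files):
            reasons = []
            if f.lower() in referenced:
                reasons.append("launched by autorun.inf")
            if RANDOM_EXE.match(f) and companions:
                reasons.append("random-name exe beside companions " + ",".join(companions))
            if reasons:
                p = Path(dirpath) / f
                findings.append({
                    "path": p.relative_to(root).as_posix(),
                    "sha256": sha256_of(p),
                    "reasons": reasons,
                })
    return findings


def build_fixture():
    """Constructed stand-in for the infected pendrive; the 'executables' are
    inert placeholder bytes, not malware."""
    root = Path(tempfile.mkdtemp(prefix="pendrive_"))
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=qzfxie.exe\nshell\\open\\command=qzfxie.exe\n"
    )
    dropper = b"MZ" + b"\x90" * 64
    (root / "qzfxie.exe").write_bytes(dropper)               # planted at the root
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 32)   # legit-looking, no companions
    photos = root / "photos"
    photos.mkdir()
    (photos / "wnvbkg.exe").write_bytes(dropper)             # same dropper, new name
    for name in ("khq", "kht", "khu"):
        (photos / name).write_bytes(b"\x00" * 16)
    (photos / "holiday.jpg").write_bytes(b"\xff\xd8\xff")
    return root


if __name__ == "__main__":
    for hit in sweep(build_fixture()):
        print(hit["sha256"][:16], hit["path"], "; ".join(hit["reasons"]))
```

Run it against the root of the removable drive from a clean machine or a VM rather than on the infected host, where the worm's loader can hide or respawn files between scans; the hash list is what you hand to the helper or upload for identification.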
Question: Persistent malware

First of all, some of my story is here; http://www.bleepingcomputer.com/forums/t/512013/windows-7-gets-a-bsod-every-time/?p=3192557
 
So as you can see, I'm having a problem with what I think is a Malware. The malware is called "rpcqt.dll", and supposedly I have removed it...But I don't think I have. My system is still kind of slow and it gets some BSOD, at least it does when I try using Unlocker and I'm very sure it is because of the malware (Might be more than one, probably).
 
So, I used RogueKiller and I got one process kill, that was LightShot, then on registry, it was Lightshot and rpcqt.dll. On a side note, when I use CCleaner to clean the registry, I seem to keep getting some "MySearchDial" files and such. Is that a malware?

Answer:Persistent malware

Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe and follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue. Make sure the following options are checked:
* Internet Services
* Windows Firewall
* System Restore
* Security Center/Action Center
* Windows Update
* Windows Defender
* Other Services
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.

Please download MiniToolBox and run it. Checkmark the following boxes:
* Report IE Proxy Settings
* Report FF Proxy Settings
* List content of Hosts
* List IP configuration
* List Winsock Entries
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Ant...

17 more replies
Question: Persistent malware

About a week ago I started getting a variety of symptoms. These include frequent pop-up ads that all say "Ads by help4u", frequent redirection to sites offering to solve my security breach (eFix Pro, PC Keeper and several others), and words in text that are capitalized and underlined which pop up ads when the cursor is rolled over them. I ran full scans with Spybot S&D, Ad-Aware, Panda Cloud Antivirus, Malwarebytes' Anti-Malware Free, SUPERAntiSpyware Portable Scanner, Microsoft Safety Scanner, Anti-Rootkit Utility - TDSSKiller and AdwCleaner, as recommended by Firefox, to no avail. Then I followed the instructions for malware removal in MajorGeeks. I am attaching the logs as instructed. Only Firefox is infected, IE is clean so far. My OS is Windows 7 Home Premium, 64 bit and my ISP is Clear. Any help will be welcome. Thank you.
 

Answer:Persistent malware

Please don't forget the MGlogs.zip from running MGTools.exe.
 

13 more replies

One of my computers has been infected recently. It hijacked my IE, and everything was redirected to go.google.com. I found some info about how to disable the "driver" that was doing this, and then ran AVG free edition, SUPERAntiSpyware, and Malwarebytes. I seem to have a persistent infection. Now, my access to the internet on that computer is down. Whenever I run a browser (IE, Firefox, Chrome) it closes immediately. The only thing I have done recently was download WinUtilities and do a registry clean. Here is my DDS log, thanks for your help!

DDS (Ver_09-01-07.01) - NTFSx86
Run by Ashu at 10:27:30.10 on Sat 01/10/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1611 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\nvsvc32.ex...

Answer:Help with persistent malware

So it looks like I have managed to clean out most of the viruses, there seems to be one that still gets found, can someone help?

DDS (Ver_09-01-07.01) - NTFSx86
Run by Ashu at 14:09:58.25 on Sun 01/11/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1340 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Ashu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Spybot - Search & Destroy ...

3 more replies
Question: Persistent Malware

I'm in the process of helping a friend get their PC back to normal. When I first received it, the computer's internet connection was hijacked and a virus was shutting down net-related processes and playing around with antivirus programs. I was able to remove this infection manually and install Avast, which removed the rest of the infection, recognized the culprit file that I found as a virus without problems, and deleted it. I uninstalled some of his outdated versions of Acrobat Reader, Java, etc., and updated them, and then proceeded to do secondary scans with SUPERAntiSpyware, Malwarebytes' Anti-Malware, and a-squared, all of which found more spyware/potential threats and were able to remove all but one of them successfully. The only problem remaining is what SUPERAntiSpyware identifies as "Trojan.Media-Codec/V4". Despite my attempts to remove it, SUPERAntiSpyware simply finds the same thing again after rebooting and rescanning, so I'm in need of some assistance. There do not appear to be any symptoms other than the repeated presence of the malware in SAS's scan.

Attached are the log files from the FIRST round of scans I did with each of the tools. Successive scans with SAS show all 14 elements of "Trojan.Media-Codec/V4" and nothing else. MBAM now shows a clean scan. I have only run MGTools and ComboFix once, and each was right before posting this thread.

Thanks for the help!
 

Answer:Persistent Malware

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (file missing)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting]...

3 more replies

Hello, apologies if I posted in the wrong section.
 
A few days ago I noticed that my computer had been acting funny, I would get DNS errors while browsing, programs I normally use without any problems started crashing and leaving memory errors, and I was running out of memory frequently even without many applications open. When I checked task manager, I noticed that the process "System" was taking up nearly half a gigabyte in memory. I ran a few scans and came up with nothing, then I decided to try out malwarebytes anti-rootkit scanner. The first time I ran it, whatever it was that infected my system auto-closed it and left a memory error window. The program was corrupted when I attempted to open it again. So I installed it again in safe mode and ran it, it turned up with 4 infected files which I removed. (I would list them here, but I lost them after reformatting my computer).
 
I hoped that was the end of it, but the system process was still swelling up and the errors were still persistent so I decided to use the reset function on my computer. When my computer finished resetting it ended up with a boot error so I formatted the drive and reinstalled windows via a bootable usb. This normally would solve all my problems, but my System process is still bloating up to nearly a gigabyte and my laptop fan is going crazy even though there are no CPU/memory intensive programs running.
 
How do I go about removing this? The laptop shows no signs of infection other tha...

Answer:Persistent Malware?

Hello dave89
 
High memory usage is a known "issue" in Windows 10. It is a feature where System uses more memory to optimize itself. It works by using free memory for its own operations and usually frees it when other programs require it. You can read more about it here:
 
http://superuser.com/questions/952141/windows-10-system-process-taking-massive-amounts-of-ram
 
You can also try disabling Superfetch (second post there):
 
By going into services.msc (via Win+R) and disabling Superfetch completely solves this.
 
Also, what are your CPU temperatures? You can check them for example with Open Hardware Monitor
http://openhardwaremonitor.org/

4 more replies

Hi everyone, I hope someone can help me as well. My PC is afflicted with the FindSpy and balloon.wav spyware, I can't seem to remove it.

I have:
Spybot S&D
Ad-Aware from Lavasoft
AVG virus scanner
ZoneAlarm

I seem to have tried everything, now I don't know what to do.
I made the mistake of buying NoAdware, little did I know it didn't work.

Can anyone suggest a free remover for Win 98 SE, or I can try to remove it from the registry.

Thanks a lot
Here's my HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 6:42:13 PM, on 8/31/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Progra...

Answer:Persistent malware - please help!

15 more replies

I seem to have caught a very annoying and persistent virus/malware that just loves to fill my browser with pop-ups and even creates new tabs for these ads/sites.
Very often the pop-ups say "ads by/from Jabuticaba", however I cannot find any programs/extensions/applications under that name.
After 3 days of scanning and trying to remove this infection Malwarebytes reports "PUP.Optional.BestPriceNinja.A" no matter how many times I remove it. I also have noticed "shopperz" appearing a few times. Also by using Malwarebytes, Hitman Pro, AdwCleaner and Revo Uninstaller I have managed to get rid of "iminent" that was installed on my laptop, which I thought could have been the source of the problem. I have attached the first of my scan logs which shows the glorious amount of infection followed by the later Hitman Pro log. However now the only thing that will ever show is BestPriceNinja. Please help, I have been trying to get rid of this malware for days now but these pop-ups/redirects just will not go away!
 
Thank you very very much!
PCAA 

Answer:Very persistent pop ups/malware

Hello PCAA, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!
* Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
* Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
* Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
* Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", th...

18 more replies

Hello everybody,

Recently my computer has acquired a malware infestation that I mostly cleaned up, with the exception of one infected item that my symantec antivirus scan detects every day, but seems unable to clean, delete, or quarantine. The filename of the item in question is tmp1AC.tmp, and it is classified as a backdoor something or other. I am not sure what exactly it might be doing, but I have noticed that my antivirus occasionally detects (and cleans or quarantines) new viruses that I think tmp1AC might be generating, and that all of a sudden there are ad panels all over the internet for 'vimax', some male enhancement thing, including sites like this one and ebay where I would not expect that kind of advertisement. Furthermore, the task manager seems to be disabled on all of my computer's accounts. I run a Dell latitude D 610 with windows xp.

Here is a hijack this log of my system

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:28 PM, on 8/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
...

Answer:Need Help in Getting Rid of Persistent Malware

Update: the threat is identified by Symantec Antivirus as 'Backdoor.Tidserv!inf'.
 

1 more replies
Question: PERSISTENT Malware

Hi Everybody

My laptop is getting lots of malware files on a semi-regular basis (about a week before it massively affects my laptop) and I remove them with the Malwarebytes program (I kept it from a similar issue), but the malware files will just come back in a week or so. I'm not going to any sites that would give it them. Does anyone know how the files are getting onto my laptop and how to stop it?

Thanks in advance
 

Answer:PERSISTENT Malware

7 more replies

Hi folks, this is my first post, but I have been reading up on your forum for a while trying to follow suggestions. I thought I could get this taken care of on my own, but alas, I must yield to some greater powers. OK, I'm running Windows 2000 in which there are multiple user accounts. I've got Adelphia's Freedom anti-virus/anti-spyware/firewall running. I also have the latest Ad-Aware SE. I have downloaded HJT and Killbox and have been using them to battle this infection. Just when I think I've gotten rid of everything, I restart the computer, and some of them are back. I have the firewall blocking a "run a dll as an app" that tries to connect to a random IP, which comes up each time Windows loads. I delete the TEMP folder after fixing the known malware with HJT, and manually deleting some of the files with Killbox in safe mode, but somehow, this file called "load.htm" keeps coming back. I've also noticed that I can't seem to shake a couple of entries in HJT: "nkni.exe" and "rjrpjk.exe". I can fix one, and the other will appear upon rescanning. I have been able to delete many of the files that this malware is creating in the system32 folder by identifying them by creation date. However, the problem has not gone away. And I have just noticed AdDestroyer and VBouncer folders in Program Files, but there is no listing in Add/Remove Programs. I recently used Find It NT-2K-XP and I think I'm very close to figuring this out, but I wanted to ...

Answer:really persistent malware

Hi youngsy and Welcome! You are so right on track with this infection! There is a fix for it also that will make it much easier for us!

Download L2MFix from
http://www.atribune.org/downloads/l2mfix.exe
or
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, Notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to.

22 more replies
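youngsy's approach of picking out the dropped system32 files by creation date is a sound triage step: the infection L2MFix targets plants several random-named files in one go, so everything created within a minute or two of one known-bad file is worth a look. As an added example, not part of the thread or of L2MFix, here is a Python script that implements that step over a `dir /TC` listing (the /TC switch shows creation time): given one or two names you already know are bad, it returns every file created within a short window of them. nkni.exe and rjrpjk.exe are the names from the post; every other entry in the constructed listing, and all the timestamps, are made up for the demo.

```python
import re
from datetime import datetime, timedelta

# Constructed `dir /TC` (creation-time) listing of a system32 folder. The two
# seed names come from the thread; every other entry and all timestamps are
# made up for the demo.
SAMPLE_DIR_TC = """
 Volume in drive C has no label.
 Directory of C:\\WINNT\\system32

08/14/2005  09:13 PM    <DIR>          .
08/14/2005  09:13 PM    <DIR>          ..
06/19/2003  12:05 PM            14,336 svchost.exe
07/02/2005  08:40 AM           286,720 msvcrt.dll
08/14/2005  09:13 PM            57,344 nkni.exe
08/14/2005  09:13 PM            61,440 rjrpjk.exe
08/14/2005  09:14 PM            90,112 ctpqmj.dll
08/14/2005  09:15 PM            90,112 fpl0l17m1.dll
08/14/2005  11:02 PM            28,160 wuauclt.exe
"""

# One entry line: date, 12-hour time, size or <DIR>, name (names may contain spaces).
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)


def parse_dir_tc(listing):
    """Return [(name, created)] for every file line of a `dir /TC` listing,
    skipping directories and the volume/summary chatter."""
    out = []
    for line in listing.splitlines():
        m = DIR_LINE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        created = datetime.strptime(
            m.group("date") + " " + m.group("time"), "%m/%d/%Y %I:%M %p"
        )
        out.append((m.group("name"), created))
    return out


def created_with(listing, seeds, window_minutes=2):
    """Names of files created within window_minutes of any seed file (the
    known-bad droppings), oldest first. The seeds themselves are included so
    the cluster can be reviewed as one unit; [] if no seed is in the listing."""
    entries = parse_dir_tc(listing)
    by_name = {name.lower(): created for name, created in entries}
    anchors = [by_name[s.lower()] for s in seeds if s.lower() in by_name]
    if not anchors:
        return []
    window = timedelta(minutes=window_minutes)
    hits = [(created, name) for name, created in entries
            if any(abs(created - a) <= window for a in anchors)]
    return [name for _created, name in sorted(hits)]


if __name__ == "__main__":
    for name in created_with(SAMPLE_DIR_TC, ["nkni.exe", "rjrpjk.exe"]):
        print(name)
```

Produce the listing on the infected box with `dir /TC /A C:\WINDOWS\system32 > listing.txt` (C:\WINNT\system32 on Windows 2000), and widen window_minutes if the cluster looks cut off. Confirm each hit by other means (no version information, no digital signature, a CLSID registration pointing at it) before deleting, because a legitimate update also drops a handful of files at once.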

Hello,

I have a little malware problem (hclean32.exe, and Adware.LiveChat) that's refusing to go away no matter what I do. I've tried turning off System Restore, going into Safe Mode, scanning and deleting with Norton, Spybot S&D, Ad-Aware, and Ewido, and I've tried deleting files manually using Killbox and RegSeeker, but it still keeps coming back. Basically, when I start up, everything's fine and dandy, and scans with these programs all show a clean system, but after a while Norton would alert me that there's the hclean32 trojan in my system32 folder, but it can't fix it. Then, it also detects Adware.LiveChat (rdsndin.exe, also in system32), and removes it. And afterwards, a scan with Spybot shows that C:\WINDOWS\balloon.wav is infected with FindSpy.A (balloon.wav is not there at startup). Can someone please help me out? I really don't know what to do. Thanks a lot in advance (I've listed a bunch of visible symptoms and attached a HJT log for your perusal).

Symptoms:

- Upon loading, some sites are being redirected to other addresses, most of them undesired pornographic sites.
- Sometimes a warning box pops up saying that Windows Firewall detects malware activity, and prompts you to fix it (pretty sure this is one of those fake alerts that direct you to rogue spyware sites).
- Norton Antivirus detects hclean32.exe, but cannot fix it. Right after it detects hclean32, it detects Adware.LiveChat too, always in that pattern and order.
- Right...

Answer:Persistent malware - please help!

16 more replies

I ran Spybot S&D and it told me I have a bot called Virtumonde. I tried to fix the problem but it told me that it couldn't do it. I looked at the details for the problem and it lists a file named pmnlm.dll. I don't know what this is but it's in the system32 folder and I can't get rid of it and don't know if I even should. How do I get rid of this persistent bot? Also, I have run Spybot in Safe Mode and it still can't get rid of it.

Another issue: it seems that every time I try to get online and listen to the radio, Firefox has a problem and needs to close. This is not the only browser that has this issue, and it's not just on one site. Any ideas what might be causing this problem?

Note: I am currently using Spybot, Adaware, Avast antivirus, AVG antivirus, and ZoneAlarm personal Firewall on my computer. I am running Windows XP Home SP2. Thank you for any help you can give me.

Answer:Persistent Malware?

Hi KaTtLaDy,Follow the instructions in the removal guide; How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo..

1 more replies

As per the title, I am working on a laptop belonging to my fiancé's family and I cannot figure out what's wrong with it. In non-safe mode, there is no internet access at all, just "limited connectivity" to the network. I whipped out my PSP and had no issues getting on the network and putzing around. I rebooted in safe mode, and had internet, but there is something preventing the already-installed Spybot from running, and also keeping me from installing other programs like Ad-Aware. Thankfully I was able to run HijackThis and DDS and have logs. Maybe somebody here can shed some light on this, because I certainly can't figure it out.

I asked if they had gone to any unusual sites lately or seen any notifications on the Spybot resident (installed on the laptop at my request). I found out they were trying to watch a TV show on some site other than the network's (ABC or NBC.com or such) or some other legitimate site (like Hulu), and did get a Spybot notification, but denied the change (I taught them to just deny everything). I did some hunting through the browser history and found out the site they were at was: <http://a-episodes.blogspot.com/2009/04/watch-biggest-loser-season-7-episode-15.html>

They confirmed this as the site that they visited, or at least one of them, that had asked them to install something as soon as they hit the "play" button, which they subsequently denied. Also, another suspicious looking history entry, which may be unrelated but I thoug...

Answer:Google redirection, no internet outside of safe mode, blocking Spybot and other AV tools

Bump.

-------------

Hello. While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of...

9 more replies

Hi. I am trying to diagnose a problematic laptop for a friend. I don't know the details of what happened to cause the problems. The main problem I can detect is that the laptop is EXTREMELY slow. It seems like anything I try has a delayed response (even a simple mouse click). I followed the Malware Removal Guide, but was only able to run two of the five suggested tools as follows:

1) SUPERAntiSpyware - I ran this after manually updating the definition files on the version already installed and the scan found nothing.

2) Malwarebytes Anti-Malware - I was not able to update the definition files for the current version installed. After several attempts to uninstall this (via the Control Panel), I was able to do it via CCleaner. However, I was not able to re-install a more recent version due to problems with the Windows Installer service. After uninstalling an outdated version of Java (Update 14) via the Control Panel, I have not been able to install/uninstall any more programs.

3) combofix.exe - not compatible with 64-bit OS

4) RootRepeal - did not run on 64-bit OS

5) MGtools - did run; kept getting errors, but continued to completion

Attached are the SUPERAntiSpyware and MGTools logs:
 

Answer:Possible Malware preventing me from running malware removal tools

I am not seeing any malware in those logs. I do not know why MalwareBytes would not run, are you able to run it in safe mode? How does the PC behave when you use safe mode?

More than likely I think I will be sending you off to the software forum.

We can do this:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - (no file)
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - (no file)
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsM...

5 more replies
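Both HijackThis answers on this page (this one and the earlier one for the Trojan.Media-Codec/V4 laptop) ask the poster to fix O2/O3 entries whose DLL is "(file missing)" or "(no file)": those are orphaned registrations left behind by an uninstall or an earlier cleanup, harmless in themselves but worth clearing so later logs stay readable. As an added example, not from either thread and not part of HijackThis or MGtools, here is a Python triage for that log format that separates orphaned entries from registrations that still load something, flags autoruns that go through rundll32 or run from temp/profile paths, and reports the registry location each one lives in. The sample lines are constructed: the AVG, "(no name)" and DWQueuedReporting entries mirror ones quoted in the threads, while the Example Helper CLSID and the Temp\example_dropper.dll autorun are made up.

```python
import re

# Constructed sample of the lines HijackThis (MGtools' analyse.exe is the same
# scanner) prints. The AVG, "(no name)" and DWQueuedReporting entries mirror
# ones quoted in the threads; the Example Helper CLSID and the
# Temp\example_dropper.dll autorun are made up for the demo.
SAMPLE_LOG = r"""
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: (no name) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - (no file)
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\helper.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKCU\..\Run: [updater] rundll32.exe C:\WINDOWS\Temp\example_dropper.dll,Start
"""

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_TOOLBAR = re.compile(
    r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<target>.*)$"
)
AUTORUN = re.compile(
    r"^(?P<kind>O4) - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$"
)
# Places legitimate software almost never autoruns from. A hit is a
# "look closer", not proof of infection.
VOLATILE_PATH = re.compile(r"\\(temp|local settings|appdata|recycler)\\", re.I)


def classify(line):
    """Triage one log line. Returns a dict with kind, verdict, why and the
    registry location to clean, or None for lines this parser ignores."""
    m = BHO_TOOLBAR.match(line)
    if m:
        kind, clsid, target = m.group("kind"), m.group("clsid"), m.group("target").strip()
        where = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\%s" % clsid
                 if kind == "O2" else
                 r"HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar, value %s" % clsid)
        if target == "(no file)" or target.endswith("(file missing)"):
            verdict, why = "orphaned", "registration points at a DLL that no longer exists"
        elif VOLATILE_PATH.search(target):
            verdict, why = "suspicious", "add-on loads from a temp or profile directory"
        else:
            verdict, why = "ok", "DLL present at an install location"
        return {"kind": kind, "name": m.group("name"), "clsid": clsid,
                "verdict": verdict, "why": why, "where": where}
    m = AUTORUN.match(line)
    if m:
        cmd = m.group("cmd")
        where = r"%s\Software\Microsoft\Windows\CurrentVersion\%s, value [%s]" % (
            m.group("hive"), m.group("key"), m.group("value"))
        if re.search(r"rundll32", cmd, re.I) or VOLATILE_PATH.search(cmd):
            verdict, why = "suspicious", "autorun uses rundll32 or a temp/profile path"
        else:
            verdict, why = "ok", "autorun from an install location"
        return {"kind": "O4", "name": m.group("value"), "clsid": None,
                "verdict": verdict, "why": why, "where": where}
    return None


def triage(log_text):
    """Classify every recognised line; unrecognised lines are skipped."""
    return [r for r in (classify(l.strip()) for l in log_text.splitlines()) if r]


def summarize(results):
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print("%-10s %-3s %-25s %s" % (r["verdict"], r["kind"], r["name"][:25], r["where"]))
```

Feed it the whole HijackThis log; anything it does not recognise (R0, O1, O23 lines and so on) is skipped. The "where" field is the key or value to remove in regedit if you would rather clean an orphan by hand than click Fix.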

Hi, I got infected because I was trying to run Malwarebytes and it skipped the part of analysing the files; it ended in around 1 minute in a full scan, and I tried to download Dr.Web CureIt, and it didn't allow me. The computer seems fine, but those things are very strange, and when I was running the scan I was in safe mode...
 
thanks for the help

Answer:Malware infected, malware removal tools useless

Greetings samidelcueva, and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum. My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter pro...

0 more replies

Hi there, can someone have a quick review of this HijackThis log and see if there is anything obvious? My PC is randomly opening IE and Firefox windows and runs very very slowly. I have Avast installed as well as ZoneAlarm and Ad-Aware. Have tried running Malwarebytes, Spybot, Ad-Aware etc. and although they find some things, the issue is still present.

Thanks in advance
Steve

Scan saved at 11:34:10 PM, on 8/5/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
C:\WINDOWS\system32\...

Answer:Persistent Virus / Malware help

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
* Do not run any other tool until instructed to do so!
* Please do not attach logs or put them in code boxes.
* Tell me about any problems that have occurred during the fix.
* Tell me of any other symptoms you may be having as these can help also.
* Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more

3 more replies

I have a malware infection that is causing phishing sites to open new tabs in Google Chrome and begin downloads. It is bypassing Chrome's usual .exe file warning and everything. I tried every malware fighter I could find with no luck. I then formatted and reinstalled Windows. Next day it was back. I have two users on Chrome with synced apps, bookmarks, history, etc. Every time I have logged both in. I now have a new PC built at another location. All I have installed so far is Chrome and two printer drivers from the manufacturers. I set both Chrome users to only sync bookmarks and saved passwords. I am now getting this same issue happening again. I am out of ideas and hoping someone might have some suggestions.

More replies

I need help please, I have been battling a virus/malware problem for 2 weeks. I've used MalwareBytes, IOBit Security 360 and Spybot, and they all find lots of issues each time I run them. I've also got McAfee running, but even though I try to clean everything using these tools, I find that once I start browsing again strange things happen: the browser closes unexpectedly, or it spawns multiple instances of IE, or I get intermittent ads popping up. When I run the cleaners again they find lots of nasty stuff. I'm using XP SP3, IE8 and everything is incredibly slow.

All help / ideas much appreciated
Thanks

Answer:Persistent malware / virus

16 more replies

I am dealing with a PC that has some kind of persistent malware. It used to have Vundo and Security Toolbar 7.1 on it, which I cleaned off. The current symptoms are these bogus security warnings that pop up, with a lot of spelling errors, saying I have this or that piece of malware/virus/trojan and prompting me to download some kind of bogus fix for it.

I ran all of the recommended things - except that because I am having trouble with IE, I could not run Panda ActiveScan. Also, dss.exe stopped in mid scan and I could not close it to re-run it. Therefore, the only log I have for you is HijackThis - below.

Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:16:38 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program ... Read more

Answer:persistent malware won't leave (yet)

Oops. I failed to notice the following:

NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.

So please ignore my post on this bit of malware, as I also posted it on another forum. My apologies. I have another one that I would like to post here (my daughter's laptop is going really slow) but I am waiting to get the log file from her.......

2 more replies

I am having some serious malware/virus problems. I keep getting the popup "application cant be executed. the file wmiadap.exe is infected do yuo want ot activate your antivirus" and also another antivirus popup alert. I scanned the computer with Malwarebytes, which found 1 thing, and Ad-Aware found something too, so I thought I was okay, but when I got out of safe mode nothing is fixed. I used the fix.exe before the scans too. In normal mode I can't access any programs, they just get overrun by the virus; also IE pops up every few minutes with some porn site. The computer seems really messed up. Any help would be appreciated. I did manage to install HJT and get a logfile, below, hope it helps. I've scanned it 3-7 times over the last few days and sometimes it finds nothing, other times it will find a trojan file, but it never leaves.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:09:32 PM, on 5/8/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.17037)
Boot mode: Safe mode
Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.mic... Read more

Answer:persistent spyware malware

Any help please. Am I missing any information you guys need?

2 more replies

Hello,
I have a persistent malware infection, and could use some help locating and removing it. I have followed all the removal instructions on the site, and have used updated versions of Windows Defender, Ad-Aware, Spybot, and Stinger, to no avail. I get a constant stream of popups from various sites, including WinAntivirus Pro, SysProtect Scanner, Party Poker, and various adult sites, but no detections of spyware. I had a Nebuler infection months ago, but thought it was removed, and don't find any of the files associated with that trojan. Here is my HijackThis log. Any advice would be much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 2:50:18 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\wwSecure.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHel... Read more

Answer:Solved: Help with persistent malware please

6 more replies

McAfee indicates that malware is trying to send emails using my computer. First, I get an alert that says something like "an email is being sent to 5 addresses." Then McAfee VirusScan indicates something like "1 of 4 emails have been sent, 3 emails could not be sent" to different email addresses that I don't recognize. This problem appears to start when I open my browser. (I'm unsure if it happens when opening other apps, too.) The browser is usually delayed in opening for 30-60 seconds, finally opens to my Google page, and then within a few minutes McAfee alerts me of the email problem above.

Before finding your site I ran McAfee and deleted the following viruses:
Trojan - Spam-Mailbot
Files: three(1).exe
Bootloader.exe
Windows\system32\cqkjlxn.exe (deleted)
Windows\system32\upwjhphj.exe (deleted)


I have gone thru the steps you've recommended (1 thru 6).

Spybot finds 2 items under Troj.PrintSpool. These items seem to come back either in the same form

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uoo9feuzbauxue6

and

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\uoo9feuzbauxue6

or in a slightly different form (i.e., the file name changes to e.g., fceydats7eeoaeor)

CounterSpy found a number of viruses but I deleted them and don't remember what they were (one of your steps says to delete quarantined files in A/V folders). When I ran CounterSpy ... Read more

Answer:Persistent malware problem

Some additional attachments for this post...

24 more replies

Hello,

I've been trying to rid myself of this one for some time. Using a combination of Malwarebytes and Sophos I've tried hard, and was able to remove it for several days, at which point it came back with a vengeance. I did this DDS scan as soon as I realized it had come back, without taking any additional removal steps. Something is being left behind...

Malwarebytes finds the following: Trojan.Zlob.H, Trojan.Agent, Trojan.Vundo, Malware.Trace, Trojan.Downloader, Virus.Virut, Hijack.Regedit, Hijack.FolderOptions

I've also tried vundofix, which wasn't helpful. I've tried turning off system restore, booting into safe mode, and running all removal software. Nothing has been able to completely rid me of this.

Thanks in advance for your help, it is very much appreciated.

Below is the DDS log:
DDS (Ver_09-05-14.01) - NTFSx86
Run by Trevor Hodges at 21:41:00.20 on Mon 05/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

============== Running Processes ===============
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://esupport.sony.com/EN/info/vaioupd/noupdates.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keywo... Read more

Answer:Malware / Virus, Very persistent!

Hello northwest_trail,

"I've tried turning off system restore"

Please turn System Restore on. Do NOT start your fix by disabling System Restore. This rule applies to any manual fixes and is especially true for spyware removal. That is because disabling System Restore wipes out all restore points. Should a problem arise during the fix you would have NO good working configuration to go back to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.

Are you a Java programmer? Do you use Java DB or the Java Development Kit in your work? If not, then uninstall these:
Java DB 10.4.1.3
Java™ SE Development Kit 6 Update 12

Uninstall these old versions of Java, as they are malware magnets:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 2
Java™ SE Runtime Environment 6 Update 1

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

Please post the Malwarebytes log so I can see what it is finding.

2 more replies

Hi, I have been having problems with my laptop for about a month now, where my browsers keep crashing, and now won't open at all (other than IE8 64-bit, which can't run flash). I also can no longer open most programs, and hence have not attached any logs as I haven't been able to get any malware removal tools working.

I'm running windows 7 and would greatly appreciate your help.

Thanks

Answer:Persistent Malware problem!

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Administrator


You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
Rkill.exe
Rkill.com
Rkill.scr
Rkill.pif
* Double-click on the Rkill desktop icon to run the tool.
* If using Vista or Windows 7 right-click on it and choose Run As Administrator.
* A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
* If not, delete the file, then download and use the one provided in Link 2.
* If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
* Do not reboot until instructed.

If you are having problems running Rkill, you can download iExplore.exe or eXplorer.exe, which are renamed copies of Rkill.com, and try them instead.

* If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run then try to immediately run the following.

Now download and Run exeHelper from Raktor
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to clo... Read more

19 more replies

Hello,
I definitely have something going on. I had a bit of a bonehead move, and apparently did not have my AVG active, but thought I did, which is how this happened. It is now active. My system is super slow and bogged down. The main symptoms of the virus/malware are: when a website loads and I click on any part of the page for the first time, another page pops up (beginning of the site name ad-advertise). This happens almost every time I load a new website. Also if I go to any sites which have shopping capability, a magnifying glass pops up in the corner of the picture and if you roll over it, an ad pops up and prevents me from clicking on anything else.

I've run all the procedures - READ ME FIRST, Pc cleaning procedure, google redirect procedure. Still having issues. I've attached my logs.

Oh, and something similar happened before, so I had bought Hitman Pro because it fixed it. Prior to running the procedures, I ran Hitman in the hopes it would do the trick, and I deleted something it found. I've attached that log from a few days ago. Then I read your instructions not to delete... sorry about that, hope it didn't make anything worse. :/

Thank you so much for any help.

Answer:Persistent malware/pop up ads/redirection

It doesn't want to attach my log for TDSSKiller, so I'll rerun and keep trying.
Thanks.

18 more replies

Hi, I have been following a thread with a similar problem at this thread:
http://forums.techguy.org/malware-removal-hijackthis-logs/406823-solved-trojan-vundo-virus.html
but I'm still getting problems and I fear I have something persistent in my computer. I have run VundoFix, Spyware Doctor, SmitfraudFix, online ActiveScan and HJT. Below are the logs from HJT and ActiveScan. Please advise me on the next steps. Thank you

Incident Status Location

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Carol Schill\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Carol Schill\Desktop\SmitfraudFix\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Carol Schill\Desktop\SmitfraudFix\SmitfraudFix\restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Carol Schill\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Carol Schill\Desktop\SmitfraudFix.zip[SmitfraudFix/Reboot.exe]
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Carol Schill\Desktop\SmitfraudFix.zip[SmitfraudFix/restart.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cvlnsulr.dll


Logfile of HijackThis v1.99.1
Scan saved at 7:20:59 AM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2... Read more

Answer:Persistent Spyware/malware

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
...
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

1 more replies

Hello,

I've run some of the free malware/spyware removers that I've found online to try to clean up this persistent redirect virus that I have, but I just can't seem to kill it. Every other link I click from a google search redirects me to some kind of link farm type page. Thanks for any help you're able to provide, I'm including the information as requested by the sticky file at the top of this forum.

Turns out I'm not able to get GMER to run without crashing. I'll keep working on it and post that attachment when I get it to work, but I'll go ahead and submit the info that I do have now.
Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:32 AM, on 8/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Sony\Reader\Data\bin\la... Read more

Answer:Redirect malware, very persistent

7 more replies

Greetings from Adelaide South Australia.



When installing an updated freeware application, I received this warning (the warning seems to be coming from the installer, not my Comodo firewall or Avast antivirus):

"Malware has been detected in C:\windows\system32\pxwma.dll"

Advising me to remove it using an anti virus application.

I did a thorough search on startup using Avast. That found 2 rootkits which I removed. The warning still came up. I then ran thorough scans with COMODO and Spybot Search and Destroy. They found nothing. The warning still comes up.

I have also tried a clean install, removing all vestiges of the old one from my system.

If I ignore the warning the application doesn't work properly.

Any suggestions on what to do would be appreciated.

Answer:Persistent malware warning.

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a differe... Read more

1 more replies

Hi Jason

See: http://www.bleepingcomputer.com/forums/topic420234.html

Combofix Log as requested:
ComboFix 11-09-23.03 - Ed 09/23/2011 17:33:22.1.4 - x64
Microsoft? Windows Vista? Home Premium 6.0.6002.2.1252.1.1033.18.5886.4448 [GMT -5:00]
Running from: c:\users\Ed\Desktop\ComboFix.exe
AV: Panda Cloud Antivirus *Disabled/Updated* {86971480-9989-6750-B122-681A86518D59}
SP: Panda Cloud Antivirus *Disabled/Updated* {3DF6F564-BFB3-68DE-8B92-5368FDD6C7E4}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files (x86)\TotalRecipeSearch_14
c:\program files (x86)\TotalRecipeSearch_14\bar\Settings\s_pid.dat
c:\program files (x86)\TotalRecipeSearch_14EI
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\Default\AppData\Roaming\DPInst.exe
c:\users\Default\AppData\Roaming\gacutil.exe
c:\users\Default\AppDat... Read more

Answer:Persistent Malware, WebSearch

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/420472 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies

First signs of trouble were event logs with errors, one nonspecific "serious error" on startup, and extremely slow PC performance (CPU was always at 100% according to Task Manager). Then AVG found Win32/Cryptor but no longer reports that threat. I've run AVG several times and found other threats. Have not run anything like Spybot. Have not run any scans in safe mode. Below are the results from MalwareBytes. Appreciate the help!

First priority is cleaning my machine, but I would also like to know if I could have gotten infected from an external hard drive my PC was writing to, not from, and could my memory stick infect someone else's computer?

Malwarebytes' Anti-Malware 1.44
Database version: 3584
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

1/17/2010 12:36:44 PM
mbam-log-2010-01-17 (12-36-34).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 350529
Time elapsed: 1 hour(s), 30 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DE... Read more

Answer:Persistent malware/possible rootkit?

Welcome to BC, balfiecat

Link to topic in AVG Free Forums .... Win32/Cryptor and Trojan horse Downloader.Generic9.AHOJ

Be back to you soon.
'Alien

84 more replies

I've had some tough days with malware lately.

I use three scanners: Avira AntiVir, eScan (MWAV) and HouseCall. The stuff found by HouseCall and AntiVir doesn't seem to come back, because these scanners come up clean when I scan with them again (after a computer restart). However, some stuff found by eScan keeps coming back after I restart the computer. Some of the stuff found by eScan are Possible Fujacks-type Worm, Zlob Trojan-downloader, Gain.Gator Spyware/Adware and Look2Me Adware. Even though eScan says that it has removed them, at a new scan after a computer restart, it finds the two last-mentioned things again and again (and says again that it has removed them!).

Do I notice the presence of this malware? Yes. The computer makes a lot of noise like when it is performing a heavy task for no apparent reason (probably contacting daddy and/or downloading new malware). It tries to unprotect spyware sites/cookies which Advanced Windows Care has listed under spyware, and thus blocked. It tries to change my standard browser from Firefox to Internet Explorer. Norton AntiVirus doesn't seem to autostart anymore (obviously the malware doesn't know of Avira AntiVir). These are some things I've noticed for certain; there is some other "suspect" behavior, as well as there probably being things I haven't noticed.

So what can I do to get rid of this? It seems like my computer is deep in the grip of the malware, so I gotta win it back! ... Read more

Answer:Persistent malware which refuse to go away!

I forgot to add that Spy Sweeper (I have the free version, that can scan but won't remove anything) has found clientman.

2 more replies

Hello. This is my first time posting on this forum, and I'm in need of some help.

I'm currently trying to save the computer that my family uses from having to be reformatted/replaced. I've been able to eliminate most problems in the past, but this one has me at a loss. I've run Spybot, Ad-Aware, and Microsoft AntiSpyware Beta, and they find the same adware/spyware repeatedly. The main malware discovered is Ezula, WebHancer, DelFin MediaViewer, Virtual Bouncer, AdDestroyer, WinTools, and what AntiSpyware Beta identifies as Unclassified.Spyware.B.

I purchased and installed Norton Antivirus 2005, but I have yet to be able to get it operational. Whenever I try to perform any functions with it, the system freezes and I am forced to reboot. Additionally, I am unable to successfully use online scanners. I have tried TrendMicro, Panda ActiveScan, and Kaspersky online scanners. However, my system freezes while attempting to download and install the required ActiveX components. I have also downloaded the trial version of Ewido Security Center. When I attempt to start a scan using Ewido, my system locks down for a few seconds, and then reboots on its own. These symptoms do not change when I boot the system into Safe Mode.

This system was recently infected with Aurora/Nail.exe. As far as I can tell, I was able to disable Nail.exe from running at startup by using HijackThis, but the problems that stemmed from it still persist. I have included a HijackThis log. Th... Read more

Answer:Persistent Malware (HJT log included)

You have Ewido and Norton running - only one AV should be running.

Fix these

O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Owner\LOCALS~1\Temp\20055102141_mcappins.exe /v=3 /cleanup

O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

1 more replies

I am running WinXP Pro, and I recently got a windows alert warning me of a spyware infection. Trusting Microsoft (fool), I followed instructions and I now have Winavxx.exe in my system32 folder.

I have tried AVG antispyware, CyberDefender, and Spyware Doctor.

The first two recognise it as a malware downloader, but can't deal with it, and it won't allow Spyware Doctor to open.

It has removed control Panel, disabled AVG antivirus, and my Keywallet form filler, and everything it DOES allow happens in geological time.

I can't afford expensive software, and a format C would cost me years of work.

Can anyone help, please.

Don T

Answer:Persistent Malware-Removal?

12 more replies

Hi,

New here. I have tried many programs like AVG, Avast, Ad-Aware, VundoFix, ComboFix etc etc etc but they still don't go away. So here I am... hoping you guys can help me clean my system!

I currently have AVG Anti-Spyware, Ad-Aware and Avast Antivirus installed. Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 05:22, on 07-06-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devic... Read more

Answer:Help With Persistent Malware Infection

Hello there and welcome to Bleeping Computer's security forum. My name is David, I will be helping you with your log today.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

11 more replies

I have been trying to remove this malware from my computer for a couple days and have tried everything... The latest scans show - Ad-aware identifies Win32.Trojan.BHO and Adware.Coupon Bar, SpyBotS&D identified Virtumonde, while Online Scan by MS OneCare could not delete Win32/Win Show.gen. Below is the current Hijack Log. Thanks in advance for any help you can provide...
Dave

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:17 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\... Read more

Answer:Persistent Malware/Trojan

Problem persists after hours of trying to fix. Steps I recently took are below. The latest Hijack log follows the steps that I took.

Here are the steps:
1. Removed computer from network/internet
2. Went to Control Panel and Add/Remove Programs. Took no action and removed no programs.
3. Disabled real time monitoring programs
4. Ran CCleaner and ATF cleaner
5. Ran Ad-Aware
Identified 9 critical objects (1 module, 3 registry keys, 2 registry values, and 3 files) - related to the following: Win32.Trojan.BHO and Win32.Trojandownloader.zlob. Removed all including the MRU list.
During the process explorer identified that there was an error and must close. Additionally, Dr Watson Postmortem debugger error and must close.
Computer locked and had to end application from Windows Task Manager.
6. Ran SpyBot S&D
Took a long time to load (1-2 Mins) and was using 95% of resources. Identified that Microsoft Security Center was disabled and Virtumonde. Fixed.
7. Ran Norton AntiVirus - Full Scan
Identified Trojan Vundo
Computer restarted.
8. Ran Trojan Hunter
Performed full scan. Identified:
Trojan Exploit MS06-001.100 (2 instances)
TrojanDownloader.Tiny.227 (1 instance)
Tried to fix. 1 item could not be quarantined. Symantec turned on again and identified that it captured Trojan.vundo
Identified to reboot, however I did not at this time but decided to run AVG AntiSpyware.
9. AVG AntiSpyware
Identified Adware.Coupons
Deleted
10. Ran CCleaner
Shut ... Read more

16 more replies

Hello BleepingComputer personnel,
 
My name is Devlin and I have been having many issues with my HP 6z-1000 sleekbook laptop, HP h8-1050z desktop, android Galaxy S4 phone and a multitude of peripheral devices that I use between the three.  I believe I have been the focus of a socially engineered attack whereby the assailants would have had physical access to my machines at nearly any time.  After months of reinstalls, scans, research, and nearly 100% isolation from people I have come to discover a trace of information that leads me to believe the persistent nature of my problems may be a form of the TDL-4 virus.
 
For the sake of full disclosure my group of suspects includes a former digital forensics expert, a criminal who bears conviction for creating and running botnets from before he was 18 (criminal record sealed) that includes breaking laws which include FCC regulations, a former Google employee, active members of the crowd-sourced HP support forums, a nationally recognized major label touring artist, owners of a nationally franchised horror-con/festival, and many others from some "other various walks of life."  I personally own a recording studio and record label through which I have worked with or befriended all of the above loosely related individuals.  I mention the previous for two reasons, one, I would like you to be informed of the level of personal involvement and technological background of those close to my issue, and two, since I... Read more

Answer:Persistent Malware - TDL-4 or similar

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/512647 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies

System is an IBM thinkpad P4 running XP Pro SP3.
Initially I thought fixing it would simply be the removal of "Security Essentials 2011". I removed it, cleaned up the hosts file, and then tried running Malware Bytes, SDS, SAS, and even AdAware. MS Security essentials gives an access denied error 0x80070005 and will not start.

I know, run HijackThis and post the log. Well, when I go to fire it up, it begins the scan and then just closes without any error message.

So the weird thing is that when I go into the folder of the tool that won't run, the program file is there, but has lost its icon and is read only in some odd state that I cannot delete or change the permission of. I am logged in as Administrator, but do not have access to these files.

Any help out there??? I am trying NOT to format this machine.

Answer:The most persistent virus/malware I have seen

I should also mention that I have even tried scanning this hard drive attached to another machine. It found a few files, but my infection remained.

2 more replies

My original problem was Virtumonde, identified by my Spysweeper sweeper. Multiple scans and reboots would not clear it and I began to get numerous popups offering virus removal tools (Antivirus 2009).

I followed the Malware Removal procedure and am attaching the first three logs. After following the procedure, I have developed an additional problem. Internet Explorer launches only one out of ten times. The other nine times, a process is created in Task Manager, but no application or window.

Thanks in advance for your help.
 

Answer:Help Removing Persistent Malware

Here is the fourth log.

Thanks again.
 

6 more replies