Computer Support Forum

Severe infestation of various forms of malware

Question: Severe infestation of various forms of malware

Hello,

I have recently tried using an old laptop that was given to me. The first sign of problems was the laptop's unbootable boot volume. I managed to use the recovery option on an XP installation disk to fix it. Once I booted into the system, the computer was very, very sluggish. Startup would take an extremely long time. At first I merely attributed this to the bloatware and crappy processor. Then I installed various antispyware and antivirus programs. Lo and behold, avast caught about 30 malware objects with a boot scan. Malwarebytes caught an additional 3. SUPERAntiSpyware caught another 3 infections. Lastly Avira caught 2 infections. At this rate, I know that there is still malware on my laptop, which may be regenerating itself or be stealthed. Anyway, if you want these logs, feel free to ask. Thanks so much for reading this; here is my HijackThis log at the bottom of this post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:07 PM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sandboxie\SbieCtrl.exe
C:\Program Files\Common Files\AOL\1134329793\ee\AOLHostManager.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\AOL\1134329793\ee\AOLServiceHost.exe
c:\program files\common files\aol\1134329793\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1134329793\ee\AOLServiceHost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://media.fastclick.net/w/safepop.cgi?cid=45634&mid=91072&sid=10199&c=34
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134329793\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145558238546
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
--
End of file - 9633 bytes


Answer: Severe infestation of various forms of malware

6 more replies

Hello and thanks for the help!

I have included my HJT log (way down below) for analysis. I can see some of the malware, but before I try any of the various removal tools, I need a professional opinion on how best to proceed. But first, here is the history of the infestation and the current symptoms.

Yesterday I was using IE on my Win2k laptop and simply followed a google search result for how to tune the carburetor on my chainsaw and when I clicked, I saw a command prompt window appear which was obviously running an unauthorized executable. I immediately closed it, but I was already infected. (Just for the record, I have, until recently, always run the automatic MS update stuff, but in April, something in the update was running continuously and slowing the laptop to a crawl, so I disabled it in utter frustration with M$--with the result that I have not had an update to Win2k, IE, or MS Office since April. Also, I had a pending Java update which I hadn't installed. Anyway, any of these omissions probably made me vulnerable...)

Immediately after the infection, I started seeing unexpected popups from "Outerinfo" which was obviously included as one Adware component of the overall Malware payload. I did a quick search on Tom Coyote and found some instructions for removing Outerinfo, and did so using the Add/Remove Programs tool in the control panel. Somewhere about this time, I saw a popup that wanted me to buy some kind of malware removal tool--obviously part o... Read more

Answer: HJT log analysis needed -- Severe Malware Infestation

14 more replies

I have used AdAware SE, Spybot S&D, HijackThis and Norton Antivirus on a friend's laptop to reduce the number of problems to the 8 listed below:

C:\winnt\system32\elitebgc32.exe
C:\winnt\system32\elitecdu32.exe
C:\winnt\isrvs\mfiltis.dll
C:\winnt\protector_update.exe
C:\program files\netmeeting\ss\serverside.dll
C:\winnt\ssqb.exe
C:\winnt\sstb.exe
C:\winnt\ueuimeaim.dll

I'm also attaching my latest HijackThis log, in the hopes that someone can give me direction on how to make the final assault in cleaning up this laptop.

Thanks in advance,
tpdeiley
 

Answer: severe laptop infestation, but almost clean

Here is the above's HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:39 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.gateway.net
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.websearch.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.1... Read more

3 more replies

Hello, I am in need of some serious assistance with my home laptop. I had made the mistake of letting my friend use my laptop while I was asleep and awoke to find him restarting my machine because of a virus. Well, needless to say, from that point on it's been hell. I have never seen an infestation of viruses and spyware like this in my life and I cannot remove them all; I acknowledge that I need to format and start fresh.

That said, here is my problem.

My laptop no longer has an internal CD-ROM device nor has it ever had a floppy drive. I am using an external USB CD/DVD drive. That said, I cannot use my system recovery CD because it is a USB device (as far as I know)....

What options do I have to reinstall XP on my machine while wiping the current C drive?

I'm really at a loss here, so please help!
- Thanks
 

Answer: Need help with format/reinstallation of XP (due to severe virus infestation)

8 more replies

I am trying to help a friend clear out residual malware from their system. A while back they had an Antivirus 2009 infection; they worked through it and thought they had it clean. Now they are having popup issues, as well as browser hijacks, and (a new one on me) random audio advertisements without any page being displayed. I will post my log files. Their system is WinXP Media Center Edition SP2. Thank you in advance.
 

Answer: Malware infestation.

and here is the MGlogs
 

15 more replies

Greetings,

Can you please help me get rid of this bug infestation?

The first indication of trouble was a fake "XP Antivirus 2012" issue about a month ago. I think I got rid of that using MBAM, but there are still some lingering issues. The main symptom is that web hyperlinks often get misdirected to the wrong URL. (e.g. I click on a link for a Microsoft page and get an advertisement instead.)

McAfee deletes a bunch of Trojans each time I run a scan, but the symptoms persist and more Trojans return after reboot. (I can post the most recent McAfee log if you want it.)

attach.zip is attached
dds.txt is pasted below

Thanks in advance!
Scott


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Quality at 17:58:10 on 2012-01-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1439 [GMT -5:00]
.
AV: McAfee? Security-as-a-Service Anti-virus *Enabled/Updated* {8C354827-2F54-4E28-90DC-AD391E77808C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\C... Read more

Answer: Malware Infestation

Hello and welcome to TSF.

The system is still infected with what's known as ZeroAccess trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Do not change passwords or do any transactions from the infected computer until it has been cleaned.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

===================

Please note that more than one round may be needed to properly eradicate malware. In co-operation with the cleaning process, please:
do not uninstall/install any programs unless asked to do so, to make it easier on us as it is more difficult when files/programs are appearing in/disappearing from the logs;
do not run any tools or scans other than those requested;
follow all instructions in the order they are presented;
if you have problems with or do not understand the instructions, ask before continuing;
stay with this thread until given the All Clear, as absence of symptoms does not always mean the machine is clean;
do not attach any logs/reports, etc.. unless specifically re... Read more

12 more replies

OK, so I was on the internet looking at a video and it asked me to download a Java thing. I didn't think anything of it, and before I knew it I had tons of viruses. There were some trojans and one that changed my background to white with a spyware warning thing. I also get a pop up for a blue screen joke thing. Here is my HijackThis log. Please help, and also thanks.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:25 AM, on 8/23/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.
 

Answer: Serious malware infestation

UPDATE: I got these 2 programs, SuperAnti and ATF Cleaner, and went into safe mode to clean the computer and restarted it, but the background still popped up and the popups were still there. So I just turned off my computer, and when I woke up and turned on my computer, nothing had popped up... Should I send another HijackThis log?

UPDATE: A Windows security alert popped up and said Trojan-spy.Win32.green.screen. What do I do? Please please help.
 

2 more replies

Hi,

Been trying to get rid of something called Project 1. Not sure what to do. Computer seems ok, but still getting a few pop ups etc. Here is my most recent log from HJT. Any help much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 2:12:21 AM, on 22/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5112.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Ontrack\Fix-It\mxserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\tp4mon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\D-Link\DSL-200\dslstat.exe
C:\Program Files\D-Link\DSL-200\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Watchdog-5E\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Celia\My Documents\HJT\HijackThis.exe

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [PCSu... Read more

Answer: Malware infestation

8 more replies

Hi everyone, I've been having some problems on a computer that was recently given to me. The symptoms are that whenever I type in certain things while I'm using the internet, I get popups that match keywords like "spyware." I'm using Firefox 3, but these popups are from IE. My brother had the computer before me and my cousin used to use it for marathon Myspace sessions. Neither one of them took very good care of it. The first things I did to try to rid myself of this problem were to run Spybot, Adaware, and NOD32. All of these found bad stuff, but after removal the problem persisted. Adaware finds a rootkit called "win32.rootkit.agent" in a file called "smbalii" in my drivers folder. Every time I run it, it says that it is unable to remove it until system restart. Well, it comes back with every scan. So I followed the steps described in this forum that I should do before running a HJT scan and then ran HJT. The scan follows this message. If anyone can help me with this, I'd be really grateful. My computer recently bit the dust after 6 years of loyal service and I'm left with this infested computer as my only means of communication. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:52 PM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C: ... Read more

Answer: Malware Infestation

Hello Jeff and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
Close all instances of Outlook Express and Internet Explorer
Go to Control Panel > Internet Options > General tab
Under Browsing History, click Delete. Click Delete Files, Delete cookies and Delete history
Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
Go to Tools > Options.
Click Privacy in the menu.
Click the Clear now button below. A new window will popup what to clear.
Select all and click the Clear button again.
Click OK to close the Options window

* Clean other Temporary files + Recycle bin
Go to start > run and type: cleanmgr and click ok. Let it scan your system for files to remove. Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

2. Please download Malwarebytes' Anti-Malware from Here or Here
Doubleclick mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a... Read more

11 more replies

Help, I am working on a friend's computer. When I received it, it wouldn't boot past the BIOS. When I finally got it to boot I couldn't install anything and it kept trying to open iexplorer, which thank god was locking up the computer every time, so I had to stop the process in Task Manager. Also could not boot to safe mode. After running Ad-Aware 2007 and Spybot, I was able to get to the internet only using SeaMonkey and was able to boot to safe mode. I went to your site and followed the instructions. At this time I still seem to have some problems: cursor moves on its own, still getting a porn popup. Also the computer doesn't have any antivirus software installed and the computer goes to a blue screen if I try to install Norton.

OK, I ran Spybot in safe mode; CounterSpy would not install in safe mode, so I ran AVG Anti-Spyware (log included). I couldn't run BitDefender or Panda in safe mode due to wireless connection problems, so had to run them in regular mode. Ran getkey and newshow (logs included), then ran HijackThis as instructed.

Thanks for your time to look at these log files and for your site.
 

Answer: Malware infestation

here are the hijackthis and getrunkey logs thanks
 

5 more replies

I'm on my dad's computer, which is a windows 98 SE. It's got some kind of malware thing going on, I can't run ad-aware (can't update it) and can't thoroughly run spy-bot on it.

Here is the hijack log... Any advice is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:04 AM, on 11/11/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\WZ77E7\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy server:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! ... Read more

Answer: Malware infestation

Run HJT again and put a check in the following:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4AF01159-E91D-08E7-8753-60550DF47F4A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/170df7fb5fe4d76...p/RdxIE601.cab

Close all applications and browser windows before you click "fix checked".

Empty your temporary internet files, your c:\windows\temp folder, defrag the drive and try spybot in safe mode.
 

1 more replies

My computer is acting strange. I have a malware case that won't go away. My task manager is disabled as well. None of the software I've used has helped. Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:12 AM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 ... Read more
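The checks the helpers in these threads make by eye (the missing URLSearchHook and "(no file)" entries ticked in the reply above, the extra F2 UserInit executable in the post above, the O1 Hosts redirects and the O16 install from a raw IP in the earlier logs) can be scripted. This is an added Python triage script, not code from any of the posts; Finding, parse_log, triage and the "fix"/"review" labels are my own, and the sample log lines are constructed from the entries quoted in these threads.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: HijackThis lines copied or adapted from the logs quoted
# in the threads above (not a complete log; the O16 URL keeps the post's "...").
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\rxjddnvj.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\rxjddnvj.exe,
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O2 - BHO: (no name) - {4AF01159-E91D-08E7-8753-60550DF47F4A} - (no file)
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/170df7fb5fe4d76...p/RdxIE601.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

@dataclass
class Finding:
    severity: str   # "fix": safe to tick in HJT; "review": needs judgement
    line: str
    reason: str

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def basename(path):
    return path.strip().lower().rsplit("\\", 1)[-1]

def parse_log(text):
    """Split a log into (running process paths, {section code: [lines]})."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY_RE.match(line)
        if line.startswith("Running processes:"):
            in_procs = True
        elif m:
            in_procs = False
            entries[m.group(1)].append(line)
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
    return processes, entries

def triage(text):
    """Apply the checks the helpers in these threads make by eye."""
    processes, entries = parse_log(text)
    running = {basename(p) for p in processes}
    out = []
    # R3: a missing default URLSearchHook is a classic leftover of a hijacker.
    for line in entries["R3"]:
        if "URLSearchHook is missing" in line:
            out.append(Finding("fix", line, "default URLSearchHook missing"))
    # F2: anything listed after the standard userinit.exe runs at every logon.
    for line in entries["F2"]:
        if "UserInit=" in line:
            exes = [v for v in line.split("UserInit=", 1)[1].split(",") if v]
            for exe in exes[1:]:
                state = "running now" if basename(exe) in running else "not running"
                out.append(Finding("review", line, f"extra UserInit exe {exe} ({state})"))
    # O1: many domains mapped to one address is a hosts-file hijack.
    by_ip = Counter(line.split("Hosts:", 1)[1].split()[0] for line in entries["O1"])
    for ip, n in by_ip.items():
        if n >= 3:
            out.append(Finding("fix", f"O1 - Hosts: {ip} (x{n})", f"{n} domains sent to {ip}"))
    # O2/O3: CLSIDs whose DLL is gone are orphans and safe to remove.
    for code in ("O2", "O3"):
        for line in entries[code]:
            if line.endswith("(no file)"):
                out.append(Finding("fix", line, "orphaned entry, no file on disk"))
    # O16: ActiveX pulled from a bare IP rather than a vendor hostname.
    for line in entries["O16"]:
        m = URL_HOST_RE.search(line)
        if m and IPV4_RE.match(m.group(1)):
            out.append(Finding("fix", line, f"ActiveX install from raw IP {m.group(1)}"))
    # O20: AppInit_DLLs loads into every process; review even when the DLL
    # belongs to a known product (guard32.dll here is COMODO's).
    for line in entries["O20"]:
        if "AppInit_DLLs" in line:
            out.append(Finding("review", line, "global DLL injection point"))
    return out

def summarize(text):
    return dict(Counter(f.severity for f in triage(text)))

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```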

Answer: Malware Infestation

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

2 more replies

Hello, All

First time posting to this forum, so please forgive if there are any strange grammatical oddities... A friend of mine's 64-bit Windows 7 machine recently started exhibiting some very aggravating behavior... some of her browser page requests were getting redirected elsewhere, she could not run ANY anti-malware scanners (it would just sit there after being clicked on....), and she would get a "Windows .NET Framework" error message with the following example:

Unhandled exception has occurred in your application. If you click continue, the application will ignore this error and attempt to continue, if you click quit, the application will close immediately.
Unknown error ( 0xfffffffe)
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
CodeBase: file:///C:/Windows
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.4927 (NetFXspW7.050727-4900)
CodeBase: file:///C:/Windows/ass
System.Xml ... Read more

Answer: POSSIBLE malware infestation?

Hello, let's see if we can get in and get a log this way.

Reboot into Safe Mode with Networking
How To Enter Safe Mode
>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill.... Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
If nothing happens or if the tool does not run, please let me know in your next reply.

Do not reboot your computer after running rkill as the malware programs will start again. Or if rebooting is required run it again. If you continue having problems running rkill.com, you can download iExplore.exe or eXplorer.exe, which are renamed copies of rkill.com, and try them instead.

Next run SUPERAntiSpyware (SAS): Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation. An icon will be created on your... Read more

1 more replies

My computer recently got infected with the "Security Protection" malware. I ran Malwarebytes, which found several things that I removed (logfile contents below). I also ran Microsoft's Malicious Removal Tool, which found nothing. I also ran SpyBot S&D, which found a few cookies, but nothing else.

After removing the items MalwareBytes found and rebooting, I now have a process that keeps loading at bootup (win4036e0.dat), which MalwareBytes keeps using IP-Block on. I get the IP-Block popup every few minutes. I've manually stopped the process which kills the MalwareBytes popups, and it doesn't seem to respawn until after another bootup. So far the process has kept its same name each time.

I just ran a HijackThis scan which I'm also posting below. I'm hoping you can help me find any lingering files that are causing this process to start running.

Thank you in advance,
jriems

+++++++++++++++++++++++++

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7610

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

8/30/2011 11:06:00 AM
mbam-log-2011-08-30 (11-06-00).txt

Scan type: Full scan (C:\|)
Objects scanned: 327055
Time elapsed: 20 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No maliciou... Read more

Answer: Malware infestation

24-hour bump...
 

3 more replies

edit: I remembered that it was the vundo trojan I ran into. went and downloaded procexp.exe and turned off system restore. when attempting to follow the instructions I discovered that RUNDLL32.exe DOES NOT SHOW UP IN THE LIST of processes. not sure what to do from here.

it started with my wife seeing a popup describing a finished virus scan requiring action. she clicked on it and unknowingly downloaded a nasty shotgun of malware and a few trojans. I've been working on this all day and I'm at my wits end.

there are 2 icons on my desktop that I know are fake shortcut icons that lead to webpages. one says "windows update" and the other says "help and support" when I attempt to delete them they immediately reappear.

keystrokes get lost or ignored, making typing difficult.

when I first started working on it this morning, the big problem was it opening a copy of internet explorer then spamming dozens of blank tabs that didn't link to anything... which eventually crashed my computer each time it happened

it has repeatedly attempted to link me to downloading "best seller antivirus" with links that appear as pop-ups, in my tray on the bottom right, all over the place.
also random popups for sites like "set the trend" and others

I have run McAfee 3 times today, and the first two times nothing. The 3rd time it came up with a trojan but I did not write the name down.. my apologies.

I have had this message come up a few times:

P-07-... Read more

Answer: new malware infestation, could really use help

Just to save one of the volunteers time I thought I'd come back and let you know the issue has been resolved.

NaZ
 

1 more replies

I would like some help, I am running Windows Premium 64-bit. I'm positive I have some kind of malware or a large amount of malware using up my system resources. I get random crashes and can't connect to the internet. Many programs have just stopped working, including my Norton 360.

Please help me.
thanks in advance.
Attachment: hijackthis.log (11.6KB)

Answer: Need Help with malware Infestation.

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply her... Read more

2 more replies

After posting in the "Is my computer infected" forum, I was told to post some logs here. DDS hangs when I run it, but I was able to use OTL. GMER caused the blue screen of death every time I run it. So for now I will just post the OTL log and await further instructions. Originally had the "XP Home security 2012" malware as well as zero access and attempted to remove (see explanation in previous post).

DT

OTL logfile created on: 1/19/2012 3:20:36 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\DT\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
3.49 Gb Total Physical Memory | 2.49 Gb Available Physical Memory | 71.53% Memory free
5.32 Gb Paging File | 4.10 Gb Available in Paging File | 76.91% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 148.93 Gb Total Space | 25.14 Gb Free Space | 16.88% Space Free | Partition Type: NTFS
Drive P: | 678.52 Gb Total Space | 558.49 Gb Free Space | 82.31% Space Free | Partition Type: NTFS
Computer Name: DT | User Name: DT | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whiteli... Read more

Answer: Malware Infestation

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Please Download TDSSKiller.zip
>>> Double-click on TDSSKiller.exe to run the application.
Click on the Start Scan button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be Cure, click on Continue
If a suspicious file is detected, the default action will be Skip, click on Continue
If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan.
Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.d... Read more

9 more replies

I've had some nasty browser re-directs that I thought I had solved. But, it seems that a new one has hit (or just the old one hitting again) and it has shut down Malwarebytes and I can't reboot in safe mode.

Here is my HJT log for starters. Please help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:33 PM, on 11/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe
C:\Program Files\Dell Photo AIO Printer 966\memcard.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Iomega\Iomega Automatic Backup\ibackup.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Comm... Read more

Answer: malware infestation

16 more replies

Hi,

I need help with an apparent malware attack picked up while web surfing. This is actually on a friends computer, whom I am helping out.

The symptoms are that we can't run regedit, Task Manager, or a cmd window.

There is what seems to be a fake anti-virus program now "installed". The notifications area shows a red shield icon and keeps putting up messages saying you are infected. Also, a message box appears

Kaspersky Anti-Virus 2010 is installed and was active AFAIK. The signatures were apparently OK a few days ago, but now it's asking for an update. We have removed the wireless dongle to prevent any internet access for the time being, and haven't updated the signatures yet. Not sure if it would even work.

We did use Kaspersky by booting to the command line, and then running something like

avp.com scan_my_computer

There was a parameter we used to specify to disinfect, but not to automatically delete (/R1 I think). The log file of the scan showed no detected problems.

Was unable to run dds.scr or gmer with a normal startup. The windows open briefly and then close. Was able to boot into safe mode. No symptoms apparent, and was able to run dds and gmer.

Below is the output from DDS (run in safe mode), and I have attached the Attach.txt file. GMER did not produce any output (it ended with a message saying "GMER did not find any modifications."), so no GMER log included.

Your help would be really appreciated!

Thanks,
PJ


DDS (Ver_10... Read more

Answer: Need help with Malware infestation

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

10 more replies

Please review HJT log: I have run the latest version of AAW and it removed nearly 700 entries, but I know there are more.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:06 AM, on 10/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\aol\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS ... Read more

Answer: Malware Infestation

Hello and Welcome to Bleeping Computer. I am MoNsTeReNeRgY22 and I will be assisting you with your malware problem today. Please give me some time to analyze your log, and I will post back with instructions ASAP.

13 more replies

Hi there,

Hope one of you kind and intelligent people can help.

My laptop is virtually unusable
- massive slow down on all functions
- Windows Explorer keeps crashing
- Windows Firewall Security won't turn on
- Wireless Radios won't turn on

I have run (free versions of) AVG, Advanced SystemCare, Spybot, CCleaner and Malwarebytes' Anti-Malware and nothing is showing. All diagnostics show nothing wrong

many thanks in advance

Jimbob

Here's the log:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by james wilson at 13:45:46.04 on 29/04/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.44.1033.18.2814.1569 [GMT 1:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\ibmpmsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\... Read more

Answer: Malware infestation?

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you... Read more

10 more replies

Folks GM,

A client has a PC that has the following Malware installed;

Total Security 2009

It typically hijacks browser sessions, disables task manager, AV, Malwarebytes, etc,

DDS file follows:
DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by npeople at 9:46:26.20 on Mon 09/21/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1683 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton AntiVirus *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\npeople\Loca... Read more

Answer: Malware Infestation

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from the following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

What kind of reseller are you?In... Read more

2 more replies

Hi! I downloaded Microworld Anti-Virus & Spyware Toolkit Utility after running DivX installer (which, according to my AV program is infected with downloader) and it detected a lot of malware on my computer, which my Avira and Lavasoft failed to detect. My laptop's kinda old and low in RAM (128) so I wasn't sure before if the machine's running slowly because of malware or because of the hardware installed.

I've tried a lot of anti-spyware programs actually - Webroot and SUPERAntiSpyware. They've already expired but they did not detect these infections before as well so I'm not sure if the trojans and/or viruses are new ones or false alarms.

Here are some detections of Microworld:

Object "clocksync Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "newdotnet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
Object "s... Read more

Answer: malware infestation?

oh, and here's a HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:29 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\SWSetup\ACLIENT\ACLIENT.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\sy... Read more

1 more replies

Hey Tech Guys, I suffered from the Look2me/Zesty parasite but managed to block it and kill it. I still have Clientman/Odysseus Marketing. But I deleted everything I found, including reg values, .dll's, and folders. I manually deleted everything in Safe mode from the registry and hard drive. I'm still hijacked and can't search, get certain popups, and green underline thing. I deleted my cookies and all temp internet files. When I run a search under yahoo I get stuff from "xmlfeed.spaex.com,"
"odysseusmarketing.com," "meta.7search.com," and "abcsearch.com." Spybot and Ad-aware don't pick up on anything further. I've done everything I've found on all forums, I know nothing else. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 12:36:30 PM, on 6/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.ex... Read more

Answer: Malware Infestation

I fixed certain things and went into safe mode:

Logfile of HijackThis v1.97.7
Scan saved at 10:28:11 PM, on 6/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator.BELLA\Desktop\Spyware Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: AIM (HKLM)
O12 -... Read more

1 more replies
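The thread above on the win4036e0.dat process that keeps coming back at boot and this thread's HijackThis logs both come down to the same triage step: read the O4 autostart lines and pick out the ones that deserve a closer look before deleting anything. The Python below is an added example for that step, not code from any of these threads or from HijackThis. The sample log mixes lines copied from the HijackThis output above with three constructed entries, and its scoring rules (relative path, user-writable profile or temp directory, data-file extension loaded through rundll32, random-looking name, system-binary name outside the system directory) are this example's own assumptions about what an analyst checks first, not a vendor's detection logic.

```python
"""Triage of HijackThis O4 (autostart) entries.

Added example, not code from the forum threads or from HijackThis.
The scoring rules below are this example's own assumptions about what
an analyst looks at first, not a vendor's detection logic.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample log: the R0/O4/O8 lines up to [nwiz] are copied from
# the HijackThis log posted above; the last three O4 lines are constructed
# to mimic autoruns that a cleanup would want to look at.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\ab3f9c1d.exe
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [load] rundll32.exe "C:\Documents and Settings\Owner\Application Data\x7k2\w.dat",Run
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
"""

# "O4 - HKLM\..\Run: [Name] command" is the registry-autorun form of an O4 line.
O4_REG_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[\w\\]+):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# First file reference in a command line; tolerates the unquoted paths with
# spaces that HijackThis prints as-is.
TARGET_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|dll|dat|com|scr|bat|cmd|vbs|pif|bin|tmp))"?', re.I)
USER_WRITABLE_RE = re.compile(
    r'\\(?:Documents and Settings|Users)\\|\\Temp\\|\\Application Data\\|\\AppData\\', re.I)
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$')
# Hosts that load and run somebody else's file: judge the file, not the host.
HOST_BINARIES = {'rundll32.exe', 'regsvr32.exe', 'wscript.exe', 'cscript.exe', 'cmd.exe'}
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe'}
DATA_EXTS = {'.dat', '.tmp', '.bin'}
SUSPICIOUS = 2  # score at or above which an entry is reported as suspicious


@dataclass
class Finding:
    name: str
    hive: str
    key: str
    target: str
    reasons: list  # (weight, explanation) pairs

    @property
    def score(self) -> int:
        return sum(weight for weight, _ in self.reasons)


def launched_target(cmd: str) -> str:
    """Return the file that actually runs for an autorun command line."""
    cmd = cmd.strip()
    m = TARGET_RE.match(cmd)
    if not m:
        return cmd.split()[0] if cmd else ''
    path = m.group('path')
    rest = cmd[m.end():].lstrip(' ,')
    if ntpath.basename(path).lower() in HOST_BINARIES and rest:
        inner = TARGET_RE.match(rest)  # the module handed to rundll32 & co.
        if inner:
            return inner.group('path')
    return path


def score_target(path: str) -> list:
    """Apply this example's heuristics to one file path; returns (weight, why) pairs."""
    reasons = []
    directory = ntpath.dirname(path).lower()
    base = ntpath.basename(path).lower()
    stem, ext = ntpath.splitext(base)
    if not directory:
        reasons.append((1, 'relative path: resolved through the PATH search at logon, confirm which file runs'))
    if USER_WRITABLE_RE.search(path):
        reasons.append((2, 'runs from a user-writable profile or temp directory'))
    if ext in DATA_EXTS:
        reasons.append((2, f'data-file extension {ext} loaded as code'))
    if RANDOM_NAME_RE.match(stem):
        reasons.append((1, 'random-looking file name'))
    if base in SYSTEM_NAMES and not directory.endswith(('\\system32', '\\syswow64')):
        reasons.append((3, 'system binary name outside the system directory'))
    return reasons


def parse_autoruns(log_text: str) -> list:
    """Pull the registry O4 entries out of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def triage(log_text: str) -> list:
    findings = []
    for entry in parse_autoruns(log_text):
        target = launched_target(entry['cmd'])
        findings.append(Finding(entry['name'], entry['hive'], entry['key'], target, score_target(target)))
    return findings


def suspicious(log_text: str, threshold: int = SUSPICIOUS) -> list:
    return [f for f in triage(log_text) if f.score >= threshold]


if __name__ == '__main__':
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: -f.score):
        label = 'SUSPICIOUS' if f.score >= SUSPICIOUS else ('review' if f.reasons else 'ok')
        print(f'{label:10} {f.score}  {f.hive}\\..\\{f.key} [{f.name}] -> {f.target}')
        for _, why in f.reasons:
            print(f'              - {why}')
```

Run it as a script to print every O4 entry with its score and reasons. A high score is a reason to look, not proof of infection, and the benign-looking relative-path entries such as nwiz.exe are only flagged for confirmation of which file the PATH search actually resolves. The heuristics say nothing about autostart mechanisms the O4 lines do not cover (services, BHOs, scheduled tasks), so treat it as a first pass over the log rather than a cleaner.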

winsock vista SP1, 32 bit OS trouble

I was infested by malware, deleted some files including the Google Desktop startup and Apple Bonjour startup which were identified by Autorun, and my wireless has proceeded to stop working.

When I start my laptop it takes a minute to load after I have typed my password and after that minute the screen goes black with only the cursor on the screen, then Windows finally loads and says it is impossible to start the event register,
it also says winsock has failed to load.

I have tried to run netsh winsock reset but in this case I got the following error message:
impossible to start initialization function InitHelperDll into NSHHTTP.DLL error code 11003.

If I put the mouse on the wireless icon (lower right) the pop up is telling:
connection status: unknown, start of the group or dependency service has failed to start

I cannot restore the Vista operating system. I try to recover
the operating system at one point of 3 days ago but I get error messages:
system has not been restored due to an unspecified error

When I type "msinfo32" in "run" and look at components > network > protocol it says it cannot collect information as the windows management files are removed or missing

When I deleted the winsock, winsock 2 files, the startup was quick, the wireless would work but with limited connectivity and doesn't connect to the internet, I ran msinfo32 again and this time it was blank under protocol (microsoft support s... Read more

Answer: Winsock/malware infestation

Does this mean even if I reload Vista I will still have the same problem?!

If you reload the OS it should be fine. I had this problem last week after an infection. After messing with it for a week, I finally reinstalled.

1 more replies

Antivirus 2010 was involved, when I first got a look at this computer. It is a friend's. He seems to have gotten rid of the popups, but he still gets reports of rootkits and other stuff, so here I am. I downloaded the utilities from here, put them on a thumb drive, ran them on the infested computer, saved the logs on the thumb drive, so I could post them here.

DDS Logfile:
DDS (Ver_09-12-01.01) - NTFSx86
Run by owner at 22:41:24.27 on Thu 03/11/2010
Internet Explorer: 8.0.6001.18882
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1275 [GMT -5:00]
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\sy... Read more

Answer: malware infestation in vista

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%... Read more

12 more replies

Hello,

(Note: First post ever)

Am running Windows 8, 64-bit and seem to have been infected. Especially noticeable using Internet Explorer. Browser gets redirected and freezes, inviting me to call a number for the quick and easy solution to my issue.

Have run through the thorough steps prescribed in the Malware Forum and have not cleaned anything yet...am simply posting the log files resulting from scans.

Thanks in advance for assistance.

-phlash45
 

Answer: Requesting Help with Malware Infestation

Welcome to MG's. Give me a few and I will check your logs.
 

6 more replies

Despite my best efforts to use a firewall and PC-Cillin antivirus and website blocking software, I got something infecting my system. Every so often when browsing the web, I get a pop up window to some site (usually starts with url.cpvfeed.com) that is thankfully blocked by PC-Cillin. Internet explorer also is much slower to respond and sometimes becomes "de-activated" in Windows (the IE window is still on the screen, but the title bar is grayed out with nothing else becoming active).

I have run all the scans in the readme thread and the logs are attached. Many thanks to whoever can help me!!
 

Answer:Please help -- malware/trojan infestation!

the rest of the logs...
 


Hello!

My first post in these forums.

I registered here because I need help solving a Trojan/Malware infestation.

Although I'm no programmer or tech wiz, I try to keep safe using AVG Free, AdAware AE and Spybot. I update them daily.

I don't usually make mistakes but 2 days ago, after scanning an exe file with AVG (no threat detected), I ran it and got an immediate popup of AVG's Resident Shield telling me of a Trojan infection. It was a very stupid mistake that I don't usually make. I always check for the origin of the program before executing it.

I ran full scans with all the programs and they found nothing. Only Resident Shield had warned about the threat. After checking some tech forums I downloaded MalwareBytes Anti-Malware, updated it and performed a full scan. I also installed SpywareBlaster and SpywareGuard. Nothing anywhere.

I then went in to Safe Mode and performed the same checks again. Nothing.

The scans took hours and I thought it might be a false alarm (second mistake I know). I shut down the system and went to bed.

Yesterday I was web browsing when Resident Shield warned me again with the following message:
Code:
c:\SYSTEM VOLUME INFORMATION\_restore{374C1AC1-E484-4DE2-995E-91DAD2480DD2}\RP212\A0062960.exe
I browsed some tech forums and read extensively about a lot of utilities and was confident I could sort out the problem. I scanned the PC again with all the programs and AVG found the System Restore entries. I decided to...

Answer:Trojan/Malware infestation

Help anyone?
 


Hello,

My Win2000 laptop was just infected by some malware from the following URL (whatever you do DON'T link to it)!!!

http://on-fire-news.blogspot.com/2007/10/rick-jacobs-bigfoot-video.html

I have attached a HJT log that I produced after running ComboFix (see my explanation of the sequence of events below). I have also attached the log and quarantine files produced by ComboFix when I ran it.

The video was purportedly of a bigfoot sighting, but turned out to be a porno video with a payload. Actually, I first visited it with firefox, and was prompted to load an active X plugin of some sort for firefox to view the video (I still thought it was bigfoot at this point...) which I foolishly did. Then when the video still didn't play, I switched to IE 6 and got a nice clean looking video download in an active X player of some sort. Then, just seconds before the video started to play, I saw a couple of command prompt windows flash open and closed, and then the porno video started playing, and I knew that I had been had. I immediately shut off the video and shut down IE, but the damage had been done.

I'm not sure if the malware came in the IE video, or in the "viewer" that I installed for firefox. In any case, I am now infected with something. The two symptoms I have noted so far are as follows:

1) The next time I opened IE 6, there was an attempt to either open an alternate home page, or a pop-up that was porn related, as my porn filter screamed abo...


On an impulse, I navigated to the following site:

edited out...

Whatever you do, don't go there !

By just navigating to the site, I got a whole bunch of crap installed on my computer, and it has taken me several days to get rid of most of it.

Although both Trendmicro and AVG have pronounced me "clean", my settings are all bunged-up. I've turned off System Restore so I can clean out the malware, so that is not an option. And I have run 2 Repair Installs and for some reason there are still problems.

Mostly what is happening is that my (WinXP) desktop is "locked" into displaying the malware's "Warning" page (which told me about the "spyware" and how to get rid of it). I got rid of the HTML page that used to be there, but now my normal WinXP desktop is replaced by a blank whiteness (like what you would get if the HTML page was deleted).

And I haven't got the ability to change the Desktop like I used to. On boot, it "flashes" my usual image, then gets "over-ridden" by something else.

Also, Task Manager used to not work, even though it was enabled in the Registry (I checked). I downloaded a tool that "forces" it to function, but I think there is still malware interfering.

The computer doesn't seem to recognize that I am the Administrator, and won't let me install software.

Also (somehow) Google's ToolBar got installed (I didn't do it).
I have a list of the malware AVG fo...

Answer:Horrible Malware Infestation

Try to do as many of the steps outlined here as you can. We need a HijackThis log from you.

You can just add that site to your HOSTS file to "blacklist" it. Uninstall Google Toolbar if you don't want it.

...moved to HijackThis Forum...


Hi there,

So, I was playing utopia, a game I've played for several years, and I got some kind of a malware infestation from the website. I wish I knew what kind of infection I have, but I'm not getting any results through google searches. I keep getting pop-ups, lots of pop-ups, mostly for <hxxp://85.12.43.105> and www.zoombli.com My wireless connection also no longer works. I actually had to go back to my god awful wired connection to get online to post this. Here is my hijack this logfile, and any help would be greatly appreciated. This is the only computer my family and I have internet access for right now. My desktop's power supply went boom. :-(

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IE...

Answer:unknown malware infestation

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio...


Hello there,
I posted yesterday, but realized I was not following the proper procedures. My system is infected with something that redirects my search results in Yahoo or google to random pages. Also there are Viamax ads on pretty much every page I visit.
This morning I have followed these steps through step 3:
http://forums.majorgeeks.com/showthread.php?t=35407
And now onto step two here:
http://forums.majorgeeks.com/showthread.php?t=139313
SAS will not run, I get the "SUPERAntiSpyware Application has encountered a problem and needs to close. We are sorry for the inconvenience." message

I have now tried to also run malwarebytes, and when I double click, nothing at all happens.

Not sure what to do next. Thank you for the help!!
Scott
 

Answer:Malware Infestation - Viamax Ads

Please remain in one thread. This current thread will be closed. See the reply in your first thread here: http://forums.majorgeeks.com/showthread.php?t=185903
 


Hey everyone --

My laptop has picked up a malware infestation recently --


I suspect the diagnostics will tell you all the required information but in short:

Running Win XP pro -- SP2 (I think)
Mozilla Firefox browser 3.0.7

My problems focus on google redirects which I covered up by using Redirect Remover 2.5.5 but of course this just covers symptoms and does not actually solve the problem.

I've also noticed pop-ups when browsing sites which should not have any pop-ups. (notably the kingdom of loathing wiki)

Ad-aware and clamwin do not detect any problems, but I have noticed that clamwin has problems with automatic updates.

Here are the required diagnostics. Thanks in advance and please let me know what else is needed to clean this problem up.


Robert Gibson


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 20:41:34.26 on Sun 03/08/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.567 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS...

Answer:Malware Infestation Help Requested!

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. ...


I am having a similar issue as mentioned in http://forums.majorgeeks.com/showthread.php?t=153485.

As with this user, I cannot run a HiJack this, NAV will scan but has not been able to update since 3/14/08, and the only reason I know I have a problem is due to processor overload and information provided to me from Panda Scan (attached).

Most of the issues Panda found were resolved, but I have residual attacks in my SYS32 folder that I am having difficulties removing.

Could you assist, please? I may have more than one system affected by this, as it appears we received it from a customer file through email...

Thanks,
Ayara

Additional notes: We use CCleaner, Windows Cleanup, Registry Booster, Registry Mechanic, and Ad-Aware here, and all of those "appear" to have done as much as they can.
 

Answer:Bagle / Malware Infestation

Hi Ayara,
Welcome to Major Geeks!

Please do as much of the READ & RUN ME FIRST as possible and let me know how this goes. It may be necessary to run some of the scans with the computer disconnected from the internet so you can disable any antivirus and antispyware software for the duration of the scans. Then be sure they are reenabled. If something doesn't work, make a note of it and continue. We need to see the logs.

abri
 


My computer has numerous problems since this morning. Unfortunately I do not know what happened when my PC got infected; my nephew was on it and now it is infected. The only thing file-wise were Shockwave slim installers on the desktop that were not previously there..

First signs were fake Antispyware popping up saying I was infected and referring me to CoreGuard Antivirus 2009. It tried to download and install but I Ctrl+Alt+Deleted before it could finish. Ran McAfee Security Center a few times and that seems to have gone away for the time being. I also have cases of Msiexec files running all over in my Task Manager processes. So I deleted all traces of Msiexec files (hopefully that wasn't a mistake =S) and now they're not there anymore. It's having problems opening up and running certain programs, such as Spybot Search & Destroy, Ad-Aware remover 2009, Spysweeper, Spywaredoctor, etc. So I could not do all the scans in the malware forum rules. SuperAntispyware keeps encountering a problem and needs to close as soon as I click it. Malwarebytes Anti-Malware stops prematurely in between installation. Double clicked on ComboFix and nothing happened. Also when I click on new links in search engines it redirects me to other websites, in both Firefox and Internet Explorer. System Restore doesn't do anything when I click on a restore date then click "Next". Usually I am able to fix the problem myself but all my tactics have been exhausted. This is the first time I ever need...

Answer:Recent Malware infestation

Msiexec.exe is a program that interprets packages and installs products.

I suggest you reinstall the Windows Installer Package.

I am not seeing any problems in your MGLogs.

(Though I do suggest you also remove C:\Program Files\Coreguard Antivirus 2009).
 


My cousin sent me a zip archive holding an .src file. As soon as i opened it, I realized that my anti virus program, Kaspersky Anti-virus was acting up and kept posting warnings that a virus was detected. However, it could never remove it. After doing several sweeps with spysweeper, spybot, and ad-aware, i realized that the malware was recurring and kept popping up soon after i restarted the computer. This has been frustrating. I trusted my cousin, but I guess I can't be too sure after this. I ask for the HJT staff's assistance in helping me restore my computer to a more stable state. Thank you.

------
HiJackThis Log file
Logfile of HijackThis v1.99.1
Scan saved at 12:02:19 PM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Kerio\Personal Firewall 4\...

Answer:Malware Infestation - Can't Remove

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.
If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


Hi, Have a system that is in bad shape, no firewall or antivirus was installed. Have run Norton, AVG, Bitdefender, spybot, ad-aware and removed over 200 entries of malware. Still can not get rid of Win32.Elkern, Smitfraud-C.CoreServices, and Virtumonde.

Any help will be most appreciated, here is the HiJackThis File.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:10 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BitDefender\BitDefender 2008\vsser...

Answer:Major Malware infestation


I have malware programs I can't seem to get rid of
cpu usage 100%

here's the hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 10:16:02 PM, on 10/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\AirLink101\WLAN Monitor\WLANmon.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\IEEE 802.11g USB Wireless LAN\Wireless LAN\WlanUtil.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Fool\Desktop\Launcher.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\taskmgr.exe
c:\program files\aim6\anotify.exe
C:\Documents and Settings\Fool\Deskt...

Answer:cpu usage 100% plus malware infestation

also there's this program that covers my background turning it into this clickable background... it looks real ****** b/c it squares all icons and around icons you can see my background in back
if I put my cursor all the way up it brings up a hidden bar with a down arrow that opens a menu and I can close it
 


It happened again! Grr.. you gals and guys were a great help last time so I'm coming back.
I'm getting pop up warnings from the task bar re spyware infection, a pop up from what looks very much like a windows security notice, my desktop background has been replaced with all blue that also has a spyware warning and also a pop up web site for spyware removal. Here is the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:41 AM, on 3/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1151846037\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\system32\mgmrwmrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Multimedia Card...

Answer:Solved: Malware infestation?


Alright, this isn't urgent serious news as I'm using the computer that has been or was infested, not sure yet, that is why I'm posting these logs for a more expert opinion.

My friend gave me his Acer Aspire One notebook to look at; he said there were some serious issues with it so I gave it a shot.

Before I ran the READ & RUN procedure I ran an AVG scan and it picked up 9 infections.... so I quarantined and cleaned or deleted them and then I ran Mbam, but it was Mbam.exe instead of renaming it to Mb.exe; granted I hadn't read the READ & RUN, I was just doing some regular virus scans. It picked up 10 infections, I ran the cleaner on that and deleted them, but since I found this many I wanted to be sure so I ran the READ & RUN procedure. Also, great tools for malware; I've used these steps and programs for many computers, it's great, but I still don't know how to read them :/ but that's why you guys have such a great forum. Anyway I'd appreciate it if someone could look over these logs to check for formalities?

Greg

View attachment mbam-log-2012-03-10 (13-15-49).txt



View attachment combofix.txt



View attachment SUPERAntiSpyware Scan Log - 03-12-2012 - 18-03-37.log



View attachment MGlogs.zip
 

Answer:Malware, Trojan Infestation

Here is the RootRepeal log. I couldn't get it to run so I just continued on with the rest of it; I didn't try safe mode, if need be I will

Greg

View attachment RRlog.txt
 


So my partner's daughter was on the computer yesterday, and today we come in to see several browsers open (overnight? not sure) and some "powerscan" program open on the desktop. (This computer runs Windows XP). I immediately ran ad-aware and the first three times the computer would shut down while running it. I figured that out, finally got it to run all the way through and pitch some crap. Ran spybot, and it pitched some more crap. I have run them both a total of 2 full times.

We still can't get on the internet as it stands right now. I did notice something called dsphkjc (or something like that) in the startup programs and one that had a blank area where it should have a name. Not very promising.

Anyways, here is the hijack log for this particular computer:

Logfile of HijackThis v1.99.0
Scan saved at 5:53:32 AM, on 1/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\dfphjc.exe
C:\Progr...

Answer:malware/spyware infestation


Computer running slow, redirects, pop-ups. Ran Malwarebytes and it helped, but still not right.

Any help is appreciated.

Hijack this Log below.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:25:49 PM, on 8/22/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.17239)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\LeapFrog\LeapFrog Connect\Monitor.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Belkin\Router Setup and Monitor\BelkinSetup.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 5.4\Support\DynamicLinkSupport\dynamiclink\CS6\dynamiclinkmanager.exe
C:\Program Files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_70.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACGW&l=0409&m=dx4300&r=173605109406...

Answer:Virus and malware infestation


Hello,

Thanks for any help you can provide. On Friday, Dec 12 at/around 14:20 US ET we began experiencing many pop-ups while running Internet Explorer. The pop-ups appear to point to bogus security applications like "Antivirus 360". Other pop-ups appear for videos, music, and security applications.

I have also captured some disturbing information from my Norton Internet Security Logs (Intrusion Prevention):

12/12/2008 6:35:42 PM,Intrusion: HTTP Fake Scan Webpage.,"Intrusion: HTTP Fake Scan Webpage. Intruder: SONY2(4720). Risk Level: High. Protocol: TCP. Attacked IP: 67.205.75.14. Attacked Port: http(80)."

12/12/2008 6:01:52 PM,Intrusion: HTTP Trojan Vundo Activity.,"Intrusion: HTTP Trojan Vundo Activity. Intruder: 89.188.16.46(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: SONY2. Attacked Port: 4297."

12/12/2008 5:53:35 PM,Intrusion: HTTP Trojan Vundo Activity.,"Intrusion: HTTP Trojan Vundo Activity. Intruder: 62.4.83.205(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: SONY2. Attacked Port: 4181."

12/12/2008 2:52:02 PM,Intrusion: HTTP Trojan Vundo Activity.,"Intrusion: HTTP Trojan Vundo Activity. Intruder: 89.188.16.46(http(80)). Risk Level: High. Protocol: TCP. Attacked IP: SONY2. Attacked Port: 2030."

12/12/2008 2:49:29 PM,Intrusion: HTTP Misleading Application Detection.,"Intrusion: HTTP Misleading Application Detection. Intruder: 77.245.61.80(http...

Answer:Many Pop-ups - Vundo Malware Infestation?

Howdy there doc1586

Thank you for your patience. I will be helping you deal with the issues raised in your log from this point onwards

Before we start jumping into things, here is a quick basic note which I mention to everyone. The fix which I have provided for you is for this computer only, it should not be used on any other computer. Each fix is tailor made for the specific task in hand. If for some reason you have system restore disabled, then please re-enable it before proceeding, an infected restore is better than none. Please read through the fix first and set enough time aside to complete the task in one session. If there is anything you feel needs clarification then please ask - do not guess! Please copy and paste any requested logs into replies rather than add as attachments, this makes it easier for analysis.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

If this is a computer from a work place then please advise your IT department of the concerning issues before commencing past this point.

Please follow these directions in the order they are set out for you.

We will begin with ComboFix.exe. Please visit this webpage for download...


Hi all, sorry to post ANOTHER log but I'm really worried! My main problem is pop ups in firefox and spy bot keeps telling me every few seconds that "nekgfqvdjy" is trying to change values on my system and occasionally tries to change my homepage. I've followed the advice in the guide thread and also scanned with Avast and checked that ghostwall is up and running. I'm very worried, this happened before and I had to replace the hard drive. It may have been coincidence but I'm still worried it could happen again.

Here is the Hijack this log, Many thanks in advance

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:26, on 2007-09-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashSer...

Answer:Spyware/malware Infestation?

Hello shelleybird, I am SifuMike and I will be helping you.

You will need to use Internet Explorer for this scan. Disable your antivirus program and go here to run BitDefender Online Scan. Click on I Agree. Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.
When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.
When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.

******************

Download and install AVG Anti-Spyware v7.5.
After download, double click on the file to launch the install process. Choose a language, click "OK" and then click "Next".
Read the "License Agreement" and click "I Agree".
Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
After setup completes, click "Finish" to start the progra...

2 more replies
Relevance 55.35%

Hello all, first post here. Not but a day ago I was browsing the web for some information and during my browse encountered this self-proclaimed anti-spyware scanner, which automatically loaded itself onto screen. Assumingly a self-installed hitchhiker, it appears under Programs and in the tool tray as AntiSpywareMaster; winvsnet.exe bearing the same icon/image under C:\Documents and Settings\MyName\Local Settings\Temp.

The exe file under the Temp folder was deleted and hasn't been seen again since. I have not been able to locate the source of this problem.

Since it has appeared in my system, things have gotten slower and popups claiming warnings of viruses and such continue. I believe it all relates to this fake anti-spyware, so I've been trying to be extra cautious of what shows up and what to trust.

I saw some other threads here give log files of their registry and whatnot. I just downloaded HijackThis 2.0.2 and scanned my registry for a logfile.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\AntiSpywareMaster\asm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberL... Read more

Answer:Malware infestation problem, help

The byte space on my HDD seems to have gotten less used up and more free. I can only hope this thing posing as a popup virus scanner isn't the cause of losing data.
 

1 more replies
Relevance 55.35%

Hello,

I have gotten my PC system (Win XP Pro) infested with the IE Defender malware trojan. I have tried many times to do the automated and manual removal process found on the net to remove this but it is not going away. This includes using the reg update for the registry.

I am constantly getting an error pop-up window in the IE Explorer browser (7.0) that says "System Error! Your computer is infested with an unknown trojan. It's dangerous for your system. Click OK to download the antispyware program to clean your system!"

I would be most grateful for any help!

I have attached my HijackThis log file as an attachment to this message.

Answer:Ie Defender Malware Infestation

Hello troeser,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again! Also delete C:\rapport.txt

Please download SmitfraudFix
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry key... Read more

2 more replies
Relevance 54.94%

I came across this message in a readme.txt file. It was in D:\PerfLogs\System\Diagnostics\20110905-0001 along with other files such as "UAC Settings", "User Accounts", "BIOS", "AntiVirusProduct", "AntiSpywareProduct", "FirewallProduct", "Startup Programs", "Startup Settings", "Processes", etc. It sounded really suspicious to me.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<!--This file is automatically generated.-->
<DataCladFileStore>
<Message>This directory is being used as an AutoBackup File Store. MODIFYING OR DELETING ANYTHING IN HERE WILL CAUSE IRREPARABLE DAMAGE TO YOUR BACKUPS. DON'T DO IT!</Message>
<Version>2.5.0.0</Version>
<BuildVersion>4.60.0.7916</BuildVersion>
<BuildType>sgm</BuildType>
<eSellerID>STR4043462256</eSellerID>
<ProductType>autobackup</ProductType>
<Lang>en-US</Lang>
<OwnerToken>D95BFF1B08BBE08FE33702A48633B346</OwnerToken>
<EncryptionKey />
</DataCladFileStore>

At the time I posted this thread, I was running a rootkit scan with Spybot, so I was unable to run the AdwCleaner, FRST, and aswMBR scan logs and attach them, but I will run them as soon as Spybot finishes.
 

Answer:Malware infestation causing CPU to run at 100% continually.

Hi, when you finish, follow this topic and attach requested reports --> http://malwaretips.com/threads/malware-removal-assistance-how-to-get-help.20334/
 

40 more replies
Relevance 54.94%

Please can you help? My neighbour's computer has been infected, it all started when he was browsing the Net. A popup opened and AVG picked up a Trojan horse Collected.AF, it could not be healed, deleted etc. and files were copied to the local settings\temp folder. I deleted the temp folder contents, and noticed a new program had been installed called Powerscan, this was removed using Add/Remove programs. The PC was restarted and a powerscan program started up after closing and uninstallation. I ran AVG (no virus found), Spybot S+D (found various malware inc. Powerscan and ISearchTech), Ad-Aware (found similar problems), these were all removed successfully. I ran these programs again after restarting and no problems were found. However now when connecting to the internet the browser opens up a web page called corn on the cob and again AVG picks up the same Trojan, I end the task and disconnect but the network connection window opens either saying that pwnage.xtremepower.info. or competone.com wants to connect. This persists after selecting cancel until you restart the PC. I have updated all above security software and tried Spyware Blaster and WinPatrol and a system restore (this cannot be done). Looking at the running processes I noticed the l9ol.exe and tried ending the process, this allowed me to connect to the internet without the corn on the cob installer window opening, but upon disconnecting the network connection window opens either saying that pwnage.xtremepower.info. ... Read more

Answer:Trojan,Powerscan,malware infestation

Hello Biofriendly and welcome to the BC forums. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1
Download CCleaner and install it but do not run it yet.

Step #2
Start in Safe Mode Using the F8 method:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
Use the arrow keys to select the Safe Mode menu item.
Press the Enter key.

Step #3
Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [Microsoft Desktop Manager] msdesk32.exe
O4 - HKLM\..\Run: [REGRUN] C:\l9ol.exe
O4 - HKLM\..\RunServices: [Microsoft Desktop Manager] msdesk32.exe
I question this item for a Wanadoo dialup connection. It appears that you have BT broadband so if this is no longer needed you can check it also. Even if you still use Wanadoo this does not have to startup at bootup, you can still remove this and start it as needed:
O4 - Global Startup: Wanadoo Connection Kit.lnk = C:\wanadoo\wanadooconnectionkit\atdialler1.exe
Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4
We need to make sure all hidden files are showing... Read more

13 more replies
Relevance 54.94%

My 'puter has been crashing randomly - suspiciously as I access applications that try to battle malware (apps like Ad-aware, Spybot, Ccleaner, Firefox, etc.) What blows my mind is that it even does it in safe mode when i am not connected to the internet.

I went to the read me first and did everything up until boot in safe mode then run ccleaner then spybot. I can get through ccleaner in safe mode, but then as soon as I open spybot - system crashes and restarts. When I was able to run spybot earlier I noticed smitfraud, TIBS, and a handful of other nastiness. Also, when the system reboots, a Microsoft Windows dialog box opens up and says

"The system has recovered from a serious error. A log has been created..tell microsoft, etc." Also has a "Click here" to see what data this error report contains and when I do - it shows:

BCCode: 1000008e BCP1: C0000005 BCP2: 804EC2B6 BCP3: F94104A4 BCP4: 00000000 OSVer: 5_1_2600 SP: 2_0 Product: 768_1

Below that, error report contents include:
C:\DOCUME~1\JAY~1.VAI\LOCALS~1\Temp\\WER6a0c.dir00\Mini061507-01.dmp
C:\DOCUME~1\JAY~1.VAI\LOCALS~1\Temp\\WER6a0c.dir00\sysdata.xml

Please advise - i am at wits end and ready to throw the computer out the window (seriously)

Lastly - here is HJT log if it is helpful to view:
Logfile of HijackThis v1.99.0
Scan saved at 11:28:17 PM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running pro... Read more

Answer:Malware Infestation - a real challenge here

Welcome to Major Geeks!

Please attempt to complete the parts of the READ ME that ask for the below logs:

GetRunKey
ShowNew
HijackThis - make sure it is installed and renamed as requested. This is very important.
Attach these logs if you can. It is best to get the logs from normal boot mode but if you cannot do that then get them from safe mode.
 

23 more replies
Relevance 54.94%

I recently tried to download a download accelerator (bad idea I know) from basically a torrent website, I didn't pay 100% attention to the third party files and included was unniSale adware/malware.
 
I have not found it in my internet explorer but it has manifested itself into google chrome and although I can remove extension and negate it a bit, the program keeps popping up opening more and more dialogue boxes. 
 
I am asking for help and understand the turn around time might be a little longer than most people like, I do have to depart on a business trip where I will not have internet access in a little under a week so hopefully I will have time to enact the fixes that are provided. 
 
I have already run FRST and attached the txt files FRST and addition and will post them in a reply <> as well.
 
Thank you in advance!

Answer:UnnisAle adware/malware infestation

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
Ran by Wes (administrator) on GAMECOCK on 27-01-2015 07:17:39
Running from C:\Users\Wes\Desktop
Loaded Profiles: Wes (Available profiles: Wes)
Platform: Windows 8.1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(HP) C:\Program Files (x86)\HP SimplePass\TrueSuiteService.exe
(IDT, Inc.) C:\Program Files\IDT\WDM\stacsv64.exe
(Hewlett-Packard Company) C:\Windows\System32\hpservice.exe
(ActivIdentity) C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
(ActivIdentity) C:\Program Files\ActivIdentity\ActivClient\acevents.exe
(Apple Inc.) C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Microsoft Corporation) C:\Windows\System32\dasHost.exe
(ZTE Corporation) C:\Program Files\Pre-Paid Telstra WIFI 4G\DeviceMonitor_x64.exe
(Fitbit, Inc.) C:\Program Files (x86)\Fitbit Connect\FitbitConnectService.exe
(Hewlett-Packard Devel... Read more

7 more replies
Relevance 54.94%

I have never had such a problem. I was surfing when suddenly yesterday got many pop ups. Then, my desktop icons and taskbar started disappearing. They would go off and a "media" control bar (which I never saw before) popped up on the taskbar, then all the icons would reappear and keep disappearing. When I try to boot in safe mode, I still can't get a desktop to function. I have to open programs through taskmanager.

I have run Ad-Aware Pro many times, and it has found multiple malwares including Small. But now when I try to delete it, I get a blue screen of death which says something like: "The Windows Logon Process system process terminated unexpectedly with a status of (machine code). The system has been shut down."

I have also run Spybot Search and Destroy which got rid of a few things. Norton AV was useless. The Windows malware tool detected nothing.

This is the best site I have found-- please let me know what I should do next!

Thanks,
Q

Answer:I Have Malware Infestation-- Sudden Onset

Hello and welcome Quakrt, let's start here.

Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..DO NOT run yet.

Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to start Windows in Safe Mode

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or the Opera browser click on that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.
To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are se... Read more

11 more replies
Relevance 54.94%

Hello cryptodan,
Still having start up problem in Normal mode but things seem to be changing. The following is a scan report from MalwareBytes run last night.

Following the Malware log will be two log files from Superant Quick scans.
Between the two Quick scans I attempted to do a Complete scan but the system stopped and re-booted itself.

Now there are times when the Normal start up sequence seems to get further along in the process. The computer still boots OK in Safe Mode.

HERE IS THE MALWARE LOG: :

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/26/2012 at 07:19 AM

Application Version : 5.0.1146

Core Rules Database Version : 8514
Trace Rules Database Version: 6326

Scan type : Quick Scan
Total Scan Time : 00:05:09

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 286
Memory threats detected : 0
Registry items scanned : 30191
Registry threats detected : 0
File items scanned : 8062
File threats detected : 17

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\03RJDZRB.txt [ /atdmt.com ]
C:\Documents and Settings\Administrator\Cookies\B3M7FUFV.txt [ /ad.wsod.com ]
C:\Documents and Settings\Administrator\Cookies\ZYGU65Y0.txt [ /ads.pubmatic.com ]
C:\Documents and Settings\Administrator\Cookies\D17YCEO4.txt [ /adxpose.com ]
C:\... Read more

Answer:Start up problem after malware infestation

Good morning cryptodan if you are out there today.

Just a followup to my last post with the malware scan logs.

The computer is now starting normally! There seemed to be an increasing progression of how far it would get during bootup. Then one time yesterday it booted up in Normal mode and announced that Windows had recovered from potentially serious problems and would I like to send a/the report(s) to Microsoft. Yes, I said! - The computer has been starting normally since. Could it be that Windows fixed itself??

Thanks for your help. For now things look OK.

Are there any history/log files that we can look at to get a handle on what happened?

Mike

34 more replies
Relevance 54.94%

Greetings. I went to the READ ME FIRST post and followed the instructions to the best of my ability, however every single thing I do on my computer (I'm running Vista) tells me that it's unexecutable and is infected. I actually can't even get into my Control Panel to see what installed itself on my computer, but I'm assuming there must have been something?

Basically, everything I do -- open Control Panel, open IE, open Firefox, open CCleaner, open uTorrent -- prompts me to scan with and pay for malware/spyware protection through something called antispywareprog.com and it's the only website I can access. No other programs open and I simply get a Windows Security Alert balloon that pops up from the "green shield with a checkmark on it" in my toolbar.

I'm assuming I'll need to run some scans in safe mode or something? I'm currently accessing the web via my MacBook.

Can anyone please help? Thank you very kindly.
-Steve
 

Answer:Probable Malware/Spyware infestation

If you really cannot run anything at all in normal boot mode nor in safe boot mode, you will have to use another PC to make the OTLPE boot CD mentioned in message # 17 of the below thread and see if you can complete a scan with it and get us the log.

http://forums.majorgeeks.com/showthread.php?t=214161&highlight=OTLPE
 

29 more replies
Relevance 54.94%

Hello,
 
Running Windows 10
Had pop ups and in-browser ads from Page Record.
Uninstalled Page Record using "Add/Remove Apps"
Saw lots of ads from "CloudScout" as well.
Have lots of pop ups from something that generates ads saying "It seems you have computer problems. Call us to fix. 1-855-525-4632." Lots of variations thereof.
Ran CleanUp! It removed 600 MB, still have this problem.
Not sure what to do, please help.

Answer:Windows 10 - Huge Ad/Malware Infestation

Ok, Just ran AdWCleaner, still have the CloudScout pop ups. Here's the Log.
 
# AdwCleaner v4.208 - Logfile created 13/08/2015 at 18:26:07
# Updated 09/07/2015 by Xplode
# Database : 2015-08-12.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : xxx
# Running from : xxx\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 

***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\Browser
Folder Deleted : C:\ProgramData\CrimeWatch
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs One System Care
Folder Deleted : C:\Program Files (x86)\SearchProtect
Folder Deleted : C:\Program Files (x86)\TNT2
Folder Deleted : C:\Program Files (x86)\CloudScout Parental Control
Folder Deleted : C:\Program Files (x86)\OneSystemCare
Folder Deleted : C:\Users\HUSTON\AppData\Local\SearchProtect
Folder Deleted : C:\Users\HUSTON\AppData\Local\TNT2
Folder Deleted : C:\Users\HUSTON\AppData\Local\CrimeWatch
Folder Deleted : C:\Users\HUSTON\AppData\Roaming\One System Care
File Deleted : C:\END
File Deleted : C:\Users\Public\Desktop\Launch One System Care.lnk
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Deleted : C:\Users\HUSTON\AppData\Roaming\Mozilla\Firefox\Profiles\jhs6q0cz.default\invalidprefs.js
File Deleted : C:\Users\HUSTON\AppData\Roaming\Mozilla\Firefox\Profiles\jhs6q0cz.default\user.js
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\yahoo.xml
 
***... Read more

5 more replies
Relevance 54.94%

I am working from another computer at the moment, so no logs available at the moment.
 

Answer:FFF5ee.com / 95.215.1.57 Malware Infestation Help Needed

Attached is the most recent scan log from MWB.
 

9 more replies
Relevance 54.94%

Hi. Thanks in advance for the help. I want to warn you by saying that I am not real proficient when it comes to acronyms, computer-jargon, etc. So, please bear that in mind, OK?

My CPU (I know that acronym) is/was infected with the Malware 2008 bug (or whatever it's called). After looking at some of your forums here, I decided that, due to my lack of expertise/knowledge, it would be easier to just rebuild the thing and reinstall XP. Before I did that I wanted to back up a few files. When I tried to do so, however, I noticed that all my USB ports had "disappeared". So, I decided to contact the forum and explain my problem.

To prep my unit, I downloaded HijackThis and I downloaded and used "Malwarebytes' Anti-Malware" . It discovered 28 infections, removed them , but then I was asked (I am reasonably sure by that program) to reboot so it could rid my system of six or seven remaining infections. After doing so, however, I got a system 21a error and Windows won't load.....

What should I do now? I would still like to back-up a few things, but if I am looking at a huge, involved process, I may just want to start over now and reload the XP...thoughts? Ideas?

P.S. I am on my lap top at work....

Thanks again. I appreciate any help or advice you can give me......
 

Answer:Malware infestation and c000021a error.....

Restore the computer to the Last known good configuration

If the previous steps in this article do not resolve the problem, start the computer by using the last known good configuration. To start the computer by using the last known good configuration, follow these steps:

Note: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Click Start, and then click Shut Down.
2. Click Restart, and then click OK.
3. Press F8 at the indicated time:
   - For an x86-based computer: When a screen of text appears and then disappears, press F8. (The screen of text may include a memory test, lines about the BIOS, and other lines.) There may also be a prompt that tells you when to press F8.
   - For an Itanium architecture-based computer: After you make your selection from the boot menu, press F8. There may be a prompt that tells you when to press F8.
4. Use the arrow keys to select Last Known Good Configuration, and then press ENTER.

NUM LOCK must be off before the arrow keys on the numeric keypad will function.

5. Use the arrow keys to highlight an operating system, and then press ENTER.

Notes
- Choosing the Last Known Good Configuration startup option provides a way to recover from problems such as a newly added driver that may be incorrect for your hardware. However, it does not solve problems that are caused by corrupted or missing drivers ... Read more

9 more replies
Relevance 54.94%

Hi!

About 3 days ago my PC was hijacked by Malware Wipe and SpyAxe virus. At first I got spurious security alerts telling me to download Malware Wipe, then SpyAxe, then Spy Trooper, all at a cost! I realised they were spoof messages so ran my usual antivirus software, Ad-Aware, Spybot and AVG but these haven't got rid of the problems. I have also now tried Bit Defender as suggested on this site and also have done a HJT log which you will find below.

Other problems are that there are 2 users on this PC, my wife and I. I think the original virus attacked her settings and she cannot now get access to the internet. I can still get internet access on my settings but sometimes lose the connection and there are some sites that show a spoof "This page cannot be displayed" message telling me to download Spy Trooper software.

Can you please help? I am becoming demented here!!

Logfile of HijackThis v1.99.1
Scan saved at 22:38:45, on 03/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C: ... Read more

Answer:Malware Wipe And Spyaxe Infestation

Hi,

I have now performed a total restore of my PC so my original problems have been solved, at least for the time being!!

Please close this topic.

Topcat

2 more replies
Relevance 54.94%

Just recently started having issues with comp. random freezes/crashes etc. I'm running a Dell Dimension 9100, windows XP, SP3 Home edition. Pentium 4 CPU 3 GHz, 4 GB of Ram, Radeon x600 video card. Here are the logs, any assistance is always appreciated. Could not get the GMER program to finish, after 5 hours of scanning the computer froze, so I do not have that log. Sorry

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:43 PM, on 8/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7... Read more

More replies
Relevance 54.94%

Below is my file. I began following the steps on another post in this forum **System Integrity Scan Wizard at http://forums.techguy.org/malware-r...0384-solved-system-integrity-scan-wizard.html ** and found that my processes and registries are different. I have an idea of some of the ones to get rid of, but I would rather get one of you experts to point out all of them. This thing sucks, it is popping up stuff in my browser now and new pop ups on the screen. I have been running CleanUp, Ewido, AdAware, McAfee to no avail. Please help. In exchange I will donate some time to the programming forums.

Thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:14:09 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\m... Read more

Answer:Analyze my Hijackthis log - malware infestation

I have all of my eggs in one basket. I hope you guys lend a hand.

I ran smitFraudFix and CleanUp again in safe mode. restarted it and it looks better, since I have not received anymore fake security pop ups. the log looks cleaner, but I can't tell.

Here is the new log after that.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:15:35 PM, on 4/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Downloads\bin\ScrumworksService.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
c:\Program Files\Microsoft SQL Server\90\Shared\... Read more

2 more replies
Relevance 54.94%

Computer has suddenly become much slower after a couple of downloads. Computer now lagging when running multimedia and taking much longer to load icon graphics when opening folders. Thank you.

.
DDS (Ver_11-03-05.01) - NTFS_AMD64
Run by Administrator at 4:59:04.22 on Thu 03/10/2011
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6143.4232 [GMT -8:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}
AV: Trend Micro Internet Security *Enabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Internet Security *Enabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Lavasoft Ad-Watch Live! *Enabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k Network... Read more

Answer:Computer much slower. MALWARE INFESTATION

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more

21 more replies

I recently had someone else using my computer who somehow ran an undesirable executable, causing an infestation on my computer. I've spent the past couple of days removing what I could and think I've done a pretty thorough job; however, I'm not as versed in the removal of spyware, malware or viruses as I would like to be and was hoping someone could take a look at my most recent HijackThis logfile and let me know what (if anything) I've missed.

Logfile of HijackThis v1.99.1
Scan saved at 4:54:30 PM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no n... Read more

Answer:help with removal of recent spyware/malware infestation.

Post hijack logs from normal mode
NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

Download this file :

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
or
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log

Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

=====================
Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others as they were.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everythin... Read more

3 more replies

The system is infested with a bogus antivirus program called Professional Antivirus. It has a green shield icon with a white checkmark. It comes up and starts running a scan immediately, throws up a bogus Windows Security screen and fake firewall messages. The system also has icons on the desktop named: spam001.exe, spam003.exe, troj000.exe, pornotube.com, nudetube.com, and youporn.com. The Windows taskbar is missing and the Task Manager has been disabled. I have run the DDS and GMER utilities and have attached the logs. I am in PST and will be unavailable to respond or work on this again until this evening. I am posting the DDS log results below:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 22:13:27.20 on Wed 09/22/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.81 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Antivirus *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

c:\windows\system32\svchost -k dcomlaunch
svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k wudfservicegroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\... Read more

Answer:Professional Antivirus program / malware infestation

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

12 more replies

Dear TechGuy staff and volunteers,

First off, let me say how thankful I am for the time and dedication that you provide to the internet community.

I am writing in regards to a malware/trojan infestation on my laptop that has gradually made it difficult and frustrating for daily use. The problems began small: pop-ups and spam with internet traffic that grew to a large divert problem, where now I can hardly click any option from a search engine without being redirected to a spam site.

The various online scanners, including HouseCall, Kaspersky, and ewido, all report installation problems when I go to run them (even in safe mode w/ networking), and the trial AntiVirus software I've downloaded for Norton and Kaspersky A) cannot connect to install new signatures (even manually the links of the company websites do not work) and B) report no infections.

Though it may be psychological, the computer also seems to be running considerably more sluggish than it did in the past!

Attached is my HJT log below, and if there is any more information I can provide, please let me know.

Thank you for your time,
-Brian

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:09 PM, on 8/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Defender\M... Read more

Answer:Malware/trojan infestation on my home office PC

Bump!
 

2 more replies

Hello, I am having an extremely hard time removing some Malware/Trojans from my computer. I have followed all the scanning, safe-booting, and preparation tips listed in the READ & RUN ME FIRST Malware Removal Guide before posting my problems. I have spent literally about 10 hours trying to get rid of the viruses/spyware/malware and eliminated a couple of problems but some will not go away. This is the worst infestation I have personally ever seen. At first my computer ran fine. Now it is extremely slow and my DVD drive won't work as of today. Here is what my various tests showed and resulted in:

Trend Micro-Cillin (my default virus protection):
When the virus first hit it detected it but could not clean, delete, or quarantine it. The original file was: expl_execod.a - Now when running a Trend full scan it doesn't pick up any viruses or anything. I have real-time scanning enabled and it occasionally warns me about various Trojans trying to load and it quarantines all of them except for Troj_Purity.r and TROJ_DLOADER.HBJ

Spybot-Search & Destroy:
It detects Smitfraud-C.Toolbar888 When I click Fix selected problems it says it cleans it, but upon restarting the computer it is back again.

CounterSpy:
Results attached below. Files come back after computer restarted.

BitDefender:
Results attached below.

Panda ActiveScan:
Results attached below.

XoftSpySE:
This scan finds: Troj/Agent

software\microsoft\windows nt\currentversion\winlogon\notif... Read more

Answer:Trojan/Malware infestation. Please Help! Logs attached!

I also must thank any who help in return.
 

9 more replies

Below is my HJT Log.

I have hguest and hpwis at least and probably more. The first symptom I noticed was a few weeks ago when all my cookies started disappearing or not working. Message boards and banks started never remembering me from one hour to the next. For a while I thought I could deal with that, but I eventually noticed that my Task Manager always said I was running hguest. I found it was malware so I went and found a file called hguest and I deleted it. That was a few days ago and the cookies haven't gotten any better. But every hour or so an error would pop up and say it can't find hguest.

Today I started getting bombed with porn popups. Several per minute and now and then there is a burst where I can hardly keep up. It is doing it as I type this. And when I try to use the task manager it says it has been disabled by the administrator.

The popups are mostly Spanish and Russian language porn sites, but every now and then it tries to download a codec that I reject, and now and then it just puts up an error saying that I'm not allowed to download a file, which is something I'm not trying to do.

I did something I'm probably not supposed to do by trying to fix it with HJT without help. I deleted several R1's called hpwis. It didn't help.

Here's the current HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:29 PM, on 9/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 ... Read more

Answer:Ugly Malware Infestation - Pop Ups, No Task Manager

I managed to get things fixed, I think.
 

1 more replies

Hello! Thanks for giving your time and experience to help others!

I have spent most of the day trying to rid a friend's laptop of multiple malware programs and now seem to be seeing some of the same ones returning. Also, after I do a search in Google, if I press a link I may go to an unrelated site. Also, although I thought I had removed SystemDefender, it still pops up every so often.

This laptop belongs to a college freshman and I'm trying to get it cleaned up for him since classes start in a day and a half.

It is a Gateway MX6930, Intel Core 2 T5500, 1.66GHz, 1.99GB RAM, running Windows XP Media Center Edition Version 2002, SP2. It has AVG Free 8.0, Ad-Aware, and Spybot Search&Destroy on it.

When I got the laptop, it was showing "Virus Alert!" in the task tray where the clock should be, and My Computer was missing, and the Start Menu was missing Run, Control Panel, and other things. I started it in Safe Mode. I ran MSCONFIG and disabled everything I couldn't verify should be running (by googling it on another computer). I also ran AVG in Safe Mode. After rebooting, the Start Menu seemed to be OK again. I downloaded Malwarebytes' Anti-Malware and SUPERAntiSpyware Free and ran those. I then updated the definitions for AVG and Spybot S&D and ran them. I updated Anti-Malware and ran that again, too. I have not yet run Ad-Aware. I am running Kaspersky on-line at the moment. Some things that were deleted: Vundo, FakeAlert, Agent, Dropper, ... Read more

Answer:Malware Infestation and Google Link Hijacking

I've continued to run AVG, Malwarebytes' Anti-Malware and SUPERAntispyware Free, Ad-Aware, and Spybot S&D, looked carefully at every line from HijackThis, made a couple of registry tweaks (saved the entries before changing them), and I think I've gotten all the malware off the laptop -- ran all the above software and only hit two tracking cookies.

But the Google problem is still there. I think this could be an exploit based on DNS poisoning because the laptop is still Windows XP SP2. Somehow the Control Panel said Automatic Updates were on but they were turned off in the services. I turned them back on and am installing SP3. Then I'll install all subsequent updates and see if the Google problem is resolved. I know this was fixed in Windows and a lot of other software recently. I'm running a fully updated laptop next to the problem machine, both connected to the same wireless router, and my laptop has no problems with Google while my friend's laptop does.
 

2 more replies

Hi, I seem to have gotten some really crazy viruses suddenly on my computer. It slowed down to a chug, then showed a command prompt for about a second before crashing.

When it restarted my background had been replaced by a warning that said I was infected with spyware. That background is now gone. Basically the computer takes a long time to start up and is running extremely slow. Every now and then it will crash and reboot (showing a command thing before it does).

The first time after it crashed there were a few weird things in my msconfig startup; I deselected them. The only thing that's suspicious now is something called "winupdate" which I didn't have before and which I disabled from starting up. After googling, winupdate appears to be a trojan.

Some other things: it let me run Malwarebytes Anti-Malware, but when it tried to reboot to remove things on startup, it didn't actually reboot all the way, it just stayed as a mouse icon on a blank screen...

Whatever virus I have appears to be the nasty kind that doesn't let me run other anti-virus programs. It doesn't let me run Ad-Aware or ComboFix. Also, it doesn't let me use System Restore (when I click 'Next' nothing happens).

I'm also getting weird popups ('message from webpage' --- klikk her for $ GRATIS i blackjack sjetonger, Norwegian for "click here for $ FREE in blackjack chips") with an option of clicking OK or Cancel. Hmmmm.

Well, those are all the symptoms I can see. Here's my HijackThis log:

Logfile of Trend Micr... Read more

More replies

hello all,

I use my PC for video games as well as all other functions, but I'm quite sure this malware came from the video games side....

Anyway, recently I downloaded a program to help me understand the game better and, to my surprise, the day after I downloaded it my PC was under attack.

It seems that whoever I downloaded this program from installed a keylogger as well as other vicious programs on my system (yes, I know, stupid me)....

He gained access to my accounts and completely wiped everything away.....

I used Spybot/Ad-Aware/AVG but they did not help as the thief continued to steal stuff from my account....

I am in the process of re-formatting my PC....

But my main question here is...... I have a few computers networked and am worried that the malware can spread through my network to my other PCs....

Is this possible?

Do I need to re-format all my other computers?

Any help or further input on this would be greatly appreciated.

Thank You.
 

Answer:Please help me out..severe malware on pc..

Hi

Well, you don't necessarily need to format the other PCs. What I would do is run some extra scans and tools on those PCs to see if anything malware-ish pops up.

Especially some of the Alternative Scans such as Ewido, A-Squared and BlackLight, as well as our normal guide below. Only if something is highlighted as malware in any of the scans, then attach the logs for that PC as required (but if multiple PCs are infected, start a new thread for each PC and in the title add the tag PC #1 or PC #2 etc. so we know these are different PCs' logs).


Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important... Read more

1 more replies
Question: severe malware

Hi everybody,

I have a computer that was infected and I've tried to clean it, though it looks like there are some infections that I can't find. I used Ad-Aware and Spybot to clean the computer, I ran Trend Micro scans and everything was OKed. However, my desktop is showing a black screen with 'warning, your computer might be infected with spyware. Click here for the latest remover.'

Here is my WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 16-May-05 5:02:30 PM 151696 C:\FxSasser.exe
UPX! 20-Jul-05 4:23:00 PM 6146 C:\q809295.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 25-Jul-05 9:24:38 AM 15442435 C:\WINNT\lpt$vpn.745
qoologic 25-Jul-05 9:24:38 AM 15442435 C:\WINNT\lpt$vpn.745
SAHAgent 25-Jul-05 9:24:38 AM 15442435 C:\WINNT\lpt$vpn.745
UPX! 03-May-05 11:44:44 AM 25157 C:\WINNT\RMAgentOutput.dll
UPX! 17-... Read more

Answer:severe malware

Hello samia and welcome to the BC malware forum.

We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. If you do not have a copy of HijackThis or do not have the latest version (1.99.1) then download it from here: HijackThis_sfx.exe

Double-click on the file you just downloaded and click on the UnZip button to install the program. It will be installed to the C:\Program Files\HijackThis\ folder by default.

Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis and click the Add Reply button.

I will review your log when it comes in.

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT

8 more replies

I have a Dell Inspiron 1100 running WinXP. Spyware Doctor has identified: Trojan Virtuemode, RootKit Agent, and Adware Components.Claria. 7 threats, 238 infections.
Here's the problem: slow bootup and when background and icons appear, the icons and start programs disappear before I can get to click on one to run it! The background image stays, but after 15 to 30 seconds icons will again appear. This sequence continues until it finally stops and only the background image is shown. This may be after 5 or more minutes when it finally stops the sequence.
I was once able to run Spyware Doctor which identified the malware, but it couldn't remove them..I had the freeware version.
It will not read a CD so I can't do a restore or reinstall.
Could I use a flash drive with Spybot or other program to clean this stuff out?

Or, are there any good suggestions to clean this up.
I have other computers with which to load the flash drive.
hgbbs
 

Answer:Severe malware problem.

Welcome to Majorgeeks!


Hopefully you can run the below, as this will give our malware experts some info to help you remove this malware pest. If you get stuck on any part that won't run due to the issues you have with slow applications, just move on to the next part of the guide, but the more you can complete and gather the logs the better.


Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide plus a guide on how to attach the logs HOW TO: Attach Items To Your Post
 

3 more replies

I have a malware/virus that is causing havoc with my computer - xp dell dimension.

At first, the malware disabled my ability to open the control panel and any programs in the "start" menu. After running Malwarebytes, I was able to get that back. However, the malware is still there causing major delays in my surfing and other apps. I get redirected quite a bit to this address: http://scanner.micro-av2009.com and http://scanner.rapidantivirus.com. Also, I noticed that Malwarebytes removes lots of infected files, but they come right back after the reboot. There must be some hidden file that spawns all these files after they are removed!!

Additionally, the malware has turned off my ability to download any MS Windows security updates - automatic updates are turned off and I get error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. I have tried to turn it back on repeatedly in "Services," but no success. Additionally, I attempted to follow MS advice at this address: http://support.microsoft.com/kb/838428/ However, the directory they are referring to (Legacy_RPCSS) is not present on my directory.

OK, so I decided to take the bitter medicine of just sending my computer back to original factory settings, but this pig of a malware has actually somehow disabled that capability, too!! Can you please help me to resolve? I pasted the Hijack This log below:

Do you know who created this malwar... Read more

More replies

I am running a Dell Laptop with Vista Ultimate SP2 (all windows updates have been done), I have Mcafee Total Protection 2009 as my antivirus scanner.
My problem is that I can no longer adjust my background nor see image icons, as shown in the images below.
http://i42.photobucket.com/albums/e303/infinete/error1.jpg
http://i42.photobucket.com/albums/e303/infinete/error2.jpg
I have posted this question on a previous thread in section of this forum
"http://forums.techguy.org/windows-vista-7/833710-weird-problem-image-files-background.html"
One error that I keep getting is "ID Finder For DDoSeR has stopped working" which is apparently a form of Malware I believe.

Here is my HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:41, on 10/06/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Microsoft Office\Office14\GROOVEMN.EXE
C:\Program Files\IRReceive\IRReceive.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DELL... Read more

More replies

About a week and a half ago, I turned on my computer to find that it would completely freeze when I tried to log on. I booted in Safe Mode and did a System Restore, thinking a recent Windows update may have caused the problem. I was then able to log on, but ever since, the computer will occasionally just freeze up, usually when an internet browser is in use (the freezes seem to be mostly random, although web email and eBay almost always trigger one). Task Manager shows very little CPU usage (only about 2-5%). Initially it was only Internet Explorer that froze, so I switched over to Firefox, which worked only for about 30 min before it froze as well.
 

Answer:Severe performance decline: malware?

It looks like you may have a faked partition:

Code:
FALSE Disk #0, Partition #3 5363466240 Unknown

Partition Disk #0, Partition #3
Partition Size 5.00 GB (5,363,466,240 bytes)
Go to the control panel, Admin. Tools, disc management and attach a screen shot of your partitions.

Then:
Go to the below link and follow the instructions for running TDSSKiller from Kaspersky
TDSSkiller - How to run
Be sure to attach your log from TDSSKiller

Please also download MBRCheck to your desktop.

See the download links under this icon
Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
It will show a Black screen with some information that will contain either the below line if no problem is found:

Done! Press ENTER to exit...

Or you will see more information like below if a problem is found:

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )

 

3 more replies
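The MBRCheck step above is looking at the first sector of the disk: 440 bytes of boot code, the four-entry partition table and the trailing 55 AA signature. As an added example (this is not MBRCheck's or TDSSKiller's code, and not how those tools decide a disk is infected), the Python below parses a raw MBR and reports the things a practitioner would otherwise check by hand: a bad signature, partition type codes outside a small recognised table, invalid status bytes, more than one active partition, overlapping entries, and boot code whose SHA-256 differs from a reference dump taken on a known-clean machine. The sample sector is constructed: its boot code is placeholder bytes, not a real Windows MBR, and its third entry copies the size of the 5.00 GB "Unknown" partition from the thread with an arbitrary type code (0x7E) so that the unknown-type check fires.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Type codes this checker treats as recognised. Anything else is reported for
# manual review; a code outside this table is a lead, not proof of infection.
KNOWN_TYPES = {
    0x05: "extended", 0x06: "FAT16", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)",
    0x12: "OEM diagnostics", 0x27: "Windows RE (hidden NTFS)", 0x82: "Linux swap",
    0x83: "Linux", 0x8E: "Linux LVM", 0xDE: "Dell utility", 0xEE: "GPT protective",
    0xEF: "EFI system",
}


@dataclass
class PartitionEntry:
    index: int          # 1-based slot in the table
    status: int         # 0x80 = active/bootable, 0x00 = inactive
    type_code: int
    lba_start: int
    sector_count: int

    @property
    def empty(self) -> bool:
        return self.type_code == 0 and self.sector_count == 0

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sector_count

    @property
    def size_bytes(self) -> int:
        return self.sector_count * SECTOR


@dataclass
class MBR:
    boot_code: bytes              # bytes 0..439
    entries: List[PartitionEntry]
    signature: int                # 0xAA55 when the last two bytes are 55 AA


def parse_mbr(sector: bytes) -> MBR:
    """Decode a raw 512-byte first sector into boot code, table and signature."""
    if len(sector) < SECTOR:
        raise ValueError("need a full 512-byte sector")
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        entries.append(PartitionEntry(i + 1, status, ptype, start, count))
    (signature,) = struct.unpack_from("<H", sector, 510)
    return MBR(sector[:440], entries, signature)


def boot_code_digest(mbr: MBR) -> str:
    """SHA-256 of the boot code, to compare with a dump from a known-clean disk."""
    return hashlib.sha256(mbr.boot_code).hexdigest()


def check_mbr(mbr: MBR, reference_boot_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    if mbr.signature != 0xAA55:
        findings.append("missing 0x55AA boot signature")
    live = [e for e in mbr.entries if not e.empty]
    for e in live:
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {e.index}: invalid status byte 0x{e.status:02X}")
        if e.type_code not in KNOWN_TYPES:
            findings.append(f"entry {e.index}: type 0x{e.type_code:02X} not in the "
                            f"recognised-types table ({e.size_bytes:,} bytes)")
    if sum(1 for e in live if e.status == 0x80) > 1:
        findings.append("more than one active partition")
    ordered = sorted(live, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_end:
            findings.append(f"entries {a.index} and {b.index} overlap")
    if reference_boot_sha256 is not None and boot_code_digest(mbr) != reference_boot_sha256:
        findings.append("boot code differs from the reference image")
    return findings


def _entry(status: int, ptype: int, start: int, count: int) -> bytes:
    return struct.pack(ENTRY_FORMAT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)


# Constructed sample (not a real disk image): placeholder boot code, zero disk
# signature, two NTFS partitions and a third 5,363,466,240-byte entry with a
# type code the table above does not recognise.
BOOT_CODE = b"\xEB\xFE" + b"\x00" * 438            # jmp $ then padding, 440 bytes
SAMPLE_MBR = (
    BOOT_CODE
    + b"\x00" * 6                                  # disk signature + reserved
    + _entry(0x80, 0x07, 2048, 204800)             # 100 MiB active NTFS partition
    + _entry(0x00, 0x07, 206848, 50000000)         # main NTFS partition
    + _entry(0x00, 0x7E, 50206848, 10475520)       # 5.00 GB, unrecognised type
    + _entry(0x00, 0x00, 0, 0)                     # unused slot
    + b"\x55\xAA"
)

if __name__ == "__main__":
    parsed = parse_mbr(SAMPLE_MBR)
    for e in parsed.entries:
        if not e.empty:
            print(f"#{e.index} status=0x{e.status:02X} type=0x{e.type_code:02X} "
                  f"start={e.lba_start} bytes={e.size_bytes:,}")
    for finding in check_mbr(parsed):
        print("!", finding)
```

To run it against a real machine, feed `parse_mbr` the first 512 bytes of the physical disk (on Linux, `dd if=/dev/sda bs=512 count=1`; on Windows, open `\\.\PhysicalDrive0` for reading from an elevated prompt) and pass `boot_code_digest` of a sector dumped from a clean install of the same Windows version as the reference. A rootkit that hooks disk I/O can present a clean sector to software running on the infected system, which is why the thread's helpers also want the disk looked at from outside the running OS.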

Screen blacks out. Scripts won't load correctly. Won't load some images in the internet browser. Icons disappear when clicked on sometimes. Long boot time. Extremely slow.

DDS LOG (still trying to get GMER to finish a scan; will post as soon as it completes)

DDS (Ver_10-03-17.01) - NTFSx86
Run by jacob burger at 15:45:12.07 on Fri 09/03/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.70 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Flip Video\FlipShare\FlipShareService.exe
C:\Program Files\AVG\AVG9\avgam.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wirele... Read more

Answer:Very severe virus/malware problem

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Do not attach logs unless I ask you to.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Note** If you are having problems posting the complete log into this thread, upload them here http://www.rapidshare.com/ and post the links in this thread.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

GMER is the best but can be hard to get a log; let's try this and see what we get.

Scan With RKUnHooker

Please download Rootkit Unhooker and save it to your desktop.
Now double-click on RKUnhookerLE.exe to run it.
Click the Report tab, then click Scan.
Check (tick) Drivers, Stealth. Uncheck the rest, then click OK.
Wait till the scanner has finished and then click File, Sa... Read more

16 more replies

The whole incident started with pop ups by "Internet Speed Monitor." I had run Spybot and gotten rid of a bunch of files called "Command Service." But I was still stuck with the pop up and a bunch of suspicious processes that still refuse to go away--and they were fooling my computer into thinking there was no HDD to boot. After rooting it out manually, I was able to get rid of the ISMPack and whatever it was that was causing the HDD error, but this one is being a stubborn little bastard:

LSSrvc.exe

I've run CCleaner and I've already run CounterSpy and, while it's taken out most of the trash Spybot wasn't able to, even CS was unable to get rid of this. I wanted to run BD and PandaScan, but the sites wouldn't let me. Do you know how I might be able to get rid of this? I know for a fact it's not supposed to be there.

BTW, while I'm here I might as well ask about something weird that happened with Spybot: when it failed to remove all the malware and ads, I figured I'd update it, but every time I tried it would read "invalid floating point." When I circumvented it by using the Start menu, it denied me again, but this time saying "An outside source has corrupted this program." Is Spybot even reliable anymore? Can I trust it to not have been tampered with ever again?
One more thing: I've been trying to remove CounterSpy from my machine, but it refuses to let me from the Control Panel. What&... Read more

Answer:Severe malware problems (not sure how to identify it)

Welcome to Major Geeks!

First a few questions.

Why didn't you attach the requested log from CounterSpy?
When you tried to run BitDefender and Panda, what browser were you using and what exactly happened?
Why do you have no antivirus and no firewall applications installed?
Do you know what the below is?
O4 - HKCU\..\Run: [ISMPack6] "C:\Program Files\ISM2\ISMPack6.exe"

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.1_02

Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O2 - BHO: (no name) - {44A3BC3F-0E9E-423F-811D-569C55234475} - C:\WINNT\system32\mlljg.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dmapz.exe] C:\WINNT\system32\dmapz.exe
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: fccdcby - fccdcby.dll (file missing)
O23 - Service: Microsoft Internet Explorer - Unknown owner - C:\WINNT\system32\_svchost.exe (file missing)

After clicking Fix, exit HJT.

Now download The Avenger by Swandog46, and save it to your Desktop.

Extra... Read more

9 more replies

Hi, I'm spica, nice to meet you.

Last week my computer was shut down by spyware and the last notification from my computer was a trojan warning. I ran my anti-spyware software, it couldn't remove two files no matter what I did. Later I found out that the files were associated with the Bancos virus. (sms32.dll.ini and win32.dll.ini) When I restarted the computer to run the antispyware again, the computer wouldn't even let me log in anymore. I tried going in Safe mode, same thing happens. I log in as the administrator, the computer logs me out automatically in 5 seconds. Is there a way around this? At this point, editing my registry is impossible and I don't know if reformatting my hard drive is even possible.

I called three technicians and all of them told me that it's a lost cause and to reformat the drive or just get a new computer. If you have other suggestions or ideas, please share!

Thanks for reading, and I look forward to your responses.

spica
 

More replies

This is a computer with multiple infections. I am attempting to assess what infections they are and what can be done with the infections in place. Normally, with all that I've found, I would wipe the hard drive and start over. But it is necessary, in this case, to identify all the malware I can. The computer did not have malware or virus protection. The OS is Vista. I initially ran malwarebytes in a regular session. The results:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

4/16/2010 2:30:36 PM
mbam-log-2010-04-16 (14-30-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 303203
Time elapsed: 5 hour(s), 14 minute(s), 30 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 319

Memory Processes Infected:
C:\Program Files\Gamevance\gamevance32.exe (Adware.Gamevance) -> No action taken.

Memory Modules Infected:
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> No action taken.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gamevance (Adware.Gamevance) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVe... Read more

Answer: Forensics of a very severe malware infection

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

11 more replies

My computer has so many problems with it right now. I ran MBAM and S&D a couple of times and each time came up with nothing. One of the problems is that my internet seems to be blocked or something. I am using a wireless connection on my laptop right now, but on my computer, whenever I open Firefox, nothing loads up, as if it gets stopped automatically. Other problems are some virus programs being installed, Windows XP's interface being changed into some older-looking one, and my hard drive memory is being drained.

I tried to do a DDS scan but the Notepad came up blank every time.

Thanks to anyone who can help me.

Answer: Severe virus/malware problems

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear.
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue.
A 'Finished!' message will ap... Read more

48 more replies

Hi all, hoping I can get some help. Seem to have managed to really mess up my laptop. Basically in Normal windows mode dllhoste.exe seems to eat all my system resources and then I get a blue screen of death. In safe mode I can use most things but it is slow and unresponsive. Below is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:10:04, on 06/07/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Intern... Read more

Answer: Please help - malware infestation - Google redirects and blue screen of death dllhost crashes

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies

Symptoms include not being able to access Windows Updates; browser being hijacked and redirected all the time, svchost.exe and other .exe runtime errors, slow computer, etc.

DDS log is here:

DDS (Ver_10-11-10.01) - NTFSx86
Run by DRL at 13:55:35.02 on Wed 11/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1167 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sp... Read more

Answer: severe malware/virus/bot/worm infection

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you... Read more

3 more replies

My high school senior's laptop was totalled by malware on 10/25. A pop-up message 'Antivirus System Pro' prompted her to buy; she closed the window without buying, but the damage is done. There may have been a few things resident already, who's to tell.

Symptoms: Computer does not have wireless or NIC connectivity - blocked. Wireless continually seeking a connection and being blocked. Malwarebytes was onboard - now cannot scan. Also has McAfee - cannot run scan. Problems with logging on as different users. Sporadically cannot reboot Windows - NT timing out message pops up. Searched modified files from 10/25 and found chhite application which I put in the recycle bin. Found UECJSYSGUARD.EXE-05346AED.pf and put it in the recycle bin. Noticed a cookie from greatfeedmill, among other cookies including pctools from that same time; reported to be a malicious redirected internet site. A bunch of stuff created in another user's application data folder about the time this attack happened - application data\microsoft\cryptnet, also google desktop files in my daughter's user temp files.

Was able to install and run Avira antivirus and it isolated 15 issues - some may be false positives from Spybot which we used to have installed - they have been quarantined.

Downloaded DDS and it will not allow the script to run from either CD or main disk drive (I disabled Avira) - don't know what to do to get that info.

Ran GMER which run pretty well but did lock up towards the end of the scan - I have a 2 part scan fi... Read more

Answer: Severe Malware Damage - Critical Laptop

Hello -

Sometimes, a machine gets so badly damaged the best course of action is to reinstall using a Windows installation disk, or revert it to factory condition using the recovery disks or recovery partition most large manufacturers provide these days.

Let's see if we can get a bit more detail about what's going on. The gmer log did provide some detail.

Please save this file to your desktop. Double-click on it to run a scan. This scan may take a while. Please wait until you see this in the command box:


Finished! Press any key to exit...


Now, press any key to exit. There will be a log called Win32kDiag.txt on your desktop. Please post the contents here.


Also see if this next tool will run...
Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\rsit\info.txt

Click Upload.



---------------------------------------------------------------------------------------------

19 more replies

Hello guys, I hope you can help me out here.

I got a laptop from a friend with Vista Home Edition.

He cannot surf the web; Firefox says "the connection was reset" when trying to access a website and IE says "internet explorer cannot display the webpage",

although I can ping websites and run MSN Messenger.

- I'm not surfing through a proxy

- I have a valid IP address, DHCP assigned; firewall is disabled (could only be done in safe mode!? because Vista hung before)

- I read that it could be a problem with Winsock but I tried repairing it with 2 different tools with no success (the first tool said there was no problem).

- DNS settings are correct because nslookup looked fine

- when booting in safe mode I don't get a valid IP address but (169.)

- I scanned with SUPERAntiSpyware and avast with no results; I cannot install Spybot because while it's installing it needs to download files.

- I have a HijackThis log but I'm no expert in reading the log
What steps should I take to get rid of this damn virus?

Answer: severe problem with internet connection due to malware

Welcome to Major Geeks!

muckvv said:
when booting in safe mode I don't get a valid IP address but (169.)

Then it is not really a valid IP address. That is just the default when you are not talking to the DHCP server.

muckvv said:
I cannot install Spybot because while it's installing it needs to download files.

Spybot can be updated manually. Spybot Search and Destroy Update

muckvv said:
what steps should I take to get rid of this damn virus

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide

You will have to download the tools using another PC and copy them to this PC via CD, flash drive, etc. The same will be necessary to get the logs back to us if no connection is available after the scans.

3 more replies

Can anyone assist me please? Since last Tuesday my home PC has been infected with what I can only assume is a piece of malware. It pretends to be the Windows system advising that I have a Netsky32 virus and need to download some antivirus software to remove it. It then continually opens Internet Explorer windows and locks my machine up.

I have a HP Pentium 4 machine running Windows XP Home Service Pack 2. I was using Norton Antivirus 2008; I have (since last Tuesday) removed this and replaced it with Spysweeper and Kaspersky 7.0. Spysweeper found and removed 4 trojans and 60 tracking cookies on its first safe mode sweep; despite this the problem persists. Kaspersky found an invader trying to infect Internet Explorer but even when removed it reasserts itself. I had some advice from Spysweeper to run a smitfraudfix in safe mode; this did help temporarily and gave me the opportunity to remove Norton and upload Kaspersky 7.0, which has been preventing the virus reasserting itself; however the machine is still overloaded by the Kaspersky software fighting against it.

Any advice?
 

More replies

I have done the best I can on my own, and I am not getting anywhere.

Over the past few months I have had a lot of trouble with malware ransoming my computer. It usually starts out with some fake virus protection warnings etc. and after a few reboots my system is totally screwed up.

Last time it got so bad I couldn't boot up; it went straight to blue screen before even attempting to start Windows. Had to ultimately wipe everything and start from scratch.

I do not understand how this keeps happening, as I run MBAM and SAS on a regular basis, and also have virus protection in the form of Shaw Secure (from my ISP, created by F-Secure; I know, not the best).

Anyway right now it is at it again: cannot run most programs, I get a dll or image not valid message. There is a little red X in the bottom right on the task bar that keeps asking me to activate virus protection, but even clicking OK doesn't do anything. I can run scans with SAS and MBAM and it always finds things, such as Trojan.Vundo, Trojan.fakealert.BTQ, gen.trojan.heur, rogue.w32 etc. etc., so I get rid of them, reboot and things just keep getting worse. I can no longer update SAS or MBAM because my connection is ransomed, but I believe I have the latest versions anyway.

Why can't MBAM and SAS get rid of my problems, despite repeatedly finding and removing these threats?
What do I do next, as I am fearing another wipe?

I am extremely frustrated and would appreciate any insight or help.

Thank You!

~Adam

Answer: Severe repeated infection, malware/ransomware

I just want to add a little bit more information to my above post.

I am running Windows XP. My background has been changed to blue, and I am unable to change it to anything else.

I just finished running MBAM and SAS full scans again, 3rd or 4th time this evening. Found Trojan.FakeAlert (cannot remove, delete on reboot) and a pair of Warning.html files.

Rebooted, and, as usual, my virus program (from F-Secure) identifies a threat (FakeAlert.BTQ) and attempts to remove it, then asks for a reboot. An error message keeps popping up any time a program tries to run: "The application or DLL C:\Windows\system32\helper32.dll is not a valid Windows image..."

No internet..etc. Rinse, repeat and so on. At least I can still boot up, and hopefully will be able to fix this before it's too late again.

Thanks again

~Adam

2 more replies

I share a computer with the rest of my family; we all have separate accounts but mine is the admin's. On logon the other day I found a whole lot of porn screens popping up and hogging the processes. The process was "obd.exe", so I stopped the process and ran a search with "malwares: anti-malware", which seemed to find and delete a whole lot of malicious software.

But THEN on restart when I logged in explorer.exe was not running and I couldn't access the control panel...

So yeah, the PC is pretty much useless to my whole family atm and they expect me to fix it posthaste; problem is that I'm not too technically savvy so I NEED YOUR HELP!

This is the HijackThis Log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:06 PM, on 16/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C... Read more

Answer: Severe virus/malware issue (obd.exe related)

bump, my computer is now infected with a load of new viruses...
 

2 more replies

I remember a file (I don't remember the name because I deleted it), sent to me not two days ago. This was the beginning of my problems. I tried to scan the file for viruses, but, accidentally, when I right-clicked the icon to click scan for viruses, I clicked OPEN instead. So began the obnoxious pop-ups and downloads of random malware-ridden programs. I need to know what I have to delete.

Logfile of HijackThis v1.99.1
Scan saved at 8:42:58 PM, on 8/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\sys... Read more

Answer: Command Service Malware, Causing Severe Pop-ups And Random Downloads

By the way, the Command Service, mentioned in the title, is MOST DEFINITELY the cause of my problems. My AntiVirus(Symantec) program caught several trojans screwing with my computer.

11 more replies

Hello,

My computer has gotten severely infected with malware; it started a couple of days ago when I accessed a Simpsons-streaming site. The internet slowed down dramatically, I started getting Google redirections, and Ad-Aware was unable to completely remove the problematic files. I noticed there was something with lsass.exe malfunctioning (probably a virus related to this)? Anyway, I made a system restore, going back a couple of days. However, this didn't help it. I did a MBAM scan and noticed the names that are mentioned in the topic title. I wanna try to remove as much as possible, try to do a clean and then repair, and then attempt to format and reinstall the system. Any help is appreciated,

Best regards
Tommy

P.S. I tried running the GMER application but when I start the scan, my computer just restarts.

DDS log:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Administrat?r at 18:26:38,03 on 2010-04-03
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.46.1053.18.1015.620 [GMT 2:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WIN... Read more

Answer: Vundo, Gootkit, Backdoor.bot, Malware.trace, Severe infection

Hello TommyI,

Please download ComboFix from one of these locations:
Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.
If you need help, see this link:
http://w... Read more

9 more replies

I have a laptop here with a very serious malware infection that I'm not able to clear with the tools at my disposal. 
 
I first tried running Rkill in normal operating mode, and it stalled indefinitely at the “Performing miscellaneous checks” stage.  I gave up there, rebooted into Safe Mode and got the same results. 
 
I then ran TDSSKiller, selected the "Loaded Modules" and "Detect TDLFS file system" options.  After rebooting, TDSSKiller reported that Rootkit.Boot.Harbinger.a was detected and cured. 
 
While TDSSKiller was doing its thing, Microsoft's Malicious Software Removal Tool launched, reporting detection of malicious software and recommended a full scan.  I terminated that process, downloaded the latest release of that tool and initiated a full system scan.  Unfortunately, it stalled at scan item number: 1108958.  I let it sit there for several hours before I terminated it.
 
NOTE 1:  Before initiating the MSRT, I checked running processes and found “Driver Detective” running.  As that was likely malware, I terminated that process.
 
NOTE 2:  During the MSRT run, MSE detected and cleaned the following threats in the background:
    - Trojan:Win64/Alureon
    - Trojan:DOS/Alureon.M
 
I then rebooted and tried running Rkill again - same result - indefinite hang at “Performing miscellaneous checks”. 
... Read more

Answer: Severe rootkit/malware infection - Rkill and MS MSRT Hang when run

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/530544 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

25 more replies

Hi, I'm sorry, didn't know what to put for the subject line. I cannot run Win7; it keeps crashing, freezing up, requiring a "cold boot". There are a number of problems - every once in a while I can start Win7 regularly but I get a pop-up box telling me there is a problem starting Windows, Microsoft is checking for a problem - then it scans and another pop-up states Windows has shut down. I cannot remove the "popular screensavers" from the control panel remove program box - when I try my computer flashes that BSOD and restarts, before the Win7 logo my system runs a ChkDsk automatically and keeps going through this vicious cycle. When I am able to get into the normal Win7 (not in safe mode as I am currently in ... in order to get help from this forum) my programs that I use daily (IMVU, Facebook) will not open; it goes through the opening process then it starts the blue screen, then restarts, runs that scandisk and freezes up requiring another cold boot. I attempted to go into system restore - but there are NO restore options - which is false - I do a system restore once a week - since Aug 2012 and none are there; the virus that I have won't let me restore to an earlier time and it took my Malwarebytes out completely. I don't know what else to do besides seeing if this laptop will fly (throwing the damn thing out the window from my 3rd floor apartment). I am beyond frustration. I think I covered everything it's doing - sorry if I messed up th... Read more

Answer: Ran Malwarebytes, found a PUP, but now severe problems starting Win7

I just ran Malwarebytes and I haven't done anything yet to "fix" the laptop as I am still waiting for SuperAntiSpyware to finish its scan, but here is the saved log file from the Malwarebytes scan:

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2012.12.30.06

Windows 7 x64 NTFS (Safe Mode/Networking)
Internet Explorer 9.0.8112.16421
Trina Marie :: TRINAMARIE-PC [administrator]

30/12/2012 10:00:26 AM
MBAM-log-2012-12-30 (12-11-12).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 444295
Time elapsed: 2 hour(s), 8 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 58
HKCR\CLSID\{C39937A0-C59D-4506-A9FC-0A0138192287} (PUP.FunWebProducts) -> No action taken.
HKCR\TypeLib\{C39937A5-C59D-4506-A9FC-0A0138192287} (PUP.FunWebProducts) -> No action taken.
HKCR\Interface\{C39937A7-C59D-4506-A9FC-0A0138192287} (PUP.FunWebProducts) -> No action taken.
HKCR\CLSID\{a9197738-02a5-46ef-bbf9-fde251c5a631} (PUP.MyWebSearch) -> No action taken.
HKCR\TypeLib\{bbb1a756-c3a5-42cf-8fa3-ba0bd4c6f386} (PUP.MyWebSearch) -> No action taken.
HKCR\Interface\{A1C4DF97-9F5A-4518-A185-B71B3E2EDFA2} (PUP.MyWebSearch) -> No action taken.
HKCR\CLSID ... Read more


Both my home computer as well as my laptop were compromised at least by May of 2009 and maybe prior to that. I believe that this was done by someone who enabled remote access and dropped my firewall. I found some super long log files in the C drive that, after days of going through, I could make out that major changes had been done on 5/28/09. I have followed all instructions for the prep guide, but both comps will not proceed through GMER (it locks up after several hours). I recently downloaded Process Explorer and went through running apps and found that numerous other "shadow" users had been created that redirect commands to these unknown users. I have run Malwarebytes, Spybot, AVG, registry cleaner, Spyware Doctor, Avaria, Spybot, and Registry Booster, but after running Process Explorer and seeing how intensive this still is... I really need some help, please. As I said, GMER on the laptop locks up over and over. The laptop is what I am most worried about, so if I could please get some help on fixing it, it would be greatly appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ronnie Jennings at 22:47:20.47 on Mon 04/05/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1161 [GMT -5:00]
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Internet Security 3-pack *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: AntiVir... Read more

Answer: Computer has severe malware, has added user files, logs attached. Please help.

Hello, I will be handling your log to help you get cleaned up. I apologize for the delay, but the forum is very busy. As you can see, the logs we ask for are very extensive and take a lot of time to investigate. In addition, since I am still in training, all of my responses have to be reviewed by our excellent expert staff, so there may be a delay in response time. The advantage is that your log will be evaluated by two sets of eyes and two brains. If you haven't already, you can keep the link to this topic in your Favorites. Alternatively, you can click the Options button at the top bar of this topic and Track this Topic, where you can choose email notifications. Please make sure Word Wrap in Notepad is turned off. When copying and pasting logs, paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box. Please do not make any changes to your system until we are through. Fixes are based upon information that is current from your system, so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions. If your operating system is Windows Vista or Windows 7, it may be necessary to right click, then choose Run as Administrator, for any programs we use. Before we begin, please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and ... Read more
