Computer Support Forum

I have the hacktool.rootkit virus and it keeps coming back

Question: I have the hacktool.rootkit virus and it keeps coming back

I ran Norton Antivirus and it keeps telling me that it has fixed the problem and to restart the computer. I do that and then I run Norton again and it does the same thing. I have tried to read through some of the similar questions, but did not really understand them; I am not sure what a hijack log is and such. With step by step directions, I might be able to do it myself. I am running Windows XP. I keep getting a pop up saying that "this link does not exist" but it comes up when I am not trying to click on anything. Any help would be GREATLY appreciated!!

More replies
Relevance 100%

Relevance 75.98%

My computer is infected with a virus hacktool.rootkit (Symantec) that keeps coming back. Symantec is always running and the autoprotect shows the file as "cleaned by deletion" but it pops up again in 5 minutes. There are a number of different versions of the files including ntesik.sys, securentm.sys, sti64si.sys and acpi.sys. I see they have been picked up on the HijackThis scan as UnknownUnknown (near bottom of log). The file petert.exe also shown near end of log as created 2009-03-26 is suspicious. When I shut down, a window pops up that petert.exe could not be closed properly. Every time the virus appears it also drops a file in the temp folder. Sometimes it tries to send an e-mail that is blocked by Symantec. I have tried a few online spyware scans but without success. I have deleted all files in the temp & cookie folders and also the windows/ prefetch because these looked suspicious. This is the log from HijackThis. Can you please help????

DDS (Ver_09-03-16.01) - NTFSx86
Run by petert at 16:18:42.19 on Mon 03/30/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.460 [GMT -7:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files... Read more

Answer:Hacktool.rootkit keeps coming back!

This problem has been resolved - virus from an infected e-mail

2 more replies
Relevance 105.37%

Hi

My topic is similar to "Hacktool.rootkit keeps coming back!, Do not know how to fix" posted here on 30 March by Peterbtw921.

Yesterday Symantec started removing various files from \Windows\System32\drivers folder, but they kept reappearing under different names every hour (such as systemntmi.sys, acpi32.sys, systemntmi.sys, etc). Overnight my computer crashed with a Blue Screen, memory overfill I reckon. This morning Symantec started combating same files every 5 minutes. About 30 minutes ago - after I found you and read about Hacktool.rootkit, my computer came under attack: someone is trying to send out various messages (not sure with which application, notifications came out of the bottom right corner). Some of these are stopped by ZoneAlarm firewall (outbound activity - too many messages), others are stopped by Symantec. With all these notifications it became impossible to work on the computer.

I am aware of your policy requiring me not to seek advice elsewhere and not applying changes to my computer.

Many thanks in advance

Vitaly

DDS.txt log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DDS (Ver_09-03-16.01) - NTFSx86
Run by stream at 10:03:06.42 on 08/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.2046.902 [GMT 1:00]

AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Anti-virus Firewall *enabled*

============== Running Processes ==... Read more

Answer:Hacktool.rootkit keeps coming back; computer under attack

Hi vitaly7,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
Please give me a little time to go through your log and I will also let you know that I am a trainee so each stage of the fix will need to be checked by an expert coach before I post so there may be a slight delay. Don't worry I won't abandon you. Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.
Thanks

12 more replies
Relevance 86.51%

The computer is running Xp service pack 2.
When I first tried to fix a popup problem with symantec, the user (my daughter) couldn't log on anymore.
Safemode would begin to load and then rebooted.

I fixed several registry entries using knoppix under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
and copied over a copy of userinit.exe, and ntldr from another Xp installation.

Now the user can logon, but the web pages are redirected to advertisements for removal tools and other things.
A file called str.sys was removed by several malware and antivirus programs and kept coming back.

I still can't boot into safemode. I see a list of drivers loading and then the computer reboots. I would be grateful for any help, thanks.

Here is the report from Rootrepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/27 22:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00002984
Image Path: 00002984
Address: 0xB2A8F000 Size: 71424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2BC3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Lock... Read more

Answer:rootkit virus keeps coming back str.sys

Hi jobarb,
Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.
Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
I see you have Combofix. Please post the log(s) it has produced. If you have run it more than once please attach all of them.
The latest log is located at: c:\Combofix.txt
The earlier logs are located at C:\Qoobox\combofixX.txt where X is a number.

24 more replies
Relevance 80.77%

Hi all,
I have this machine hit by a hacktool.rootkit: I have an always-up-to-date Norton Antivirus 2006 that pops up a "Virus Alert" saying that the virus "was automatically deleted" whenever I try to open a partition (C: or D: ... etc.). Whenever I run a full system scan it says no threats are in the computer but it keeps behaving weird: a "Can't run 6-bit Windows program" message pops when the OS loads, Hidden Files and Folders cannot be shown (yes, I checked the Show box), partition opens in another window than the My Computer one, and it runs really slow. I've googled a lot of blogs to solve the problem and knew that the first thing to do is to turn off System Restore. What should I do then? Attached is the Hijack This! report.
P.S. The machine is not, and not likely to be, connected to the internet.
Thanks.
[saving space - attachment deleted by admin]

Answer:Hacktool.Rootkit Strikes Back

1. Print this post out, since you won't have an access to it, at some point.
2. Close all windows, except for HijackThis.
3. Put a checkmark next to the following HijackThis entries:
- F3 - REG:win.ini: load= D:TCWIN45PIPELINEremind.exe D:TCWIN45PIPELINE\remind.exe
- O4 - HKCU\..\Run: [amva] D:\WINDOWS\system32\amvo.exe
4. Click on "Fix checked" button.
5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts)
6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to "Show hidden files, and folders".
7. Delete following files/folders (if present):
- amvo.exe from D:\WINDOWS\system32
8. Turn off System Restore:
- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.
   6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection... Read more

14 more replies
Relevance 80.77%

Hi all,
I have this machine hit by a hacktool.rootkit: I have an always-up-to-date Norton Antivirus 2006 that pops up a "Virus Alert" saying that the virus "was automatically deleted" whenever I try to open a partition (C: or D: ... etc.). Whenever I run a full system scan it says no threats are in the computer but it keeps behaving weird: a "Can't run 6-bit Windows program" message pops when the OS loads, Hidden Files and Folders cannot be shown (yes, I checked the Show box), partition opens in another window than the My Computer one, and many other problems, and it runs really slow. I've googled a lot of blogs to solve the problem and knew that the first thing to do is to turn off System Restore. What should I do then? Attached is the Hijack This! report.
P.S. The machine is not, and not likely to be, connected to the internet.
Thanks.
 

More replies
Relevance 77.08%

Rootkit.TDSS Hacktool.rootkit

just showed up, have not had a problem for a few months. Please Help with removal. and is someone hacking me or is this common virus floating around? THANKS!

Answer:another virus Rootkit.TDSS Hacktool.rootkit

bump

11 more replies
Relevance 75.03%

I can't seem to get rid of this virus. I have AVG/ NORTON installed. It keeps coming back even after I reformat. However, I did move my files (pictures, music) to my external drives before reformatting my computer.. can that be a reason why it keeps coming back to me? Does this mean I have to wipe out all my information from my externals? Every time I open my local disk.. or an external harddrive or a flash drive.. I get a popup this message from my virus scanner. Please help. I'm also new to the forum. I had to register because I was so stumped with this problem. Thanks in advance. Also, I think this AVPO.EXE is also associated with the virus.

Logfile of HijackThis v1.99.1
Scan saved at 9:03:56 PM, on 9/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG... Read more

Answer:Hacktool.rootkit Virus Hjt Log, Please Help!

First of all, you are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:
- CLICK HERE to download the HijackThis Installer:
- Save HJTInstall.exe to your desktop.
- Double-click on HJTInstall.exe to run the program.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- Accept the license agreement by clicking the "I Accept" button.
- Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
- Click "Save log" to save the log file and then the log will open in Notepad.
- Click on "Edit -> Select All" then click on "Edit -> Copy" to copy the entire contents of the log.
- Come back here to this thread and paste the log in your next reply.
- Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
- You may delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
- Close all applications and windows.
- Double-click on dss.exe to run it, and follow the prompts.
- When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
- Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the ex... Read more

1 more replies
Relevance 75.03%

After clean up with norton anti-virus, I still received the virus in the system as previous member had the same problem here the link to the post :

http://forums.techguy.org/malware-r...0146-solved-hacktool-rootkit-virus-moved.html

I think Flrman has solved the problem that previous member had and I ran into the same issue, please help to clean this virus out of my system. Here the attachment of the rootkitreavel scan, but I don't know which files to delete with killbox software.
 

More replies
Relevance 75.03%

Hey guys, my pc got infected by a virus called Hacktool.Rootkit. My norton detected it and deleted it continuously. All my virus definitions are updated, but I don't know why this trojan is still disturbing. The file in which the trojan was found is C:\windows\system32\wincap.sys. So, I deleted the file with Killbox. I deleted all autorun.inf files from each drive. Now, I have no problem, at least they are good now. But I cannot show my hidden files, they are not working. Can anybody help me? Below is the log file from HiJacKthis
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:07:31 AM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Sym... Read more

More replies
Relevance 75.03%

Logfile of HijackThis v1.99.1
Scan saved at 2:58:01 PM, on 1/13/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\ADVTOOLS\NPROTECT.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\LOGITECH\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SMCTRLW.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\WINDOWS\SYSTEM\WLANSTA.EXE
C:\WINDOWS\TPPALDR.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDNAGENT.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES... Read more

Answer:Hacktool.rootkit Virus

Hi,

Sorry for this delay. Post please a fresh hijackthis log if you still have problems.

1 more replies
Relevance 75.03%

I have a colleague who suspects that he is being hacked after discovering that he has a virus in his laptop. The name of the virus is Hacktool.Rootkit and it has disabled some applications too including, as he said, his anti virus software. My friend is facing problems now and is afraid that he does a lot of online purchasing using his credit card.

I have asked my friend not to connect to the internet for the time being while I ask for help from you good folks on this forum to give us direction on how we can fix this problem up.

Looking forward to your help and thanks in advance.

Answer:Virus: Hacktool.rootkit

Here are two Rootkit scanner/removers to try. Neither is for Vista.
Panda Anti-Rootkit
use the in depth scan, by checking the box. Requires a reboot. Also submit files when asked.
AVG Anti-Rootkit
Remove anything they find

2 more replies
Relevance 75.03%

I started getting redirected from search links. Then it also started to open new tabs and/or windows to other sites. My Windows Explorer keeps stopping and having to close and restart. It took a couple scans for my Norton 360 to find it but said it cleaned a hacktool rootkit virus, but the problems still persisted after reboot. I have gone through most of my processes and registry and have removed everything I found that shouldn't have been there and have run more scans with ccleaner, Microsoft Malicious Software remover, Norton, Spyware Doctor and they still don't find anything. And last night it started to play radio out of nowhere without opening any programs and I can't find it in the processes anywhere. I also couldn't run the RootRepeal because it would lock entire computer up and sometimes give me blue screen.

DDS (Ver_09-10-26.01) - NTFSx86
Run by Administrator at 12:04:55.98 on Fri 11/20/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2046.1133 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRest... Read more

Answer:Hacktool Rootkit virus

ok I opened CMD and waited for the music to start. here is a list of dll's that the process was running
Image Name PID Modules
========================= ======== ============================================
iexplore.exe 4228 ntdll.dll, kernel32.dll, ADVAPI32.dll,
RPCRT4.dll, USER32.dll, GDI32.dll,
msvcrt.dll, SHLWAPI.dll, SHELL32.dll,
ole32.dll, iertutil.dll, urlmon.dll,
OLEAUT32.dll, IMM32.DLL, MSCTF.dll,
LPK.DLL, USP10.dll, comctl32.dll,
comdlg32.dll, COMCTL32.dll, winmm.dll,
OLEACC.dll, WININET.dll, Normaliz.dll,
imagehlp.dll, mswsock.dll, WS2_32.dll,
NSI.dll, IEFRAME.dll, Secur32.dll,
NTMARTA.DLL, WLDAP32.dll, PSAPI.DLL,
SAMLIB.dll, VERSION.dll, wshtcpip.dll,
wship6.dll, NLAapi.dll, IPHLPAPI.DLL,
dhcpcsvc.DLL, DNSAPI.dll, WINNSI.DLL,
dhcpcsvc6.DLL, napinsp.dll, pnrpnsp.dll,
... Read more

34 more replies
Relevance 75.03%

Every time I start my laptop, I receive an auto-protect result with HACKTOOL ROOTKIT infecting my files and deleting them automatically. Each time I start up, different files are infected and deleted. I did a virus scan but the problem still can't be solved.

Why is this occurring and how do I fix this?

Answer:Hacktool Rootkit Virus

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/
Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html
--------------------------------------------------------------------------------
Post a Hijack This Log in the Hijack This Forum by following the directions in the link below if the programs above have not removed ALL malware. DO NOT post a log in this forum.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
How to Start Windows in Safe Mode:
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

2 more replies
Relevance 75.03%

I hope someone can help. My computer was recently infected by the virus hacktool.rootkit. Norton identified it and tried to quarantine it, and when I scan my computer, Norton does not see it. However, it pops up a few minutes later. Here is the hijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:47 PM, on 10/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\system32\dlbucoms.exe
C:\WINDOWS\sYSteM32\SvchOst.eXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\windows\freddy68.exe
C:\windows\pp12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleTool... Read more

Answer:Hacktool.rootkit virus

16 more replies
Relevance 75.03%

I know this is long, but bear with me...

I got a virus that attacked my pc today. It closed all windows and forced a shutdown. After shutting down, I cannot even get back to the desktop. It boots to the desktop, and the icons appear and disappear about 4 or 5 times, as if the pc is loading the start programs over and over again. Eventually my antivirus (symantec corporate) will detect the virus in the following folder
Device\Harddiskvolume1\windows\system32\Drivers\Beep.SY

From this point the system usually freezes and I have to push the restart button.

I have tried booting in every safe mode, and I get the same result. I have managed to run a few malware and antivirus programs, to no avail. I also tried repairing windows and have repeatedly gotten errors about files missing ( \i386\l.intl.nls )

The problem is, I know where the virus is, but cant stop it. I talked to microsoft and they said I have to do a parallel install and start again from scratch, which I am trying to avoid. I have tons of music and games amongst other files I would like to save, and do not want to have to transfer up to 80g of files through a parallel install.

Any advice is appreciated.

Programs I have ran:
Symantec Corporate Edition
AVG Antispyware
Regscrub XP

Answer:hacktool.rootkit virus NEED HELP!

We recommend that you read this article… "IMPORTANT - 5 Step Process: Read This Before Posting For Malware Removal Help"; follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the HiJackThis Log Help Forum.
(Simply, click on the coloured links to be re-directed.)

Please ensure that you create a new thread in the HiJackThis Log Help Forum; not back here in this one.

When carrying out The 5 Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed.
However, it is extremely important to make mention of the fact that you could not complete any of the steps in your post to The HJT Help Forum; where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

After your system has been verified as clean, if you are still experiencing those problems come back here and we will assist you further.

1 more replies
Relevance 75.03%

I'm running Windows XP with Symantec. When I run a full scan in regular or safe mode I get no immediate threats, but I keep receiving auto protect pop-ups of 'Hacktool Rootkit'. I found a similar thread that instructed using 'rootkit revealer'. I downloaded that and ran the scan. It finds 179 discrepancies, but when I try to save the results to post here, the entire program shuts down. It also won't allow me to copy and paste. Most of the descriptions say 'hidden from windows API'
 

Answer:Hacktool Rootkit Virus on XP

6 more replies
Relevance 75.03%

I have a virus from clicking on AIM, and it was quarantined according to Symantec. However every time I restart my computer I notice my firewall is disabled, and the virus is found again. I looked at a few security places and the virus comes up under different names... I have run AIM fix, spybot remover, and ad aware as well as my virus program...
can anyone help?
Thanks... also i have hjt so i can provide a log if requested
 

Answer:virus from AIM (hacktool.rootkit)

actually... jus restarted my computer again... nothin crazy happend... i guess aim fix worked... i take it back... thanks anyway
 

1 more replies
Relevance 75.03%

ok so heres my hijackthis log if anyone can help please.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:28 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PhanTim3\PhanTim3.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C... Read more

Answer:I have hacktool.rootkit virus

16 more replies
Relevance 75.03%

Hi,

I saw earlier a number of posts from Firman advising how to get rid of the Hacktool rootkit virus in XP.

I got this so and so the other day and Norton quarantined 14 infected files. However, it was on my laptop which hasn't got much stuff on it yet so to be really sure I wiped it clean and reloaded everything.

Will this have done the trick or could it still be lurking somewhere? If it came via e-mail would it have had to be contained within an attachment or can it just be within the main e-mail body?

Many thanks to anyone who can help.
 

More replies
Relevance 75.03%

Hi everyone, I've been getting notifications every few minutes from Symantec that a Hacktool.Rootkit threat has been found. These warnings say that the file was located here;
C:\WINDOWS\system32\drivers

and that Clean and Quarantine actions have failed but Delete has succeeded.

These warnings keep popping up and it's driving me crazy!
Can anyone advise me on this?

Thanks,
Franki

PS - just ran a Hijack This scan (coz that's what other people in this forum seem to be doing!) here's the log report -

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tp4serv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\IBM\Updater\jre\bin\javaw.exe
C:\Program Files\IBM\Messages By IBM\i... Read more

Answer:Hacktool.rootkit virus

Ok, just ran Rootkit Reveal - here's the results;

HKLM\SECURITY\Policy\Secrets\SAC* 20/02/2003 18:30 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 20/02/2003 18:30 0 bytes Key name contains embedded nulls (*)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Logs\04052009.Log 05/04/2009 00:28 1.38 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN24.tmp 04/04/2009 23:42 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN27.tmp 04/04/2009 23:49 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN2B.tmp 04/04/2009 23:54 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN2F.tmp 05/04/2009 00:01 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN36.tmp 05/04/2009 00:06 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN38.tmp 05/04/2009 00:13 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN3C.tmp 05/04/2009 00:18 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temp\BN40.tmp 05/04/2009 00:28 31.53 KB Hidden from Windows API.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1205RRDA\E... Read more

1 more replies
Relevance 75.03%

Hi, From 2 days my machine is very slow. When I scanned in Symantec Antivirus, it showed some files have been affected with hacktool.rootkit virus. But I am not sure how to solve this problem. Please help me with the same. Please find the trace below:


More replies
Relevance 74.21%

My computer has been infected with the Hacktool.Rootkit virus. Norton Anti-Virus has been deleting the same group of files (about 4 or 5 different ones, all with the .sys extension) over and over every 1 minute it seems. A few hours ago, the infection was severe with dozens upon dozens of messages popping up with various spam-style contents in them, making the computer inoperable. My computer is operable right now, but the threat seems to be still present. Here's the logfile:


Answer:infected with Hacktool.Rootkit virus

Hello, my name is fenzodahl512 and welcome to Bleeping Computer.. Please do the following....

Please download The Comedian.exe to your desktop
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you wi...

2 more replies
Relevance 74.21%

My colleague had plugged his external hard drive into my laptop and that's how it got infected. It got infected with the hacktool.rootkit virus and I'm going nuts deleting it... it keeps re-appearing.... Before formatting my laptop, I took a backup on my external hard disk. Then I formatted the laptop, and was about to put the data onto the laptop, then it appeared again. That means my external hard disk is affected too. I can't afford to lose the work data on my external drive and USB flash. Please help!!!!!!!!!!!!!!
 

More replies
Relevance 74.21%

I am new to these forums but they seem to be very helpful.

Every so often my Symantec Antivirus pops up saying that it's detected a virus. I did a manual scan of all my drives and found some infected files which were moved to quarantine and then I deleted them. Unfortunately it is still detecting new viruses so I'm guessing I haven't fixed it by deleting those files.

Any help you give would be greatly appreciated


Answer:Hacktool.Rootkit Virus popups

ck on links in google it opens up some other window
 

2 more replies
Relevance 74.21%

I have recently downloaded a keyboard macro program and got a crazy virus called HackTool.Rootkit virus.

Norton detected it then closed all programs and reopened them saying it is blocked and then in 2 seconds closing programs again because there was another attack and during that time I tried to run as many scans and do everything that I read on other forums to fix this but nothing worked.

Things that I did:

Disabled system restore
Scanned with Norton and after it found viruses rebooted
Went into safe mode (same thing happening, programs closing and opening)
Used regedit, services.msc and Task Manager to find files relating to the program as were given by instructions and haven't found anything.

I just ran HijackThis and haven't found anything that was directed to fix.

Please someone help.

HiJackT DDS Log:

Answer:Infected with HackTool.Rootkit Virus

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
If ComboFix asks you to install Recovery Console, please do so.. It will be in your best interest..
When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

2 more replies
Relevance 74.21%

Hi there, I am kind of new to this site and I hear that I might be able to find some help with my problem if I post here. The problem is I got a virus about a day ago and it's called Hacktool.rootkit. I have tried various methods to remove this, from antivirus and antimalware scans in regular mode and safe mode with different programs, but it has not been removed no matter how many scans I do. Also it seems that the virus has removed something called a Base Filtering Engine on my computer. And I can't activate my Windows Firewall and advanced security. What should I do? Also I'm not very good at computers so if whoever answers could be patient and give me a step by step process that'd be great. Also I'm currently using Windows 7 Home Premium if that makes a difference. Thanks in advance for your help and patience!

Answer:Need help removing a Hacktool.rootkit virus!

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At...

3 more replies
Relevance 73.39%

Windows XP- running Norton Anti-Virus.

Infected with hacktool.rootkit and possibly more.

Unable to install HJT. Saved to desktop, tried installing. Nothing. It's not even in my software to remove & try again.

Have been getting several different alerts from Norton. Mostly the hacktool.rootkit and Norton will say it's resolved. It's not. My computer seems to be sending out spam as I'm getting errors from Norton saying that A LOT of email has been refused. When I check my outbox, nothing that I didn't send is there.

Two suspicious files: c:\windows\system32\drivers\netsik.sys
& c:\windows\system32\drivers\systemntmi.sys

Just checked Norton AntiVirus history: it shows variations of this bn3c4.tmp accessed your network resources.
frontdeskuser.exe made 3 modifications to your System Configuration
qttask.exe modified your System Configuration.

HELP PLEASE?!

I'm in over my head and Norton, well you know what it does.

Many thanks,
Iva
 

Answer:Hacktool.Rootkit ??? Virus using my username.exe - Windows XP

I have tried several times to get HJT on but to no avail! I do however have malwarebytes. Could I use a log from that program instead?

Thanks- Still need help
Iva
 

1 more replies
Relevance 73.39%

Sorry to repost this but my last thread expired before I was able to get all the information that was needed. So here goes again.
______________________________________________________________
I am a NYC DOE teacher and recently turned on my computer to have a message from Symantec that I have a virus that is unable to be quarantined or deleted. The program keeps popping up and saying that it tried to quarantine it but that it failed.

It was called hacktool.rootkit and the file name is rd189E.tmp.

My computer also said that there was a self replicating Trojan that may cause the system to crash.

The virus made my system unstable such that I could not open any of my applications or an internet browser to try and find a solution. All that would happen is every few seconds everything on the screen except for the background would disappear for a second or two and then reappear.

I then restarted my computer in safe mode. I was able to restore it to several weeks earlier, which allowed me to have access to the system. I have backed up most of my files as well as run the logs required.


Is there a method to remove this virus? If not, is there a way to access some of the files on my computer? It has been a week or two since I have backed up my student's grade data and I could really use to get stuff off this computer.

Thanks so much
Bob



DDS (Ver_09-01-07.01) - NTFSx86
Run by ROBERT HARRITS at 13:00:20.14 on Fri 01/23/2009
Internet Explorer: 7.0.5730.13 Browser...

Answer:Hacktool.rootkit virus/self replicating trojan

Hello, Bob.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Pl...

19 more replies
Relevance 73.39%

I was infected with Hacktool.rootkit as detected by my Symantec Antivirus. It quarantined the file. Then when I tried to scan my disk, it hung. I restarted my computer and tried to run the scan again. It says static and wouldn't run. I tried TrendMicro online scan. It deleted this one file mplayer1799.mp4. So I tried to run my scan. Still no go.

I tried to open Hijackit. It wouldn't open. Restarted in Safe Mode. HJT still would not open. I went ahead and deleted a bunch of files from c:/WINDOWS that begin with mplayerxxxx.mp4 that were, as it appeared, downloaded around the same time I caught the virus. I realize I'm not supposed to delete any files but this was before I decided to seek help here.

I looked around in multiple forums. Came upon instructions to d/l sysclean.com from TrendMicro. It deleted two more files -- UnixSys08.sys and UnixSys32.Jmp. I restarted my computer. HJT and scan still don't work.

I tried ComboFix next. The first time when it was done, the log appeared but I lost all the icons on my desktop. Even the Start bar on the bottom disappeared. I had to restart my computer without saving the log.

Once my computer started up again. HJT worked. Scan is still dead. I've been able to solve my problems in the past checking out threads from this forum. I hope someone can help me now. THANKS!

Answer:hacktool rootkit killed anti-virus

Bump*
I just realized that i cannot adjust my clock. I would change the time but when I restart, it would go back to the hour before I change it. Might be a separate issue?

1 more replies
Relevance 73.39%

My girlfriend has a virus on her computer that Norton is detecting.... isn't detecting it in a scan, only doing a pop up of the virus claiming it cannot be removed.... I can't find it anywhere to get rid of it and read other forums all over the net for removal instructions and none of them are helping.... I had her run the trojan hunter... Norton a million times... and restart her computer and do a hijack... here is the log... can someone please help, it's driving me crazy, I can't find anything pertaining to this virus on her computer... I think I'm overlooking something... I've even tried to do a restore point which I know I made one a few weeks ago after I got rid of another type of virus she had and yea that isn't showing up, it's showing only a restore date of today....

Answer:Solved: hacktool.rootkit virus [moved from XP]

14 more replies
Relevance 73.39%

I am a NYC DOE teacher and recently turned on my computer to have a message from Symantec that I have a virus that is unable to be quarantined.

It was called hacktool.rootkit and the file name is rd189E.tmp.

My computer also said that there was a self replicating Trojan that may cause the system to crash.

The virus made my system unstable such that I could not open any of my applications or an internet browser to try and find a solution. All that would happen is every few seconds everything on the screen except for the background would disappear for a second or two and then reappear.

Is there a method to remove this virus? If not, is there a way to access some of the files on my computer? It has been a week or two since I have backed up my student's grade data and I could really use to get stuff off this computer.

Thanks so much
Bob

Answer:Hacktool.rootkit virus/self replicating trojan

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

If you're not receiving help elsewhere and still require assistance for this issue, please follow the process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

After running through all the steps, you shall have a proper set of logs. Please post/attach as instructed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your next reply.

------------------------------------------------------

Download the files to a USB drive on another computer and transfer the files to your desktop.

------------------------------------------------------

2 more replies
Relevance 73.39%

Help! hacktool.rootkit virus has infected the msdirectx.sys file and I can't quarantine it, and I'm not sure whether my system will still work if I delete the file. I have tried several restores from recovery points but this just gets so far then stops. I have installed Service Pack 2 since acquiring the virus and perhaps this is preventing system restore!! Any suggestions, as I'm getting very harassed!

Bev

Answer:hacktool. rootkit virus has infected ms directx

You can safely delete this file, as it is not an actual system file. You may have to go into safe mode for it to allow you to delete it, though. (Press F8 during bootup and select Safe Mode from the list.)

3 more replies
Relevance 73.39%

Your Help Will be Very Much Appreciated!!

It started around March 26, 2009. I started getting "attacked" by these pop-ups for different antivirus programs. (I have Norton 360.) I ran five system scans b/w 3/26/09 and 4/15/09. It kept detecting a Trojan virus. I called Norton and they stated that they are having issues with a malware/virus that changes the reg keys and that since I hit the "X" close button on IE I basically accepted the End Terms and let the virus in. (Basically kicking me when I'm already down.) Needless to say they are NO help.
For some reason today I'm not being attacked by pop-ups. (Which I suspect may be lying dormant.) I decided to run another full system scan & bam--Norton discovered HackTool.RootKit!! They quarantined it. I rebooted the system and ran another full system scan and it detected the same Hacktool.rootkit twice. So as a novice, I'm a little freaked out that both issues are still infecting my system.
I have been looking at several different forums and really felt safe and comfortable with you all, so I am hoping that someone can help me get these issues resolved and return some sanity back into my life!!

Here is a Copy of the Hijackthis! Log I ran minutes ago:

Answer:AntiVirus Pop Up Attack & Hacktool.rootkit virus

6 more replies
Relevance 73.39%

Hi,

I found this link on this forum which is very detailed regarding the Hacktool.Rootkit:
http://forums.techguy.org/malware-r...0146-solved-hacktool-rootkit-virus-moved.html
Currently my system (which has Norton Antivirus) is showing these signs of a rootkit and I am trying to fix it.
It had modified my desktop settings and I am not even able to view the 'Desktop' and 'Screen Savers' tabs on clicking the 'Properties' option from the menu displayed on right clicking anywhere on the desktop.
Need help in this regard.. I am currently running RootkitRevealer.exe and waiting for logs. Will post them here as soon as I get them. Had one doubt here..
In just couple of steps below (of the post in above url), it's mentioned to delete following 2 files using Killbox.exe:
1. C:\WINDOWS\SYSTEM32\clemfc42.exe
2. C:\WINDOWS\SYSTEM32\sesdmmoh.dll

Just want to know that I need to delete the same 2 files or will they differ based on what the rootkitrevealer logs are going to show?

Thanks for all the help,
Neeraj
 

Answer:Hacktool.RootKit virus problem.. Help needed!

Hi,

I am attaching the KasperKey logs and Active scan logs. Kindly help.

Thanks,
Neeraj
 

1 more replies
Relevance 73.39%

Hello there! I have been happily working away on this system for 4 years and have never had a problem. That all changed last Friday. I have a PC running Windows XP Professional loaded with SP2 and all the normal MS-update stuff. My anti-virus program is Symantec Norton Antivirus. I attached a coworker's flash drive and my system complained about an infection. I tried to delete it but it said it could not be deleted. I ran the usual gambit of Ad-Aware SE and Spybot. I updated and ran my Symantec which said it saw W32.Gammima.AG (associated with x.sys, e.sys, l.sys, wincab.sys) and Hacktool.Rootkit (associated with A0125783.com, A01258793.com, A01258707.com, 9v5a2.dll). When I then tried to delete them the program froze. It also would not reopen. So I restarted the computer and tried to update it and run it and delete what it came up with, all with the same results. I tried reloading in Safe Mode to delete them, but it never saw them in Safe Mode when I ran the virus check. This is a work computer for a lab with lots of data on it and programs which would be rather devastating to lose. Games are never ever played on this system. I disabled System Restore since a page recommended that for the Rootkit virus but that has not helped it get deleted. I have run Housecall anti-virus, Panda anti-virus, and Bit Defender. All these found stuff that they said they deleted but still the problems continue. If I try to directly open my C: drive or my back-up external hard ...

Answer:Virus (some Viruses?)--w32.gammima.ag And Hacktool.rootkit And Maybe Others?

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today. Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A HijackThis Log

Thanks,
Charles

2 more replies
Relevance 72.57%

Hi,

This is my first post in this forum. Let me introduce myself. I am Varun Tyagi and live in New Delhi, India. Yesterday, I was downloading something, and suddenly lots of pop-ups started coming up on my lappie screen. That was something weird, b'coz Norton was trying to send some kind of messages (approx. 50 odd msgs). And after that the Auto-Protect result came to the fore and displayed that my laptop is infected by the Hacktool.Rootkit virus. I googled it and found lots of ways to heave a sigh of relief but was unsuccessful. I tried MBAM, Unhackme, Spybot-Search and Destroy, SDFix and various other methods to get rid of them. I was able to delete lots of infections, but not the two sys files (ipsecndis.sys and ntndis.sys). I tried every possible way to delete these files but whenever I connect to the internet, these two files get life and they again come to infuriate me. I came to know through extensive research that the hacktool virus has created a backdoor kinda stuff in my lappie. I request you to help me out in this issue as I am really frustrated and feeling helpless.

Thanks a lot in anticipation.

P.S. I feel like writing a letter to my friend

Answer:Infected with Hacktool.Rootkit virus (ipsecndis.sys and ntndis.sys)

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues and what you have done to resolve it.

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom

2 more replies
Relevance 72.57%

My computer constantly resets my settings (i.e. desktop, makes me reconfigure programs as if they were just reinstalled), and also will randomly restart. I've tried Ewido, Norton, and Adaware; none pick it up. Norton told me:

C:\WINDOWS\SYSTEM32\msdirectx.sys
is infected with the Hacktool.Rootkit virus.
and then

C:\DOCUME~1\CAITLI~1\LOCALS~1\Temp\6arab3.html
is infected with the Trojan.Elitebar virus.
Unable to repair this file.

I followed someone else's instructions on how to get rid of this, yet the problem persists, and there is a strange file called !Submit which keeps reinstalling itself on my C:\ drive. It contains a number of files which I can't delete, namely miunst.exe, ladhide5.dll and Perflib_Perfdata_860.dat. Also, booaffic.dll, winsuBrm.dll, yrtsiger.bat, and addrbk.ni\

also, what is nwiz.exe?

Additionally, a new program called mIRA installed itself on my computer in the C:\Windows\System32 area, although I have never installed that. A friend said that it was a chat kind of program, but that it shouldn't be in that directory. When I tried to uninstall it, it told me that not all files could be deleted. Is it possible that this is the virus?

Please help!

Answer:Malware/Virus: Trojan.Elitebar and Hacktool.Rootkit

*Uninstall the following from Add/Remove Programs (if listed there):

Media Gateway
Viewpoint Manager
WildTangent
Please download LQfix.exe and save it to your desktop.

Double-Click LQfix.exe and click Next > Next > Install.
Leave the default settings, if you change them, the fix will Fail!
Now make sure the "Launch LQfix" box is checked.
Click the Finish button, after clicking the Finish button the fix will start.
Follow the on-screen prompts.
Your system will now reboot afterwards.
Please be patient after the reboot, there is a script running in the background that needs to complete.
Now do a scan with HiJackThis and post a new log.
 

3 more replies
Relevance 72.57%

Hi, I have a situation here where I can't seem to get internet access. A virus has pop-up under symantec called hacktool.rootkit. I tried deleting the hpdriver.sys file that the virus was supposedly attached, in safe mode. When I rebooted the machine..the virus came back up. Here is my Hijackthis Log:

Answer:No Internet Access due to a virus called hacktool.rootkit

Download http://www.bleepingcomputer.com/files/winpfind.php
Extract WinPFind.zip to your c:\ folder.
Reboot your computer into Safe Mode
Then open c:\WinPFind and double-click on WinPFind.exe. When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while. When it is done, it will show a log and tell you the scan is completed.
Reboot your computer back to normal mode and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.

1 more replies
Relevance 71.75%

Hi

I am running Windows 7. A few days ago, I started getting a blue screen as soon as I started my computer. It was a rootkit infection through the MBR. TDSSKiller detected it.

After that, I cured it using TDSSKiller, but my computer started showing "OS not found" on startup. I got a Win 7 installation disk and ran bootrec /fixmbr.

Since then the rootkit keeps coming back in a few hours and I have to repair it every time using bootrec /fixmbr, otherwise the blue screen starts coming up.

Is there a way I can permanently solve this?

Answer:Rootkit keeps coming back daily

Hello,
Yes, but we need a deeper look. Please go here: Preparation Guide, do steps 6 - 9.
Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

1 more replies
Relevance 71.75%

Hi,

My computer was recently infected with Malware Defense, which I removed using the following guide http://www.bleepingcomputer.com/virus-removal/remove-malware-defense. After following the steps, I was able to remove it, but my computer continued to behave strangely.

Specifically, my computer currently runs much slower than it did before, has sporadic issues connecting to the internet, and fails to startup the first time it reboots after Malwarebytes Anti-Malware removes "rootkit.tdss". I have now managed to remove "rootkit.tdss" at least 5 times now, but it keeps coming back.

Here is my HijackThis log:
"Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:47 PM, on 1/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoi... Read more

More replies
Relevance 71.75%

Yesterday I got a Rootkit warning. It said it was a Win 64: Evo-gen (Susp). I followed instructions, and ran a boot time scan. At around 60% complete it found 3 instances of a Win 32 (not the Win 64 like the warning said).
It gave me choices as to what to do. I chose repair all. The scan finished, and I got back on line. I started scanning with all my other protections, SAS, MAM etc. As I was doing this the warning showed up again. I ran another boot time scan. It came out clean. No files corrupted (or words to that effect). Got the warning again. Scan came up clean again.
I continued using my computer, and after a while I got the message again. Since the boot time scan had come up clean two times in a row I just Xed it out. It came up two or three more times, so I decided to shut my computer down for the night.
Today I got on line, and the warning showed up again. So I ran the boot time scan again. This time it found one instance of the Win32 (again, not the Win64 that I was warned about). This time instead of choosing repair, I chose fix all instantly. All that did was move it to the chest?? The scan finished, and I got back on line. After a while I got the warning again. I ran a boot time scan, and it came out clean. Was on the computer again, and got another warning. Xed it out.

What's going on, and how can I fix it?
As it stands now I'm kind of worried about using my computer. So I am going to write a couple of important e-mails and shut my computer down. I will ... Read more

Answer:Rootkit warning keeps coming back

You've been to this forum before so you should know the drill....

Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

67 more replies
Relevance 71.75%

OK, I'm new here and have a big question. I discovered I had a rootkit called a0zdz1mw.SYS.
It will change its name after I delete it and then restart. AVG keeps picking the file up, but with a different file name every time. I used a program called UnHackMe and it says that the file is an ATAPI IDE Miniport driver, and it says it is dangerous. I don't know what to do, as I had this same type of rootkit on my old desktop. I don't want to do a full system reinstallation, so I came here for help. If you need more information I will give it to you, but I don't know where to get the detailed report for the file as of right now.
 

Answer:Rootkit that keeps coming back after restarting and changes name

bump
 

1 more replies
Relevance 70.93%

I have a Windows 7 64bit laptop I am trying to clean. So far, I've run Malwarebytes, Spybot, CCleaner (temp files & registry) and Avira.

I am left with Avira constantly telling me I have a few infections left. It will delete the files, but they only come back after I reboot.
This is the supposed infected file that always shows up:
C:\Users\*username*\AppData\Local\rrsrlshm\axkevsqd.exe
There are also a few suspicious looking txt files (random filenames) in C:\Users\*username*\AppData\Local\ that get recreated if I delete them, as well as a startup entry for axkevsqd.exe.

Avira tells me this is a TR/Rogue.kdv.683151 infection.

Thinking this was a rootkit problem, I have also tried scanning with TDSSKiller (picks up nothing). RKill fails to complete. Removing suspicious entries with Hijackthis doesn't stick (they come back). ASWMbr says it's Win32.Malware-Gen infection.

My client would like me to try remove the virus rather than reformat if possible so I hope you guys can help me out

// DDS Logs to follow as instructed //
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Chris at 17:32:20 on 2012-07-30
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.4061.2901 [GMT 8:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Update... Read more

Answer:TR/Rogue.kdv.683151 - rootkit - keeps coming back

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/463070 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Relevance 70.93%

so i ran malwarebytes, and this thing keeps coming back

its lagging my vent and internet and god knows what else

please let me know what i need to do
 

Answer:rootkit.tdss.sys cant remove keeps coming back

Hello onegai5465,

Welcome to TSG.

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Note: Unless otherwise instructed always post the logs in the forum. If reports don't fit on one post, it might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine.
 

3 more replies
Relevance 70.93%

Recently infected with a trojan, malware bytes will find the file which is c:\Windows\System32\Drivers\wavry.sys as a rootkit.agent. I cannot figure out how to remove it. I tried malware bytes and it says it will remove on reboot, when it does, it comes right back. Please help me out. Here is a hjt log to help start things out.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:39 PM, on 10/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Novatel Wireless\Novaco... Read more

Answer:rootkit.agent Cannot remove, keeps coming back!

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more

3 more replies
Relevance 70.93%

Well, I need some help. It is my first time coming here, and thank you for any help you can provide. I appear to maybe have a rootkit or something that is generating Trojans. It appears to be coming from the Google Install folder in Program Files (x86). I scanned with Malwarebytes and it found a rootkit, and maybe removed it, but it might be back, as the same Trojans (they were all being blocked by Avira) are being generated. Malwarebytes said it was Rootkit.0access. Should I just delete the folder or would that not help at all?

Answer:Constant trojans and rootkit that might be coming back

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Up... Read more

9 more replies
Relevance 70.93%

I had Avast warn me 4 times that I had a Rootkit Hidden Process.
c:\\Windows\system32\drivers\ATWPKT2.SYS and another one too.

I did post yesterday morning on Tech Support Forum, but had no response, so I am posting here as well.

I tried to follow the 5 steps, but I ran into a problem.

First, I didn't scan with Panda because yesterday I scanned with Avast and today I had to do it again. It took over 1 1/4 hours, so I didn't do it again with Panda.

Then, on Step 5, after trying to run the DSS, I got the BSOD 2x while it was trying to create a restore point.

Since DSS didn't work, I downloaded the current HJT program and ran that. My log is posted below.

I am using XP Pro, with SP2. I had no problems ever with my computer, but this week I tried to upload onto YouTube, and then I had this problem. I won't do that again.

Thanks for understanding about the steps in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:49 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Progr... Read more

More replies
Relevance 70.11%

Greetings all, I'm hoping someone could help me with this little problem my brother has gotten himself into. A few days ago (I'm going to wager the 23rd of this month) my brother's laptop somehow got infected with a Rootkit. No clue how he got it; my brother is pretty careful about his internet browsing. Then again these things are designed to be very difficult to detect. I've noticed some other folks having similar problems so this must be a new threat possibly.

The main symptoms the computer displays are that it's exceedingly slow to do anything, IE start up, browse files and folders, browse the internet. It will commonly hang as if frozen from time to time as well. Trying to restart it or shut it down causes the system to lock up at the "system is shutting down" screen requiring a forced shutdown, and on the 23rd a new user called "HelpAssistant" was created. AVG found a bunch of stuff in this user's local settings/temp directory. I'm gonna assume those were what caused the initial infection. Disabling the account in Local users and groups and then restarting the computer just causes the folder to be recreated, but rather than just "HelpAssistant" it will use "Helpassistant.*random username*". The folder contains copies of important operating system files from the main account on the computer, making it hard to remove and causing it to take up 2-3 gigs of unneeded space. Deleting the folder nets the same result, it's just recreated at start up.... Read more

Answer:MBR rootkit detected, HelpAssistant user keeps coming back

Please ignore the above message I have solved the problem myself.

2 more replies
Relevance 70.11%

Seems like I am infected with some sort of malware, I've gone as far as I can alone, and I'm no expert with computers. Reformatted my system after initial crash, now still infected (or more likely reinfected), keeps making my system attempt to connect to 206.161.121.2,3,4,5 etc. My research so far yields this is not a new problem in the virusphere, though no one seems to be saying anything more about it other than that they have the infection. Start ups and restarts often very buggy and crash a significant number of times, though when running mbam it just restarts to remove it and it comes right back after restart. mbam has gotten it down to one trojan and its memory process each time, though they come right back. Any way I can be helped would be wonderful, thanks. Windows 7 OS. If I see any more crash logs, I'll try to catch the errors and add them in.

Answer:malware problem, rootkit? Trojan keeps coming back.

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

9 more replies
Relevance 70.11%

Malwarebytes keeps finding rootkit.tdss and says it removes it, but it keeps coming back. I have tried running malwarebytes, trend micro's housecall as well as CA antivirus. Need help please.

Running Windows XP service pack 3.

Answer:Rootkit.tdss Malwarebytes removes it but it keeps coming back

Hello and welcome. In order to remove this you will need to run HJT/DDS. Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log. Let me know if it went OK.

1 more replies
Relevance 69.7%

Hello,

A few days ago, I suddenly got spammed by some fake antivirus called "Antimalware". I suspected it was fake so proceeded to boot up my PC in safe mode and Google the solution. From there I've read in similar situations that I should download "Malwarebyte's Anti-malware". I updated it to version 1.42 and let it scan without any programs on safe mode. It found 35 or so infected viruses and deleted em. After this I rebooted my PC and everything was working fine again, except that I couldn't run checkdisk or defragmentation. When I rebooted my PC again, my PC kept crashing when trying to open simple things like 'My computer' or internet, but at least the spamming of AntiMalware was gone. I rebooted it again in safe mode, scanned again and it found 3 files. Each time I delete these (called: 2x trojan.FakeAlert and Rootkit.TDSS) they keep coming back when I reboot. I'm now typing this in safe mode as I can't open internet on normal mode.

Here's the log of my last scan (it's in Dutch so I hope you can read it - if not I can do it in English):

Malwarebytes' Anti-Malware 1.42
Database versie: 3392
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.11

19-12-2009 12:42:44
mbam-log-2009-12-19 (12-42-44).txt

Scan type: Volledige Scan (A:\|C:\|D:\|E:\|F:\|G:\|)
Objecten gescand: 261760
Verstreken tijd: 33 minute(s), 26 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 1
Registersl... Read more

Answer:Trojan.FakeAlert/Rootkit.TDSS viruses keep coming back

Rootkit.TDSS\\?\globalroot\systemroot\system32\H8SRThxvgjklylq.dll (Trojan.FakeAlert)

You are heavily infected with a very persistent rootkit.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. You will also be instructed to create a Root Repeal Log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.

Please be patient and good luck.

2 more replies
Relevance 69.7%

I have run several scanners (MalwareBytes, SAS, rkill, Sophos A/V and A/R, Rootkit Repeal, GMER, TDSS Killer, etc). Originally I found and removed some problems, mainly via MBAM. All scans come back clean now but I know something is on here because of some weird behavior. I can't install direct X, it fails with an error stating that the cabinet files are corrupt. Everytime I start IE it says that it is not the default browser. One of the scanners (I think CatchMe) came back saying that the C: drive was not present.

Other than that it is running well. I don't see any browser or search redirects. It doesn't seem to be bogged down. I ran system file checker and it just goes away eventually, I don't get a message that it did or did not repair any files.

There are some weird things in the GMER log, but I don't know what they mean. I included that below as ark.txt

Hopefully you guys can help.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Garrett at 15:49:09 on 2012-04-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.509 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple ... Read more

Answer:unknown rootkit/malware, scans keep coming back clean

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Everytime I start IE it says that it is not the default browser.
Go to Menu Tools > Internet Options > Programs tab.
Change the settings under "Default Browser"
===
Please download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not b... Read more

16 more replies
Relevance 68.88%

Referred from here: http://www.bleepingcomputer.com/forums/t/273580/please-help-vista-virus-cannot-seem-to-get-rid-of-it/ ~ OB

I have gotten rid of most of my annoying problems but this (trojan.win32.tdss.aalc (v)) keeps sporadically showing up in my Vipre scans. Also Vipre consistently stops (tdlclk.dss) from opening. Here are my DDS and RootRepeal logs.

Thank you very much in advance.

Answer:tdlclk.dll, trojan.win32.tdss.aalc, rootkit keeps coming back

I just ran a full system scan and this came up as well.

Trojan.Win32.generic!BT

23 more replies
Relevance 66.42%

Hi, I am new to this sort of forum and my computer has been running very slow, as of today. I found this site and I have read the 5 steps and I think I have done everything right, so here are my logs =]

Thank you in advance.

Here is my main log:

Deckard's System Scanner v20070729.57
Run by Nick on 2007-08-04 at 15:55:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2007-08-04 05:55:54 UTC - RP249 - Deckard's System Scanner Restore Point
38: 2007-08-03 14:33:23 UTC - RP248 - System Checkpoint
37: 2007-08-02 14:02:02 UTC - RP247 - System Checkpoint
36: 2007-08-01 13:19:14 UTC - RP246 - System Checkpoint
35: 2007-07-28 14:44:35 UTC - RP245 - System Checkpoint


-- First Restore Point --
1: 2007-06-26 17:09:07 UTC - RP211 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Nick.exe) ------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:57:52 PM, on 4/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\sy... Read more

Answer:New:Virus:Eicar.Mod, Hacktool:Hacktool/MSNpass.D, Virus:Trj/Downloader.MDW

bump.

15 more replies
Relevance 64.78%

I hope that this is in the right section but I am having a problem with my computer. I can constantly hear programs running in the background. I currently have two anti spyware/malware installed on my computer. One is SpyHunter and the other is CyberDefender. They both are picking up on some virus called Vundo and everytime I delete it, it just comes right back. It is so frustrating surfing the internet because it freezes or moves extra slowly. Figured I'd ask you guys before I take a hammer to it lol.

Thanks

Answer:Windows XP SP2 running slow, virus protection catches it but the virus keeps coming back

Hello, I am moving this to the Am I Infected forum from XP.

Please disable those apps while we do this.

Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the St... Read more

9 more replies
Relevance 64.37%

Hello, I've been battling with this fake AV for a while now and I just discovered that Windows Firewall is putting out this error code when I try to restore it, 0x80070424. I am using AVG 2012 as an anti-virus program and running Windows 7 Home Premium SP1 64-bit. If anyone can help me with this I would be forever grateful.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Cole at 12:53:54 on 2011-12-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6062.2980 [GMT -5:00]
.
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k Loc... Read more

Answer:Windows Firewall fails to start and this fake anti-virus virus keeps coming back!

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434544 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

9 more replies
Relevance 64.37%

I have used Rootkit Buster, Kaspersky Scan, TDSKILLER, Rootkit Unhooker, Malwarebytes, Hijackthis and pretty much any program you can think of.

I cannot get rid of this rootkit. Every time I restart, Symantec Endpoint Protection detects it.

The name of it in Endpoint is: Hacktool.Rootkit

The name in Kaspersky is: Rootkit.Win32.ZAccess.C

Answer:Hacktool.Rootkit/Rootkit.Win32.ZAccess.C

You have a serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

1 more replies
Relevance 63.96%

Hello,
I have a problem, which I've tried to fix several times but it keeps coming back.
This virus is located in the System32 folder, PC-cillin 2005 identified it as TROJ_ROOTKIN.N. I've gone
to safe mode, deleted it, returned to Windows and the virus reappeared, what's more it clogs up PC-cillin, so now under quarantine I have 100+ instances of this virus, and it's increasing.
The virus is labelled hpr34k8

I'm sure my Hijack Log is fairly clean... -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:27:53 PM, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin... Read more

Answer:Virus that keeps coming back and back and back, so on

bump, hopefully someone takes notice

19 more replies
Relevance 63.96%

I just wanted to know if I was clean or not..
 

Answer:virus kept coming back

No you are not clean yet. I need the C:\MGLogs.zip --> from running the C:\MGTools.exe.
 

11 more replies
Relevance 63.96%

Running Malwarebytes' Anti-Malware and I get the same results every day. I also get redirected when using Google. My Malwarebytes results are:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/11/2009 6:25:05 PM
mbam-log-2009-05-11 (18-25-05).txt

Scan type: Quick Scan
Objects scanned: 134478
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\roger.spiller\protect.dll (Worm.Autorun) ->... Read more

Answer:Virus Keeps coming back

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Relevance 63.96%

Hi

would like some help please, avg removes virus, but next day it is back

Regards
Derek

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24:19, on 02/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files... Read more

Answer:virus keeps on coming back

Hello ziggyzig

Welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay however we are all volunteers and it gets very busy around here. I will be assisting you from here on out.

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please perform the following:

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Com... Read more

9 more replies
Relevance 63.96%

So my computer got a virus from a game that I tried downloading. Avast! did a boot scan and got rid of it, but a day or two later, I got messages from Chrome that said I had a virus again, but of course those are usually scams. I did another scan, just to be safe, and Avast! found two items, got rid of them, and ran another boot scan, just to be safe.

Next day, I figured it had to be from Chrome because of the fact that I attempted to download the game from Chrome and was getting odd popups and such but IE wasn't doing that. So I deleted it. My friend suggested downloading Malwarebytes so I did that as well. It found two more Trojans and so did Avast! after a full system scan. Got rid of those as well and found they were gone afterwards.

I can't tell if my computer is infected again but earlier Malwarebytes apparently blocked a couple malicious websites, and since Avast! usually did that when the virus would come back, I ran another scan and found one thing, a YouTubeAdBlocker, I don't know if I wanted to get rid of that because an AdBlocker sounds like something I would want to keep and I heard that sometimes, Malwarebytes finds things that aren't really dangerous, but idk I am not an expert. I tried not to worry about it after that but I just want to be safe.

I am running two full system scans as we speak with Malwarebytes and Avast! to see if they will find anything that way since quick scans didn't find anything (except the AdBlocker again) and... Read more

Answer:Virus that keeps coming back?

Hi,
In order to help you, we need reports generated on your system. Please follow this topic and attach requested reports: http://malwaretips.com/threads/malware-removal-assistance-how-to-get-help.20334/
 

1 more replies
Relevance 63.96%

I'm not sure whether it's a virus, trojan, spyware etc but I have something running on processes which takes up around 180k memory. Every time I close the process it re-appears but as a different name... For example, as of now the process is called 'xsggsz.exe' but now I've closed it and it's re-appeared as 'vzdfme.exe'

I've used spysweeper, McAfee, Ad-Aware and system mechanic to try and get rid of it but it just won't budge.

I'd appreciate any help regarding this.

Thanks!
 

Answer:Virus That Keeps Coming Back!

go to http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm and click on "scan your pc"

Panda has the most up-to-date scanner I've seen

also if you do not have a firewall - you really need one.
I've used the free version of zonealarm for a number of years, and never had a problem, except a couple of times when I turned it off to access a site (that was real dumb)
 

1 more replies
Relevance 63.96%

Hello,

I am using a 64 bit version of Windows Vista. I have a virus on my computer that keeps coming back. Usually I am able to remove viruses on my computer using a combination of rkill, malwarebytes, and super anti spyware, but this specific virus keeps coming back, even after I clear it with malwarebytes. Also the virus won't let me update my malwarebytes software. I have tried to do a system restore, but every time I click on the icon, I am asked to select a program to open system restore with, and I am not sure which program to pick. On my desktop there is a suspicious icon named system restore. Any help would be greatly appreciated.
Thanks

Answer:Virus keeps coming back

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies
Relevance 63.96%

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program File... Read more

Answer:Virus keeps on coming back

Anyone?

4 more replies
Relevance 63.96%

Hello, a few weeks ago I had alerts from ThreatFire saying that "c:\2F2FE1D9C8463A4E6C7466B1CF9E03AD\MPSIGSTUB.EXE" was trying to modify another program, copy itself to multiple locations, I clicked ignore to these after looking it up, and finding out that mpsigstub.exe was related to windows malicious software remover. When I tried to look inside the folders, they renamed themselves. I started to panic when I found out that it's normally in the system32 folder, so my friend came round to help me delete it and remove the registry changes it had made. I know that was a virus, but I'm not sure about these: Not so long ago a very similar directory had been created again, this time with stub.exe in it. I deleted them, and ran an anti virus scan. C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report09186521\WER11A7.tmp.hdmp and C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report11188777 were infected and quarantined. stub.exe was also trying to modify other programs etc. Just today I found two more directories with similar names, such as 70d953ce1268e4d3b8, with eventlog.txt in them. I haven't got any warnings as far as I know, so I want to know if this is the same virus, or even if it's actually a virus at all, and I'm just being paranoid. Thanks in advance. PS. I also had a process called conime.exe, I looked it up, and it's to do with using an Asian language. Apparently, if this is running while you aren't using an Asian language... Read more

More replies
Relevance 63.96%

Hi all,

Looking for a little help here. I have removed a virus now with ESET and malwarebytes and it keeps coming back. See the log below.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Carrie Ann at 19:38:56 on 2012-04-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3963.1965 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agr64svc.exe ... Read more

Answer:Virus Keeps coming Back

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download aswMBR.exe to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start scan.
Wait until it says, 'Scan finished successfully'. ( Note - do not select any Fix at this time)
Click Save log, and save it to your desktop.
Click Exit.
Please post the contents of that log, aswMBR.txt, in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Download tdsskiller.exe and Save it to your Desktop.

Double-click tdsskiller.exe and click 'Run'

Click 'Change parameters' then under 'Additional options' tick both boxes > OK.

Click 'Start scan'.

If no infection is found, click 'Close' and let me know.

If an infection is found, select 'Skip' from the dropdown menu under 'Cure' then ... Read more

10 more replies
Relevance 63.96%

Hello,

I have been using Kaspersky and it has been finding this. Even after deleting it, it still seems to come back. Below are pictures which may help.






I didn't download AVG since I had those pics posted above. Hopefully this is okay. I appreciate very much in advance any help that may be given.

I am interested in knowing what in the world this thing is!

-MDB
 

Answer:Possible virus...keeps coming back!

Welcome to MG's!

Something didn't go right, let's run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Before running the above, you MUST shut down ALL antivirus and antispy programs you have running.
 

1 more replies
Relevance 63.96%

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Michael at 19:00:59.98 on Sun 09/06/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.765.240 [GMT -7:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\vds.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\ag... Read more

Answer:virus keeps coming back help!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies
Relevance 63.96%

It all started last week when my computer contracted Trojan.Nebuler. My copy of Norton couldn't get rid of it so I downloaded various so called fixes. In the end I had to manually delete the trojan following the instructions on Symantec's web site - but that was when the fun really began. All sorts of pop up software has been appearing e.g. SysProtect, Drivecleaner and adult sites. Plus the computer has slowed down to a crawl. I have scanned my machine using Norton and AVG and Trend Housecall. And although they find new viruses, and remove them, they keep on coming back. I also downloaded and installed a Registry cleaner - to see if this would speed the thing up a bit, hope I haven't deleted anything important (although it says I can recover the lines I have deleted). Can anyone help - here is the hjt log.


Logfile of HijackThis v1.99.1
Scan saved at 10:05:18, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program F... Read more

Answer:Virus keeps coming back!

16 more replies
Relevance 63.96%

http://www.bleepingcomputer.com/forums/topic433509.html/page__p__2516707__fromsearch__1#entry2516707

Answer:Virus keeps coming back

Please follow the guidance in post number 2 in that topic.

1 more replies
Relevance 63.96%

Hi,

Norton found the virus called Back door greybird.k on C:\windows\G_server_hook.dll. I logged on to the safe mode and deleted the G server. exe and dll file. But Norton keeps finding this virus. How can I clean the virus?

Thanks very much.

(Moderator edit: moved post to more appropriate forum. jgweed)

Answer:Virus coming back again and again

Symantec Security Response

I'd recommend submitting a hijackthis log here.

How to submit a hijackthis log
Download Hijackthis

Try running the following from safe mode (Getting to safe-mode)

Sysclean you'll also need the virus template file from here lpt***.zip
or
DrWeb CureIT

If you're good with the command line also try Sophos Command Line scanner

Also try installing and running A2 Free and Ewido

I'd also run Spybot and Adaware

If you're using Win2K/XP run adaware/spybot from "safe mode with command prompt"

At the C:\ prompt type the following:-

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

2 more replies
Relevance 63.96%

Hello, 2-3 weeks ago I got some viruses, I tried to delete them but they come back every time..
The viruses are in 3 drivers (D,E,C) and also I got another virus named Backdoor.Agent
By the way I use Windows XP
Can somebody help me?

Answer:ms-dos virus keeps coming back

Hey?

7 more replies
Relevance 63.96%

Logfile of HijackThis v1.99.1
Scan saved at 9:56:14 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\wsys.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
C:\WINDOWS\system32\vmss\vmss.exe
C:\WINDOWS\system32\ykyogu.exe
C:\WINDOWS\system32\lodbksuj.exe
C:\WINDOWS\system32\xmsiaybg.exe
C:\WINDOWS\system32... Read more

Answer:How do I get rid of my virus, cause it keeps coming back....

Now please download LSPFix from: LSP-Fix

Disconnect from the Internet and close all Internet Explorer windows. Run the program and check the "I know what I'm doing" button and place all listings of c:\windows\system32\aklsp.dll and c:\windows\system32\dolsp.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the Finish button. Then reboot.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Run Hijackthis again, click scan, and put a checkmark next to each of these. Then click the Fix button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tagteamgirls.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explo... Read more

1 more replies
Relevance 63.96%

I really need help. Whenever I scan with avast, it tells me there's a virus. I can't delete it because it's being used by another program. So I go into safe mode and try to remove it. A while after I delete it and get back into Windows, I scan again and it's back. It's always in the same place too:

C:\.....\Temporary Internet Files\Content.IE5\ZTNTM02A\movie[1]
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:08 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet ... Read more

Answer:Virus keeps coming back

Anyone?
 

1 more replies
Relevance 63.96%

Combofix just restarts my computer and won't run and nothing can find the virus but it's there. It started as a fake antivirus, then when I deleted it it created win 7 antivirus 2011. I think I got rid of that one too, but now every time I click any link it takes me to some random ad page instead. I've already done a system restore from days ago and even that didn't work, but it stopped my problem with running .exe's from the win antivirus.

Answer:Virus just keeps coming back!

Hello, having run ComboFix we need to see that and a DDS log. As you now see, ComboFix is not to be run like a common tool. It's why we post this above the malware forums.

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

Please go here.... Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.

Skip the GMER step and instead post the ComboFix log you posted earlier.

Let me know if that went well.

3 more replies
Relevance 63.96%

Hopefully I've included enough information and made this topic correctly...
 
Basically I had an issue where my microphone would mute itself, figured it was a virus, and ran malwarebytes. It found stuff, removed it, and everything worked fine... for about a few hours. A few hours later the same thing occurred, ran malwarebytes again and found the same thing: "dnsl64.exe" detected, along with other things that it appears to be downloading. No matter how many times I remove it it seems to come back, and googling dnsl64.exe popped up no results that I could find and then each scan (after a few hours) pops up a bunch of junk, even if I leave the computer idle. It also downloaded something that appeared to change my browser homepage to "search.snapdo.c*m" if that helps diagnose anything.
 
I've attached the MWB and FRST logs, hopefully they help diagnose what the problem is! Thank you in advance for any help, would really appreciate getting rid of this nasty thing.

More replies
Relevance 63.96%

hello

I have a virus Worm_RBOT.BCQ found on file C:\windows\system32\micront.exe

I have followed to the letter the removal instruction by Trend

I have deleted the file, deleted all Registry references to this file, deleted all temp files and Bin, all in safe mode.

The virus seems to have been deleted, but when I connect to the net, after a while, the virus is detected and all is back to square one.

Please Help!! How can I get rid of this Virus forever....

Thanx
Jadan
 

Answer:virus keeps coming back

10 more replies
Relevance 63.96%

Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search) which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or anti virus programs I have can stop the reinfections.

I have gone into safe mode, used CWShredder, CClean, Kill2Me, HSRemove and Stinger. Also RAVAntivirus online scan, Bitdefender online scan, AdAware SEplus and Norton Antivirus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used Hijack This to find and fix some other suspicious entries.

But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

Below is a recent Silent Runners report, followed by a HiJack This report:


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NBJ" = ""D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead So... Read more

Answer:Virus Keeps Coming Back

16 more replies
Relevance 63.96%

I have a Toshiba laptop that back in March I had a virus and went to a local PC store and had the virus removed. A few months later the virus came back and I had a friend remove that virus and all was well for about a week when the virus came back once again and was removed and seems to be removed right now. I am afraid this is going to happen again and want to know if you can check the HiJack This log here to tell me if there is something seen that I am not able to identify as a virus. I did use the self help scan tool but I don't really know what I am looking at. The scan is here http://www.computerhope.com/cgi-bin/process.pl?o=20192628.

I run McAfee AV on this laptop along with MalWareBytes and MS Windows Defender. I did updates and scans to each one of them 2 nights ago both in normal mode and in safe mode and none of them are returning any bad files, however, I am reluctant as this has happened three times now. I am wondering if there is a hidden rootkit file that the softwares are not picking.

I run the following system:

OS Name   Microsoft® Windows Vista™ Home Premium
Version   6.0.6002 Service Pack 2 Build 6002
Other OS Description    Not Available
OS Manufacturer   Microsoft Corporation
System Name   CHARLENE-PC
System Manufacturer   TOSHIBA
System Model   Satellite A305
System Type   X86-based PC
Processor  ... Read more

Answer:Virus Keeps Coming Back

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*************************************************************************

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispywa... Read more

12 more replies
Relevance 63.96%

My computer has been acting up and now a virus keeps appearing even though my virus scan deletes it when it appears. Now my desktop icons are changing and folders are missing. Please help. Thanks in advance to all who reply!

Logfile of HijackThis v1.99.1
Scan saved at 4:39:20 AM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exe
C: ... Read more

Answer:Virus keeps coming back

Hi noobie_comp_geek,

Sorry for keeping you waiting.

If you still need help, please answer these questions:

- What's the name of the virus?
- Where (in which file and/or folder) is the virus found?
Jan

1 more replies
Relevance 63.96%

There's a virus named wlzxha.exe in C:\WINDOWS\system32\ that keeps coming back after I delete it. The virus is "Downloader" according to Norton. It deletes fine (I've done it in safe mode) but it seems to come back after each restart.

I have already run a virus scan and spyware scan multiple times.
 

Answer:Virus keeps coming back

13 more replies
Relevance 63.96%

For the fourth time in the past few months, I have been experiencing strange pop-ups blocking my use of various programs. Twice, my IT dept. attempted removal of the virus, which looks like a virus warning from McAfee but will not allow removal or the use of the programs it is blocking. This time around it was blocking my use of Internet Explorer and Outlook.

A screen popped up and each time I tried to open the programs it would log a warning in the screen. The screen showed options for removing the items logged, however it would not respond to clicking any of the options and would only go away if I closed it out completely. If I did close it, as soon as I attempted to open those programs again, the warning would reappear. This is nearly identical to the last two or three times I have experienced this, with a couple weeks in between occurrences.

I rebooted several times and received a pop-up message from Windows saying "Windows has recovered from a serious error." The third time I rebooted, it actually allowed me to open these programs without the warning. The first two times it would not go away. This has happened a couple of times prior, where that message seemed to temporarily fix my issue.

Is this a real virus that is hidden in my computer? What can I do to remove it completely?

Answer:Virus that keeps coming back

Hello can you run an MBAm scan and post a log back .. Let's see what it may show.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

- Make sure you are connected to the Internet.
- Double-click on mbam-setup.exe to install the application.
- When the installation begins, follow the prompts and do not make any changes to default settings.
- When installation has finished, make sure you leave both of these checked:
  - Update Malwarebytes' Anti-Malware
  - Launch Malwarebytes' Anti-Malware
- Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

- If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
- If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

- Make sure the "Perform Quick Scan" option is selected.
- Then click on the Scan button.
- If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
- The scan will begin and "Scan in progress" will show at the top... Read more

7 more replies
Relevance 63.55%

EDIT: Moved to appropriate forum, Virus, Trojan, Spyware, and Malware Removal Logs ~~boopme

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:25:51 AM, on 10/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp... Read more

Answer:Browser redirecting virus///Virus keeps coming back//Thank You

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

- Download DDS by sUBs from one of the following links. Save it to your desktop.
  - DDS.scr
  - DDS.pif
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool. No input is needed, the scan is running.
- Notepad will open with the ... Read more

2 more replies
Relevance 63.14%

It keeps detecting these 4 rootkits:

Win32:Alureon-DJ[Trj]
Win32:Alureon-BR[Rkt]
Win32:Alureon-DJ[Trj]
Win32:Alureon-BR[Rkt]

What should I do?
 

Answer:Avast! Detects and removes "Alureon" Rootkit but it keeps coming back.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a different user account (if you have on... Read more

1 more replies
Relevance 63.14%

My norton antivirus software has picked up a virus called "Hacktool.Rootkit". It cannot delete it from my system. Has anyone come across this and are there any fixes available? I've included a hijackthis log if this is helpful.

Cheers...

Logfile of HijackThis v1.99.1
Scan saved at 9:37:48 PM, on 10/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program ... Read more

Answer:Re virus "hacktool.Rootkit"

please stick to the other thread from now on! Don't double post, this thread will be closed by a mod later!
 

2 more replies
Relevance 63.14%

Hello ... I got a norton anti-virus notification saying i have a virus named hacktool.rootkit and it says it cannot delete the file. I tried both doing it manually and in safe mode with networking and it says "its currently in use by another user or program" and i tried deleting this when NO programs were running.

My files are located in c/documents and settings/Administrator-All Users-BernieGrish(thats my folder i log into when i load up windows) and User Data.

I was allowed to delete all the files that were reported as the virus from Admin-All Users-User Data but could not delete the files from BernieGrish. The files are...
-ntuser.dat (Tried to delete it and it said) "Cannot delete ntuser: It is being used by another person or program. Close any programs that might be using the file and try again"
-NUTUSER.DAT.LOG (Tried to delete it and it said)"Cannot delete NTUSER.DAT: It is being used by another person or program. Close any programs that might be using the file and try again"
-msdirectx.sys When i click on the file to try to delete it norton automatically pops up saying "Norton AntiVirus has detected a virus on your computer"
-Object Name ... The path i told you before [email protected]/berniegrish\msdirectx
-Virus Name ... Hacktool.Rootkit
-Action Taken ... Unable to repair this file
I then proceed to click ok and it repeats the same message but this time for action taken it says... Access to the file was denied.
After I ... Read more

Answer:help with virus "hacktool.rootkit"

16 more replies
Relevance 63.14%

--------------------------------------------------------------------------------

My norton antivirus software has picked up a virus called "Hacktool.Rootkit". It cannot delete it from my system. Has anyone come across this and are there any fixes available? I've included a hijackthis log if this is helpful.

Cheers...

Logfile of HijackThis v1.99.1
Scan saved at 9:37:48 PM, on 10/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDO... Read more

Answer:help with virus "hacktool.rootkit"

8 more replies
Relevance 63.14%

Hey guys I have scanned with Malwarebytes, Superanti Spyware, and Hitman they all have said none except Malwarebytes and I know its right because my computer will randomly shut off some times.

Answer:Virus. keeps coming back.Winsvcs.exe

Hello please post that MBAM log. The log is automatically saved and can be viewed by clicking the Logs tab. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.

Is it Winsvcs.exe or winsvc.exe

Please Download TDSSkiller

- Launch it. Click on change parameters - Select TDLFS file system
- Click on "Scan".
- Please post the LOG report (log file should be in your C drive)
- Do not change the default options on scan results.

>>>>ADW Cleaner

- Please download AdwCleaner by Xplode onto your desktop.
- Close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Delete.
- Confirm each time with Ok.
- You will be prompted to restart your computer. A text file will open after the restart.
- Please post the contents of that logfile with your next reply.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.

>>>>>>ESET ONLINE

I'd like us to scan your machine with ESET OnlineScan

- Hold down Control and click on this link to open ESET OnlineScan in a new window.
- Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  - Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  - Double click on the icon on your desktop.
- Check "YES, I accept the Terms of Use."
- Click the Start button.
- Accept any security warnings fr... Read more

9 more replies
Relevance 63.14%

hi, i use windows xp and i recently encountered a virus. my antivirus software, avast!, called it Win32:Trojano-207 [Trj]. i tried to delete it but a few seconds later the warning message for the same virus popped back up. i tried to do a startup scan but that also didn't work. i used adaware and also spybot but nothing worked. can someone please help me here! thanks in advance!

Logfile of HijackThis v1.98.0
Scan saved at 12:34:15 AM, on 7/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

i really appreciate any help!
 

Answer:trojan virus keeps coming back!

7 more replies