Computer Support Forum

Solved: It Keeps Coming Back

Question: Solved: It Keeps Coming Back

Please help! I have some kind of virus that keeps popping up IE windows on loans, zipcodez, and other crap. I've run Combofix (latest version), ATF Cleaner, dss.exe, Smitfraud, Virtumundo, and several anti-virus programs. Kaspersky found several Win32.downloader viruses and another program found PurityScan, Win32.KillAV.dll, and something about Outerinfo. They deleted the alleged viruses, but when I reboot, it's back and the unwanted windows pop up. I've disabled System Restore and tried running several of the programs in Safe Mode and even went into msconfig to disable the startup items. I give up at this point!
Here is my latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:35:06 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\System32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\system32\ctfmon.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.netaddress.com/tpl/Door/Login?Domain=usa.net
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Watch for Browser Events - {42A7CE31-CEE7-4CCE-A060-A44A7E52E062} - C:\PROGRA~1\KEYBOA~1\kie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6996CC44-CA9F-4A11-9C55-0583E1169E0D} - C:\Program Files\Ahead\homepyceC:\windows\system32\usmvt3\gyreo83122.exe.dll (file missing)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll (file missing)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) -
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) -
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1405/ftp.coupons.com/v7/brix6ie.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} -
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} -
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KX-HCM10 Control) - http://66.149.60.199:8629/kxhcm10.ocx
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) -
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} -
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A609CB6E-FEB5-47C3-966C-1B916842BD01} (Nlopflash Class) - http://poker.milbestlight.com/poker/PokerCreations.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775F} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlabsli.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/sj/en/check/qdiagh.cab?326
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe

--
End of file - 10213 bytes

Answer: Solved: It Keeps Coming Back

Here is the Combofix log:
ComboFix 08-01-09.2 - Owner 2008-01-10 16:47:32.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.681 [GMT -6:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 16:54 . 2008-01-10 16:54 <DIR> d-------- C:\Temp\tn3
2008-01-10 12:00 . 2008-01-10 12:00 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 21:39 . 2008-01-10 16:53 932 --------- C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-09 16:34 . 2008-01-09 16:34 <DIR> d-------- C:\Deckard
2008-01-09 11:51 . 2008-01-10 16:54 7,037,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-09 11:51 . 2008-01-10 16:54 133,664 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-01-09 11:51 . 2008-01-10 16:53 95,300 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-09 11:51 . 2008-01-10 16:53 13,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-01-09 11:49 . 2008-01-09 11:49 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-09 11:49 . 2008-01-10 16:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-09 11:48 . 2008-01-09 11:48 <DIR> d-------- C:\KAV
2008-01-08 16:47 . 2008-01-09 06:23 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-01-08 12:34 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 18:33 . 2008-01-07 18:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-07 18:27 . 2008-01-09 22:31 <DIR> d-------- C:\Program Files\a-squared Free
2008-01-07 18:24 . 2008-01-08 12:58 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-07 18:22 . 2008-01-08 16:10 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-01-07 06:35 . 2008-01-07 06:35 <DIR> d-------- C:\Documents and Settings\Owner\DoctorWeb
2008-01-06 21:28 . 2008-01-09 17:38 1,242 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-06 16:20 . 2007-10-09 20:36 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\winz7
2008-01-06 16:04 . 2008-01-06 19:28 <DIR> d-------- C:\WINDOWS\system32\usmvt3
2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\oobe3
2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\comp2
2008-01-06 16:04 . 2008-01-06 16:04 <DIR> d-------- C:\WINDOWS\system32\cache3
2008-01-06 16:04 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\rushqayi.exe
2008-01-06 16:04 . 2007-12-11 13:14 151,552 --a------ C:\WINDOWS\system32\bkmoopob.exe
2008-01-06 16:04 . 2007-12-13 12:25 139,264 --a------ C:\WINDOWS\system32\mobjchku.exe
2008-01-06 16:04 . 2008-01-06 16:04 86,016 --a------ C:\WINDOWS\system32\drivers\viaidee.sys
2008-01-06 16:03 . 2008-01-09 16:33 <DIR> d-------- C:\WINDOWS\system32\ardCo01
2007-12-30 19:30 . 2004-11-02 09:04 57,806 --a------ C:\WINDOWS\system32\igfx.hlp
2007-12-14 17:01 . 2008-01-03 21:42 <DIR> d-------- C:\Program Files\ESPN
2007-12-13 18:40 . 2007-12-13 18:40 <DIR> d-------- C:\Program Files\AnVir Task Manager
2007-12-13 14:07 . 2007-12-13 14:07 3,856 --a------ C:\WINDOWS\crmtemp1.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 22:09 --------- d-----w C:\Program Files\Keyboard Express 3
2008-01-10 05:11 --------- d-----w C:\Program Files\Google
2008-01-10 02:33 --------- d-----w C:\Program Files\Common Files\Real
2008-01-08 02:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 02:24 --------- d-----w C:\Program Files\Coupons
2007-12-04 14:56 93,264 ----a-w C:\windows\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\windows\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\windows\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\windows\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\windows\system32\drivers\aavmker4.sys
2007-11-20 02:53 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\windows\system32\drivers\secdrv.sys
2007-10-11 23:09 164 ----a-w C:\install.dat
2005-09-10 22:26 155,808 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2003-03-27 05:50 0 ----a-w C:\Documents and Settings\Owner\psp.exe
2004-06-07 22:51 32 --sha-w C:\windows\{67E6958A-C0CD-4569-9BDE-8E8ACC4EBC3E}.dat
2004-06-07 22:51 32 --sha-w C:\windows\{935B295C-3F47-46F0-A059-535C738EB8A5}.dat
2004-06-07 22:53 32 --sha-w C:\windows\{A3358B5E-7578-4E1C-B97A-FE9B3A6D6B57}.dat
2004-06-07 22:55 32 --sha-w C:\windows\{E00CD1D6-4D17-494D-9898-8DD45E61631D}.dat
2004-06-07 22:51 32 --sha-w C:\windows\{E9BAEA32-77B9-42F1-BD34-CEB1C11B22FE}.dat
2004-06-07 22:51 32 --sha-w C:\windows\system32\{475A9358-FD46-40E1-A177-15F859636038}.dat
2004-06-07 22:55 32 --sha-w C:\windows\system32\{6869CE72-D209-41E4-8881-0DB331C276AD}.dat
2004-06-07 22:53 32 --sha-w C:\windows\system32\{6B5FBBC4-4162-498E-AF43-F27E329A0ECD}.dat
2004-06-07 22:51 32 --sha-w C:\windows\system32\{9FC94A9C-9D85-4960-A9EF-EBE237E64BFF}.dat
2004-06-07 22:51 32 --sha-w C:\windows\system32\{EE8DA68D-043C-4984-8F78-C52ABF1BD6BC}.dat
.

((((((((((((((((((((((((((((( [email protected]_12.54.43.90 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-31 14:00:00 163,328 ----a-w C:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-09 22:47:55 1,417,216 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-09 22:47:55 8,192 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-09 22:47:56 1,413,120 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-09 22:47:56 8,192 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-09 22:47:56 9,777,152 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-09 22:47:56 307,200 ----a-w C:\windows\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2006-08-17 12:28:27 721,920 ----a-w C:\windows\system32\dllcache\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\windows\system32\dllcache\lsasrv.dll
- 2006-04-20 12:18:35 360,576 ----a-w C:\windows\system32\dllcache\tcpip.sys
+ 2007-10-30 16:53:32 360,832 ----a-w C:\windows\system32\dllcache\tcpip.sys
+ 2008-01-09 17:51:56 194,320 ----a-w C:\windows\system32\drivers\klif.sys
- 2006-04-20 12:18:35 360,576 ----a-w C:\windows\system32\drivers\tcpip.sys
+ 2007-10-30 16:53:32 360,832 ----a-w C:\windows\system32\drivers\tcpip.sys
- 2006-08-17 12:28:27 721,920 ----a-w C:\windows\system32\lsasrv.dll
+ 2007-11-07 09:26:56 721,920 ----a-w C:\windows\system32\lsasrv.dll
- 2007-12-02 23:00:05 18,684,536 ----a-w C:\windows\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\windows\system32\MRT.exe
- 2006-01-09 15:36:06 40,960 ----a-w C:\windows\system32\swsc.exe
+ 2000-08-31 14:00:00 136,704 ----a-w C:\windows\system32\swsc.exe
- 2006-12-01 11:20:32 79,360 ----a-w C:\windows\system32\swxcacls.exe
+ 2000-08-31 14:00:00 212,480 ----a-w C:\windows\system32\swxcacls.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2006-01-07 05:29:48 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 401,491 2004-02-03 21:42:54 C:\Program Files\Microsoft ActiveSync\bak\WCESCOMM.EXE

----a-w 98,304 2005-07-28 01:28:32 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 160,568 2007-08-05 21:22:02 C:\Program Files\Siber Systems\AI RoboForm\bak\RoboTaskBarIcon.exe
----a-w 118,784 2007-11-07 12:04:57 C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe

----a-w 100,056 2006-07-30 14:50:38 C:\Program Files\SymNetDrv\bak\SNDMon.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 126,976 2004-11-02 14:59:42 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 155,648 2004-11-02 15:03:44 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 188,416 2002-12-10 00:19:20 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb07.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6996CC44-CA9F-4A11-9C55-0583E1169E0D}]
C:\Program Files\Ahead\homepyceC:\windows\system32\usmvt3\gyreo83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\windows\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe" [2007-11-19 14:40 231952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 12:11 233472]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^iksystray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iksystray.lnk
backup=C:\WINDOWS\pss\iksystray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Keyboard Express 3.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Keyboard Express 3.lnk
backup=C:\windows\pss\Keyboard Express 3.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WPN111 Smart Wizard.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR WPN111 Smart Wizard.lnk
backup=C:\windows\pss\NETGEAR WPN111 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\windows\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared]
C:\Program Files\a-squared Anti-Malware\a2guard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acme.PCHButton]
--a------ 2002-10-17 20:45 159744 C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\Alcxmntr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnVir Task Manager]
--a------ 2007-12-05 18:08 976896 C:\Program Files\AnVir Task Manager\AnVir.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 07:00 79224 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BROWSE~1]
C:\PROGRA~1\TEXTHE~1\BROWSE~1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-18 01:11 69632 c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 C:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDBitSet]
--------- 2002-05-29 13:49 200704 C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
--------- 2003-07-23 09:41 65536 C:\Program Files\HP DVD\Umbrella\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 15:22 3739648 C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hpppta]
--a------ 2000-12-05 12:02 86016 C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppta.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 18:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
--a------ 2005-02-02 15:44 61440 C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mozilla Quick Launch]
--a------ 2003-06-24 11:09 568096 C:\Program Files\Netscape\Netscape\Netscp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
--a------ 2006-01-06 23:29 69688 C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 10:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\system32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2002-10-01 01:39 548933 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2002-10-01 01:39 372736 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRINT DATA SENDER]
C:\Program Files\PRINT DATA SENDER\hpscschd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-13 23:42 212992 C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2007-11-07 06:04 118784 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 19:42 69632 c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
--a------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2007-02-13 12:29 35328 C:\Program Files\Winamp\Winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ERSvc"=2 (0x2)
"mnmsrvc"=3 (0x3)
"IntelliKeys USB Service"=2 (0x2)
"Fax"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"NProtectService"=2 (0x2)
"gusvc"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"MDM"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"a2free"=2 (0x2)

R1 viaidee;viaidee;C:\windows\system32\drivers\viaidee.sys [2008-01-06 16:04]
R3 usbprint;Microsoft USB PRINTER Class;C:\windows\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]
S2 IkFirm;IntelliKeys Firmware Download Driver (IkFirm.sys);C:\windows\system32\Drivers\IkFirm.sys [2003-07-11 11:43]
S3 ATHFMWDL;NETGEAR WPN111 Bootloader driver;C:\windows\system32\Drivers\athwpn.sys [2004-10-14 17:24]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\windows\system32\DNINDIS5.SYS [2003-07-24 11:10]
S3 GVCplDrv;GVCplDrv;C:\windows\system32\drivers\GVCplDrv.sys [2004-05-02 02:47]
S3 P2150FXP;Polaroid USB Filter Driver (FILTER);C:\windows\system32\DRIVERS\P2150FXP.SYS [2002-07-30 04:23]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\windows\system32\DRIVERS\WPN111.sys [2005-01-07 09:07]
S4 IntelliKeys USB Service;IntelliKeys USB Service;C:\ITOOLS\INTELL~2\private\ikusbsvc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.
Contents of the 'Scheduled Tasks' folder
"2008-01-10 22:57:00 C:\windows\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 16:54:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\windows\TEMP

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-01-10 16:57:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 22:57:46
ComboFix2.txt 2008-01-09 23:08:34
ComboFix3.txt 2008-01-09 22:59:38
ComboFix4.txt 2008-01-08 22:56:29
ComboFix5.txt 2008-01-08 22:44:16
.
2008-01-09 12:15:10 --- E O F ---
The URLs of the unwanted windows are zedo.com and popunder.paypopup.com


My computer was fine until it got infected with Spyware =[ ... it started when I stupidly decided to install an Active X to watch an online movie, and now the System Alert keeps on popping up and says that there is active spyware and I should download an up to date antispyware ... It's driving me crazy, I've been trying to scan my comp so many times, with spybot, adaware and Avast .... I followed some guide that people posted for help on this forum, but the weird thing is, when I restart my comp, the shield (or system alert) doesn't show up anymore, but the next day, it appears again =[ ... I dunno what to do ... I tried rescanning my comp and rebooting it again and it doesn't show up anymore, I dunno if this is good or bad. What should I do if it appears again ??

Oh, and i use a Window Xp 2000

thank you so much for helping mee ..
 

Answer:Solved: it keeps on coming back


Keep getting repetitive detections of adware.quadrogram files. I have tried many programs to remove it, but they cannot get all of it out and it replicates. Have worked on this for two days - can someone help me please.
lharrell1

Logfile of HijackThis v1.97.7
Scan saved at 10:29:56 AM, on 4/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXE
C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Minuteman\SentryII\SentryII.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\DATAVA~1\VVAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\docume...

Answer:[Solved] help - it keeps coming back


Ok below is my HJT Log, I have been trying to remove this thing for some time and it keeps coming back. Any help you could give me would just make my day. Thanks in advance.


Logfile of HijackThis v1.97.7
Scan saved at 3:11:55 AM, on 7/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Temp\Hi\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\Terry\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\Terry\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\Terry\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsof...

Answer:[Solved] CWS Keeps Coming Back Please Help (HJT Log)


When I run CW-Shredder, it finds something called CWS.Searchx. It removes it, but it always seems to come back. Does anybody know any way to remove it permanently? It keeps changing my IE homepage to about:blank and sending me to a strange search page. I went to www.merijn.org and it says that to remove CWS.searchx, it involves registry editing.

This is my Hijack this log:

Logfile of HijackThis v1.97.7
Scan saved at 09:56:03, on 26/06/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\Tablet.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\Explorer.EXE
C:\WINNT\soundman.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Magic Keyboard\MagicKey.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Magic Keyboard\OSD.EXE
C:\WINNT\system32\monitorbk.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.ex...

Answer:[Solved]CWS.searchx - Keeps coming back!!!


I am not getting rid of spyware. I scanned in safe mode with adware, Spybot and Spyware Doctor and McAfee and they deleted the spyware, but after say 30 mins browsing the spyware comes back. I am not able to locate any trojans yet.

This is my HijackThis log file. Can someone explain to me what is happening?
Thanks in advance
Vince
Malta

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:08:36 PM, on 8/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\TVR\RecSche.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\DAEMON Tools Lite\...


My Norton finds and squashes them (so it says) but they keep showing up when I reboot. Also, when I'm on a busy network I get dozens of requests for "Block Always" or "Allow Always" on various friendly-looking IPs/Ports. Please help. I'm tired of playing Whack-A-Mole with these things. HJT follows:

Logfile of HijackThis v1.99.1
Scan saved at 7:29:34 AM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
...

Answer:Solved: Gremlins Keep Coming Back


Hi, I have Symantec antivirus and it detected virtumonde and quarantined it, but it just keeps coming back when I reboot the computer. My computer is much slower than usual and I'm going crazy trying to get rid of it. Here's my HJ log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:06:27, on 2007-09-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
F:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Symantec AntiVirus\DefWatch.exe
F:\Program Files\Alias\Maya6.5\docs\wrapper.exe
F:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
F:\Program Files\Alias\Maya6.5\docs\jre\bin\java.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Symantec AntiVirus\Rtvscan.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\DeltTray.exe
F:\Program Files\Motherboard Monitor 5\MBM5.EXE
F:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
F:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
F:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
F:\PROGRA~1\SYMANT~1\VPTray.exe
F:\Pro...

Answer:Solved: virtumonde keeps coming back


hi there,

i'm trying to find out why the heck my taskmanager won't open (even clicking on tskmngr.exe doesn't do anything). found a couple of trojans on my computer when i ran a scan with avast. oops! i think i deleted them, but i can't be sure. hijackthis showed this ridiculous "msupdate", which is said to be dangerous, or is it? i don't know. i think it's best if i post my log file. please help me clean my computer, i'll be eternally grateful for all your help and advice thanks

Logfile of HijackThis v1.99.0
Scan saved at 21:28:32, on 13.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Programme\Alwil Software\Avast4\aswUpdSv.exe
E:\Programme\Alwil Software\Avast4\ashServ.exe
D:\NORTON~2\GHOSTS~2.EXE
D:\Daemon-Tools\daemon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QuickTime\2\qttask.exe
D:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\MsUpdate\MsUpdate.exe
C:\WINDOWS\System32\scvhost.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programme\Web\Webshots\webshots.scr
E:\Programme\Alwil Software\Avast4\ashW...

Answer:Solved: Trojan keeps coming back


Neither Norton IS nor SuperAntiSpyware is catching it. What program do I need to find it and remove it once and for all? Booting up computer gives me "RUNDLL...error loading c:Windows\system32\gzmrotate.dll The specified module could not be found."
 

Answer:Solved: gzmrotate.dll keeps coming back

* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 


When I uninstall programs like CashBuddy and Bull's Eye Network, or OIN, they keep coming back. Is there any way for me to keep the programs from coming back?
 

Answer:Solved: Programs keep coming back!!!


Currently I am the sole owner of the only working computer among the small group of friends I live with. I allow them to use it, of course, I'm no computer nazi, but one of them must have tried to download something from some shady website because I've been getting a lot of Virus Alerts from Symantec AntiVirus telling me about Trojans and Adware and Keyloggers that keep coming back every time I delete them.

When i ran Spybot S&D it would automatically abort the scan itself telling me it was a user action. When i run the computer in safe mode, Symantec AV doesn't exist on my list of available programs.

So basically I'm at a loss. I'm not very well educated on the inner working of computers and I don't want to muck around myself if i'm not sure what i'm doing, so any help purging my system of these threats would be hugely appreciated, I use this computer for almost everything and I'd hate to lose it to viruses.

Thanks in advance for any help!
 

Answer:Solved: several Trojans keep coming back


I have this one thread that shows up in HiJack This every time I run it. I fix it as recommended but it keeps coming back. This is the thread:

04 - HKLM\..\Run: [TkBellExe\ "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

How can I make it permanently go away if I need to at all?
 

Answer:Solved: fix in HiJack This but keep coming back

Don't worry about it - it is not harmful

Try unchecking in START RUN MSCONFIG
 


I started with the [email protected] think i got rid of that from some of the posts on here.... but now have Win32.P2P-Worm.Alcan.a and starware on the machine maybe the picrate is still there as well, can any of ya'll smarter than me people advise.... would love a little tech help,.....PLEASE.....

Thanks For Any Help Rendered
In Advance
con0627
 

Answer:Solved: trojans keep coming back, Help Please


dvk01 kindly helped me kill vundo not long ago. At his recommendation, I now use CleanUp, SpywareBlaster, AdAware and Spybot along with my Norton AV, and run a Panda ActiveScan fairly often. Winfixer pop-up appears on a regular basis (beginning about two weeks before vundo, and continues to--never saw it before that). Every time I run ActiveScan, awtsp.dll shows up--EVERY time. Did enough looking around to see winfixer and awtsp showing up together on many message board requests for help (?) but that's all I know. Nothing else I run is showing any signs of a virus or vundo repeat, but can someone explain why awtsp.dll keeps coming back, and how do I stop the winfixer pop-ups? Obviously my regular pop-up blocker does nothing to stop it (I get almost no other pop-ups but winfixer!). Am I right in thinking these two are connected somehow or is it just coincidence? Whatever it is seems to slow my computer down--not lots, but enough to be noticeable, and CleanUp seems to bring it right back to normal speed. What can I do other than keep wiping out awtsp.dll every time it re-appears? Thanks in advance for any advice!
 

Answer:Solved: awtsp.dll keeps coming back!


Hi,

Our Windows 2000 AD server has been infected with a malware that has taken over the browser and the desktop.

We tried a few simple things like deleting the WebSiteViewer folder, the 124233.exe file, temporary internet files, etc., but it keeps on coming back.
We also ran Ad-Aware and Spy-bot and always chose to get rid of everything.
Symantec Antivirus doesn't see anything wrong.
I went to Trendmicro.com and ran the scan. It found 5 troj* files and when I chose to delete them, this WebSiteViewer took over and started doing very unpleasant things.

So, I've seen that other people with similar problems run HijackThis and post the log here, so this is what I'm doing, hoping to get this problem solved.

Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 3:36:24 PM, on 11/30/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
D:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\CA\SharedComponents\C...

Answer:Solved: WebSiteViewer keeps on coming back


Got the cool web search malware aka about:blank.
Got all latest versions and all windowsXP updates etc.

Tried CW Shredder - doesn't find it
Spybot sometimes finds it, clears it, but it comes back
Ad-Aware finds it, says it has cleared it, but the files remain.
Hijack this finds the one XXX.dll in windows/system32 and the registry entries.

I can manually remove the system32 .dll and repair all the registry entries, but after reboot, EVERYTIME I run Internet Explorer, about:blank reappears and a different .dll appears in windows/system32.

Have tried the hidden dll in HKLM...AppInit_DLL entry - but there is no data there.

I am obviously not finding the root infection. Any ideas PLEASE!!!!

I am getting VERY VERY frustrated!!!

Thanks
 

Answer:[Solved] About:Blank - keeps coming back!!


Hey all. Got a machine on my bench right now that's a bit baffling. It's running XPHE but appears that no service pack updates were ever installed. I'm going to see if it will see the network (sometimes yes and sometimes no...) and download all of the updates. But what's happening is, that when running MSCONFIG, despite removing the check marks from everything in the startup window, on each re-boot a new entry appears and is checked. The last two were ropula.exe and rbfkof.exe, both in the sys32 directory. Hopefully, downloading all updates will fix this, but is anyone familiar with these file names? Google finds no matches. Thanks!
rtg
 

Answer:Solved: .exe's keep coming back to startup


Hi, Southernpepper here. I am new to this forum, and so extremely happy to have found you. Thanks in advance for whatever help you can provide.

It begins--- Several friends and family members (all without pc access at the moment) come over to use our computer, which has left us with trojans, malware, etc., that keeps coming back. This has been going on for about 5 days. I don't know if that is a long time to have viruses, but it certainly hinders my work.

So far- I have used Ad-Aware and AVG (runs daily) to fix the problems, but they come back. I have also tried to clean up/out temporary internet files and whatever else looked like it could be a problem. Did I do more harm?

At the moment- I found your site this morning and took the recommended step of using hijack this. Below I am listing that file as well as my pc info. Please tell me what, if anything, can be done by me to solve this problem. You should know that my knowledge of technical issues is likely more inferior to most of the people you help. Looking at the info from hijack this looks like an alien language, so please understand if I am confused by your explanation and need to ask more questions.

Thanks!
Southerpepper
The computer -
OS Name Microsoft Windows XP Home Edition
Version 5.1.2600 Service Pack 2 Build 2600
OS Manufacturer Microsoft Corporation
System Manufacturer Gateway
System Model W3107
System Type X86-based PC
Processor x86 Family 15 Model 44 Stepping 2 AuthenticAMD ~1808 Mhz
BIOS Versio...

Answer:Solved: Problems keep coming back!


Hi, I've noticed for a while that every time I scan my computer with AVG Anti Spyware, a threat called Trojan.Delf.Ndu appears. No matter how many times I delete it, it keeps showing up at the same place. C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

Once I delete it, it deletes my firefox.exe so I have to reinstall Firefox over and over again, but it keeps coming back to the same place. Also, when I scan with Trend Micro it tells me new threats have been detected and to please scan again after I scan my computer. I was letting this go until a few minutes ago when I plugged my flash drive in and a blue screen showed up! Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:38:50 AM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\...

Answer:Solved: Trojan Keeps Coming Back!


Hi,

I have an annoying little problem! Somehow, at some point a dial-up connection called "Yacal" seems to have got installed on my computer without my knowledge (probably attached itself to some download and I didn't read the small print carefully enough!). Anyway, this annoying dial-up keeps trying to connect to the Internet, when I actually have broadband. I have tried deleting the connection, but the next time I reboot the computer it is back again. I tried changing the setting to "Never dial a connection" but after rebooting it always comes back as "Dial whenever a connection is not present" (but in fact it immediately tries to connect even though there is a permanent connection to the broadband!)

I have also tried removing any reference to it from registry, but that just comes back again after reboot;

This has been driving me mad as I just can't get rid of it. Then this morning I remembered something about Windows having a system whereby it automatically reinstalls some programs and have decided that it is probably something to do with this. The problem is it was such a long time ago that I came across this before I can't remember exactly how it works or how to access it to see if this is the problem. So I would be very grateful for any suggestions. Thanks,

Regards,

Colin.

Answer:[SOLVED] Dial-up keeps coming back!

Hi Colin. . .

See if SysInternals AutoRuns can help. You can use it to disable/ remove the startup app that is reinstalling the offending app - or both.

Download AutoRuns from Microsoft TechNet and SAVE it to your desktop. Then RIGHT-click on the AutoRuns icon, select "Run as Administrator". Allow it to scan the registry (status bottom-left of screen), then go through the tabs and un-check the boxes as you come upon the app.

Back up the registry 1st using System Restore. Create a restore point so if anything gets unchecked that shouldn't, you can return to the beginning.

AutoRuns.exe - http://live.sysinternals.com/autoruns.exe

AutoRuns.chm (help) - http://live.sysinternals.com/autoruns.chm

Regards. . .

jcgriff2

.


I have been reading posts on here for two days and have seen that everyone needed to run these....HiJackThis, Vundofix, and Combofix. I tried running the Super Antispyware but it says that it cannot be verified and will not let me run it. I ran these and have the logs and would greatly appreciate it if someone could tell me what to delete off the logs. I ran the Vundofix yesterday and had some files that needed to be removed and it did. I didn't have a problem with McAfee security warnings all evening. So I get on the computer this morning and McAfee said I had Vundo again. I believe I understood this correctly when it says only one problem per new thread. If not I apologize as I know there are a bunch of Vundo threads going on. Thanks for your help!!!
Logfile of HijackThis v1.99.1
Scan saved at 8:42:14 AM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd....

Answer:Solved: Vundo.dll keeps coming back


hello.

After clicking too fast through some sites and accidentally downloading one of those fake Anti-spyware programs, my computer became heavily infected.
I followed the advice on this site and others (thank you).. and I thought I got rid of it, however it continues to come back.
I now have numerous helpful programs to find and eliminate the junk (AVG, PREVX, SUPERAntispyware, SPYBOT, ETC), but when we check 12 hours later our system is covered again
please help!

enclosed is the log from HIJACK THIS and the SUPERantispyware. I have a trendmicro housecall scan currently going, but that is not finished yet. note: many of the trojans listed i know about and can quarantine/move to vault/delete. the problem is that they all keep coming back!

Thank you for any assistance you can offer ...

=============HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:46 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Network Associ...

Answer:Solved: GRR.. trojans keep coming back! Please help!


Hello All,

One of the guys in the office here had a toolbar exploit/hijack that we had a heck of a time getting rid of.

It was the TBPS.exe and PIB.exe toolbar exploit. We killed this but some DSO exploit registry entries keep coming back.

What else do we need to delete or kill these registry entries or are they harmless?

They are HKey Users\Microsoft\Windows\Current Version\Internet Settings\Zone\0\1004!=W-3

Thank you in advance for any information pertaining to this problem we are having.

AJ
 

Answer:Solved: Help Please... Exploits keep coming back.

DSO exploit is a bug in Spybot.
 


Hi gang! Many thanks for all the informative stuff I've been reading here on the forums. I've been sweeping out my system every now and again running HJT. I run the results through several sites and keep 'fixing' a line that seems to keep coming back.

O23 - Service: WUSB54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv4.exe (file missing)

I'm not the only person who has this bugger show up on their HJT logs, as I've seen it on many a post. Can anyone tell me what is going on with this file and why it never seems to be there? I've 'fixed', uninstalled and reinstalled my Linksys software too many times to count, but it always seems to come back 'missing'.

Thanks in advance!

Here's the whole shabang:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:10 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Pr...

Answer:Solved: missing file in HJT log keeps coming back!

This is a known bug in the current version of HijackThis and is of no concern. The file is not actually missing, even though it's indicated that way in the log.

The only entries that show missing files that are actually missing are the O2's and O3's (BHO's and Toolbars). Any other entries, if you know they are valid, should be left alone.
 

3 more replies
Relevance 59.86%

Hi - my daughter handed over her 'blue-screen-of-death' computer to me and I got it back to the present state. She has some spyware/malware that keeps re-appearing after I run McAfee virus scans and Adaware. Can you help?

Tks a bunch!

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:06 PM, on 8/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\bdaecsc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\QuickTime\qttask.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\explore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctf... Read more

Answer:Solved: Spyware, Malware keeps coming back

16 more replies
Relevance 59.86%

I have the little shield emblem in the toolbar that tries to direct me to pcspyremover.com

Ad-Aware SE finds lots of nasties that keep coming back...

CWShredder doesn't find anything

CCleaner removes Uninstall keys (HSA, SE, SW)

Spybot S&D finds stuff like Hotsearchbar, CoolWWWSearch.aff.Winshow, Startpage-EH, and URLSearchHook.Altpz...

Norton Antivirus doesn't find anything...

BHODemon 2.0 is running...

AboutBuster removed several things but they keep coming back...

Here's a HijackThis log from this morning:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:11 AM, on 5/20/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\d3lu.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\system32\netfq32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Progr... Read more

Answer:Solved: Spyware, etc. keeps coming back... rogue dll?

8 more replies
Relevance 59.86%

Need help, tried everything I could. ad-ware (will find when it stops my task manager from opening up), spybot (finds both kernels8 and smitfraud-c and fixes them), and sometimes when my zonealarm stops a program (name sometimes changes but now it's ~E05090A0.tmp and ~DF9144.tmp will show up in temp folder) I go to the systems32 folder and delete the kernels8.exe file. After I delete the file I run everything, ad-ware, spybot, McAfee, and even downloaded prevx1 yesterday and ran that, AND ALL COMES UP OK, BUT the next day (today) when I start the computer back up it shows up again, not right away, but when that tmp file gets stopped by zonealarm I look and there it is, kernels8.exe, and I delete it again, and this time ad-ware didn't unlock my task manager so I had to boot to safe mode and do it there with ad-ware.
It looks like it's getting better, so I need some help before I can't use this computer. All the programs (ad-ware se, spybot, McAfee, prevx1) can't find anything after I get rid of it, but I think it will be back again tomorrow.
thanks
 

Answer:Solved: kernels8.exe smitfraud-c keep coming back every day

9 more replies
Relevance 59.86%

Yikes,

I couldn't get rid of the "AlwaysUpdatedNews.com" Browser enhancer malware the conventional way through spy adware removal...so genius that I am , I searched files and folders in C:drive for the specific date the "enhancer" took over and deleted every file that was CREATED on that specific date, Not Modified or so I thought....Now "Windows cannot find the file %SystemRoot%\media\chord.wav" along with other .wav files.....UGh
Can you get me my sounds back and deal with malware along the way.

HEEelp.
Thank you.
Veri.

" I know ask a simple favor like Kill superman and you won't do it "
 

Answer:Solved: Booked Space keeps coming back.

12 more replies
Relevance 59.86%

Please help, have been trying to kill off these downloading agents with trendmicro etc. but they kept coming back. I have successfully deleted them and removed their link with HijackThis but guess I missed some.
The damage is not great, but it keeps running my d:drive and uses a lot of my virtual memory.

Here's the log for any kind helpers,
Logfile of HijackThis v1.99.1
Scan saved at 11:32:45 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\usbcamb.exe
C:\Program Files\Fujitsu\Application Panel\QuickTouch.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32... Read more

Answer:Solved: Diskman32, AvPSrv kept coming back!!

16 more replies
Relevance 59.86%

Here's my hijack this log... I already use winsockxpfix to remove cn_api60.dll on restart and I already delete it in safe mode manually... it always works. However after about 30 min it keeps on coming back when I check in my hijackthis. I use avast antivirus, spybot, adaware, ewido and it wasn't able to detect anything, also lspfix doesn't work... it gives me "Parameters" is not a valid integer error

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\EPoX\EPTP\EPTP.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Anti-Blaxx\Anti-Blaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Ap... Read more

Answer:Solved: Help me remove cn_api60.dll it keeps on coming back T_T

9 more replies
Relevance 59.86%

Hi, I have only just registered with this site and hope someone can help.
O/S is XP Pro with SP2. I recently installed NAV 2005 which keeps informing me that it has found W32.Spybot.Worm in D:\explorer.exe and Config Setup.exe
It reports 4 "finds" at a time saying 2 are in D:\explorer.exe and 2 are in Config Setup.exe It says it has deleted them but a few hours later it reports them again. If I do a virus scan it finds nothing and neither did a Trend Micro scan or a scan with Adware Spy. I have looked at other threads and followed the safe boot procedure and still found nothing.
I am totally confused!!!
 

Answer:Solved: W32.Spybot.Worm keeps coming back!

16 more replies
Relevance 59.45%

Whenever I restart and log on, MSE informs me that I'm infected with Worm:Win32/Ainslot.A, then proceeds to remove it. I scanned in safemode with Malwarebytes and it detects and deletes the following:


Quote:




Registry Keys Detected: 1
HKCU\Software\VB and VBA Program Settings\SrvID (Malware.Trace) -> Quarantined and deleted successfully.
Files Detected: 2
C:\Users\Sean\AppData\Local\Temp\lsass.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Sean\AppData\Roaming\conhost.exe (Backdoor.CycBot.Gen) -> Quarantined and deleted successfully.




Scanned twice, exact same results. Looking forward to your guidance!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_31
Run by Sean at 12:07:50 on 2012-04-29
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.2.1033.18.8169.6357 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k Lo... Read more

Answer:[SOLVED] Worm:Win32/Ainslot.A Keeps Coming Back

Hello ninjasilver, welcome to TSF.

We need a little more info before we begin.

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator) At this time, select No when prompted to download the Avast database.
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

==================

Download TDSSKiller.exe and save it to your desktop
Execute TDSSKiller.exe by doubleclicking on it.
Press Start Scan
If Malicious objects are found, do NOT select Cure. Change the action to Skip, and save the log.
Once complete, a log will be produced at the root drive which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

11 more replies
Relevance 59.45%

Hi,

When I started getting popups a few days back I ran a scan using Spybot. It detected Smitfraud-C.Toolbar888 and was able to remove it successfully. Also, AVG Anti-Spyware detected Adware.Virtumonde and deleted it. Even then the popups wouldn't stop so I scanned again using Spybot & it found the same malware again!! AVG also detects the same adware after every system startup. This is really frustating!! Please help!

Here's my HJT log:
----------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 5:32:52 PM, on 5/23/2007
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\xampp\apache\bin\apache.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\xampp\apache\bin\apache.exe
D:\WINDOWS\Explorer.EXE
D:\xampp\mysql\bin\mysqld-nt.exe
D:\Program Files\ATI Technologies\ATI.ACE\cli.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Java\jre1.6.0\bin... Read more

Answer:Solved: Malware (Smitfraud-C.Toolbar888) keeps coming back

14 more replies
Relevance 59.45%

I read several of the threads concerning recurring virus/spyware/worm/malware issues. I downloaded ewido and hijackthis and ran them and the system seemed good until I logged onto the internet. Then it comes back. I am running Windows XP home edition and internet explorer. Here is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:42:39 PM, on 12/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NORTON~1\SPE... Read more

Answer:Solved: Spyware, virus keep coming back - ran hijackthis

14 more replies
Relevance 59.45%

A few days ago, Outerinfo installed itself onto my computer. I uninstalled it twice--first using Outerinfo's uninstall feature via the "start" menu and the second time through "add/remove programs" in the control panel. It's not showing up on the start menu anymore, but Bitdefender's free online virus scan has detected it twice in the last couple days. I have Trend Micro installed and it doesn't pick up on Outerinfo, but has been busy these past few days detecting Mirar and a host of other trojan downloaders and adware installers.

Anyway, since that first infection, I've since downloaded Adaware, Ccleaner, and Spybot S&D, which have detected a bunch of stuff. I just can't seem to get rid of any of these things permanently. I ran Bitdefender this morning and it deleted Outerinfo yet again. Any help you can provide would be greatly appreciated!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:13:37 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\syste... Read more

Answer:Solved: Outerinfo/WinAntiSpyware/Mirar/etc keep coming back

10 more replies
Relevance 59.45%

A few days ago I downloaded a bad file and my computer has been infected with all sorts of malware and trojans. I used AVG free edition, Spybot, and Ad-aware and I have got most of my problems gone, but I keep getting Trojan Collected.11.B, and Trojan Generic3. When I'm just using my computer normally, AVG pops up saying a threat has been detected, and it's either Collected 11 B or the Generic3. When I'm surfing the web, I sometimes get redirected to another website. I've tried AVG and Spybot countless times and I can't fully recover my computer. They just keep coming back every day! Please help, and I really don't want to reformat my computer again.

Here is my HijackThis log after using AVG:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:13:46 PM, on 4/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTu... Read more

Answer:Solved: Please Help! Trojans Keep Coming Back! (Collected.11.b, Generic3.uub)

11 more replies
Relevance 59.45%

Hi Jack,

I have Windows XP Professional SP2 and I keep getting popups in IE7 for ADs. They open in full new IE7 windows. Then when I go into safe mode it keeps restarting safe mode every 6 seconds or so.

I installed Kaspersky and it keeps blocking this

detected: Trojan program Trojan.Win32.Agent.bck URL: http://82.98.235.78/netob/valera.exe?uid=C3EF090E71EF11DCAD13F67908FAFFFF&guid=101E

I ran adaware and can't run spybot anymore.

When I run "VundoFix.exe" it usually finds about 3 dll files which names seem to constantly be changing. For example you can see one in this log called "cmulnmik.dll"

I delete these then these files usually come back with different names. I cleaned all my temp items. I did find mdengine.dll in my local files temp and I removed because I think I read that is a bad file, I am not sure if that's related.

Any help would be appreciated. Thanks
Here is my Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 1:03:16 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe... Read more

Answer:Solved: Can't remove possible Vundo or valera dll's keep coming back

8 more replies
Relevance 58.63%

Hi
First time poster so I am sorry if the information is vague or not properly organized.
I have owned my computer for about a year now and everything has been working fine and dandy. I have not installed any new hardware.
About a couple of weeks ago my computer started to freeze at random. During post, during loading of the OS ( Windows XP sp2 ) and at random when I got into Windows, evenly when I was using heavy duty applications ( games, vmware etc ) and just browsing the internet and checking my email.

I first suspected the ram so I ran memtest86+ and Windows memory test which turned out to be ok ( the computer did freeze a couple of times when I ran these tests ).

The cpu temperature is steady at 35 and just about 41 while under stress. The system temp is steady at 41-43. All fans are working great.
I cleaned the case and I have blown all dust out of the videocard and fans.

I reseated the memory and videocard.
When the computer freezes I will try to restart the computer. Sometimes the computer freezes then at POST but sometimes the fans go on, HD start spinning but the computer will not start. The CD-drive will not open and the caps-lock will not go on.
I did suspect the Virtual memory but when the computer started freezing during post I quickly stopped thinking about that.

Here are my specs ;
4gb supertalent 800mhz
Core duo e6600
Gigabyte Motherboard, GA-P35-DS3R
Nvidia 8600GTS

It is worth noting that sometimes nothing will happen if the computer is left co... Read more

Answer:Solved: Computer randomly freezes and has troubles coming back up

12 more replies
Relevance 58.63%

Greetings folks,

I'm at the end on the line for my attempts to fix my PC, so I logged into here to find some help.

I've run vundofix - states that it's successful in removal after reboot (new scan doesn't show it)

MS Mal Software removal tool to pull the trojan, but they both keep returning after I launch Explorer 7. Running XP Pro - the following is my log, anybody see something that could be an issue?

Thanks in advance for any help!!
 

Answer:Solved: Hijackthis log - Win32/Rbot.gen!A and Vundo keep coming back

6 more replies
Relevance 58.63%

WINDOWS 2000 PRO
norton antivirus
Had the things I talk about below in the log
Used Spybot--clean
spysweeper-clean
adware-clean
cwshredder-clean
deleted all temps, cookies, and history,
Ran full norton scan it came up with nothing.
I looked in the event viewer under apps and saw that a bunch of errors were there. I clicked on the events and it said norton had found a bunch of trojans and viruses but did not delete or quarantine them, just left them.

I disabled norton antivirus and installed AVG Antivirus and AVG Antispyware
Ran a full scan (after updating the programs) and AVG caught 15 viruses and trojans and antispyware AVG caught the QHOST.mg trojan and cleaned it. To make sure, I ran the Qhost fix from norton and it was clean.
the viruses and trojans that were caught were
Virus--Rejoice45.exe--Win32\PEMASK.A
Trojan Horse-atmQQ.exe--PSW.Generic5.RWU
Trojan Horse-1.exe--Generic8.MUH
Trojan Horse-Down(0).exe--Generic8.MUH
vIRUS--1.EXE--wIN32\PEPatch
Virus--sasa.exe--Win32\PEPatch
Trojan Horse--wnlftftf.dll--PSW.Generic5.TZT
Trojan Horse BackdoorDELF.aag--3800hk.dll
Trojan Horse-3Svchs0t.exe--PSW.Generic5.RWT
Virus--Down(1).exe--W32\PEMASK.A
Trojan Horse--Rpcs.dll--PSW.Generic5.PHM
Trojan Horse--1.exe--Generic8.OAQ
Trojan Horse--Who.exe--Generic8.0AQ
Virus--rejoice45.exe--Win32\PEMASK.A
QHOST.mg

Someone else tried to clean the 0svchs0t.exe and did part of it but not all. when I searched for the 0svchs0t.exe and found it I deleted it and then found the h2.dll and h3.dll and h5.... Read more

Answer:Solved: Windows 2000-Cannot get a couple of things out of HJT Log-keeps coming back

16 more replies
Relevance 58.63%

Hello All

I have really tried to find an answer looking at others' posts but it seems like each person's problem is unique to their computer.

I never had any spyware problems before so I'm unfamiliar with a lot of programs. I have installed, adaware, spybot, avg antispyware, cleanup, win patrol, AntiVir Guard, and windows defender all because I have read other peoples posts. I know I probably don't need all of this but I didn't know what else to do. Also I am not too familiar with registry edits so I know I need to be careful if I have to change anything.

These are my computer's symptoms:

AntiVirGuard pops up 3 to 13 times saying trojan horses are detected what do I want to do? I usually select delete or block.

Then everything is usually ok until I get on the internet after which my computer redirects the sites I type in to a site called Jack9.com this happens every few minutes. Sometimes I get a bunch of popups in rapid succession and it freezes my computer. I have to restart windows explorer or restart the computer when this happens.

I have run every single previously mentioned program several times during startup and safe mode if possible and while they find things....they must be missing something because the problems continue.

I came across HiJack this and I have the log from the program. I am not completely sure what to do with it or if it can help but any assistance anyone can offer would be greatly appreciated. The log is below:
Logfile of ... Read more

Answer:Solved: Spyware, popups and keeps coming back HiJack this log included Please help

16 more replies
Relevance 58.22%

windows 2000 pro

I am 45 miles from home and need to get this computer running so please someone help so I can go

go into Hijack this log and delete the hijacker but keeps coming back anyway. Please advise as soon as possible. here is the log

Logfile of HijackThis v1.99.1
Scan saved at 5:36:34 PM, on 6/18/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\keyhook.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\SOUNDMAN.EXE
C:\WINNT\system32\paytime.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\paytime.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\newdial1.exe
C:\WINNT\system32\newdial1.exe
C:\New HJT P... Read more

Answer:Solved: windows 2000 pro- big problem-delete hijacker keeps coming back

9 more replies
Relevance 58.22%

Hello. Last week I foolishly went to a popular torrent site and was hit with MS Antispyware 2009. I've seen it before and know how invasive it is, so I decided to format C/reinstall windows to wipe it out. I tried this a few times and it still comes back. It must have made it onto one of my other drives. I use this computer as my "work" computer. I record bands/artists for a living and as this is my primary DAW, there are lots of drives attached that it could have made it onto. After stumbling upon this forum, I tried a number of the tools used here. I now know that this was a mistake and I should have posted and left this to the experts. If it prevents me from getting help, I fully understand and comply by your rules. I tried Malwarebytes, Spybot, Avira, Hijackthis, and even Combofix with no luck. Those have eliminated the redirects, background changes, and warnings, though I'm still getting popups. I also ran the Kaspersky online scan last night, which took 7 hours and found only one infection. It found "start.exe" on my Ipod (drive J:). However it did not give an option for deleting it and I cannot locate it with Windows explorer. The popups sometimes contain info about my google searches. I still plan on reformatting my system drive when the infection is cleaned so that I can make a clean restore disk in the event this ever happens again. It shouldn't, I'm never running torrent software on my work computer again! In fact I think it should stay offline ... Read more

Answer:[SOLVED] Antispyware 2009 and popups coming back after format/reinstall

Hello BEN6732,

I see this thread has been marked as solved, yet there is no follow up post. Do you still require assistance?

9 more replies
Relevance 57.4%

Hi

Thanks in advance for the help. I checked the forums and looks like I have a similar problem to a couple of folks. I keep running Symantec and it finds the KillAV trojan and says it's removed, but then it comes back. Now I can't access my Control Panel. Here is the Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:49 PM, on 10/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\IDriveE\IDriveE Service.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Fil... Read more

Answer:Solved: KillAV keeps Coming Back Disabled Control Panel and Cant Access AV Sites

16 more replies
Relevance 55.35%

I've been having a problem with the back left corner hinge since October of last year. I posted to another board about this problem, having been told that this issue would be passed on to support in my region. I'm curious as to whether I'll hear from these people in this lifetime or the next. I enjoy my laptop and would like to continue using it, but as time goes on it keeps separating more and more and I have to snap it back into place to keep it together. I'm hoping to actually hear back from someone this time that will be able to help me in fixing this issue.

Answer:Back Corner coming from the back left side by the hinge

@jmb1313

 

I have brought your issue to the attention of an appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post personal information (serial numbers and case details).

If you are unfamiliar with how the Forum's private message capability works, you can learn about that here.

Thank you for visiting the HP Support Forum.

1 more replies
Relevance 53.71%

I already posted in How to remove Windows 10 upgrade updates in Windows 7 and 8
In this thread after the starting post from Tookeri other updates that had to be deleted were mentioned. I made a list in post 841
I did not have all these updates on the pc but those that were on it I hid.
Some of them came back and I hid them again.
Now today they are back - with some that I had not seen before.

I made an attachment that shows them and also shows that I hid them again

Will I have to check Windows Update for the rest of my life?????

More replies
Relevance 53.3%

When I'm connected to the Internet, I get the black screen with the Windows XP logo flitting about if I've been inactive for 2 mins. Can I correct it?
 

Answer:Solved: Screen keeps going back to Black screen with Windows XP icon keeps coming up

Only when connected to the internet?

Right click empty desktop.
Properties>Screensaver - Check what you have it set to.

Monitor Power.
Power schemes>always on.
Turn off monitor>never.
System standby>never.
Turn off hard disks>never.
Relevance 53.3%

- OS - Windows 7 SP1
- x64
- What was original installed OS on system? Windows 8
- Is the OS an OEM version (came pre-installed on system) or full retail version (YOU purchased it from retailer)? Retail Version
- Age of system (hardware) 4 months
- Age of OS installation - have you re-installed the OS? 1 week

- CPU Core i5-3330
- Video Card Nvidia GT 620
- MotherBoard
- Power Supply - brand & wattage 300w

- System Manufacturer Dell
- Exact model number: Inspiron 660
Added Samsung 830 128GB SSD + 3TG Seagate in place of the original 2TB Seagate HDD.


I have tried reinstalling Nvidia drivers, currently use the older version 310.90
Previously used 314.22.

Answer:[SOLVED] I get black screen after coming back from screen saver/idle

The following may be helpful when reading the remainder of this post: Beta and Legacy Drivers | GeForce
Quote:

NVIDIA Driver Downloads

Advanced Driver Search

Product Type: GeForce
Operating System: Windows 7 64-bit
Product Series: GeForce 600 Series
Language:
Product: GeForce GT 620
Recommended/Beta: Recommended/Certified


Code:
Name Version Release Date
GeForce 314.22 Driver WHQL 314.22 March 25, 2013
GeForce 314.07 Driver WHQL 314.07 February 18, 2013
GeForce 310.90 Driver WHQL 310.90 January 5, 2013
GeForce 310.70 Driver WHQL 310.70 December 17, 2012
GeForce 306.97 Driver WHQL 306.97 October 10, 2012
GeForce 306.23 Driver WHQL 306.23 September 13, 2012
GeForce 301.42 Driver WHQL 301.42 May 22, 2012





BugCheck 0x117
These crashes are DirectX/graphics card related. DirectX comes installed with Windows, so this may indicate Windows corruption. It may also be that you have corrupted drivers or a graphics card hardware problem.
If you are overclocking any hardware, please stop.

Run a system file check to check Windows for corruption:
Click Start Menu
Click All Programs
Click Accessories
Right click Command Prompt
Click Run as administrator
Type
Code:
sfc /scannow
and press Enter
Once it is complete, make note of the message. If it says "Windows Resource Protection did not find any integrity violations.", restart your computer and post back
If... Read more

Relevance 52.89%

Hello,
I have a problem, which I've tried to fix several times but it keeps coming back.
This virus is located in Systems 32 folder, PC-cillin 2005 identified it as TROJ_ROOTKIN.N. I've gone to safe mode, deleted it, returned to Windows and the virus reappeared, what's more it clogs up PC-cillin, so now under quarantine I have 100+ instances of this virus, and it's increasing.
The virus is labelled hpr34k8

I'm sure my Hijack Log is fairly clean...

Logfile of HijackThis v1.99.1
Scan saved at 5:27:53 PM, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin... Read more

Answer:Virus that keeps coming back and back and back, so on

bump, hopefully someone takes notice

Relevance 52.48%

I'm posting this on behalf of someone else, since she can't access her computer because of the following problem:

This person's running Windows XP SP2, and only has one user account without a password. Hence, her computer would automatically boot up to Windows without having to select a user account, etc. However, this morning, the "Welcome" screen came up for the first time ever so I told her to click on her username, which she did. Her desktop wallpaper appeared, as if Windows was starting up, but the "Welcome" screen came back right after. She also tried to click the "Reboot" button at the Welcome screen, to no avail (the computer would reboot and show the same Welcome screen).

Does anyone know what can be causing this? As far as I know, she hasn't installed anything yesterday before turning off her computer.

Thanks enormously in advance.

Answer:[SOLVED] "Welcome" screen keeps coming back

http://club.cdfreaks.com/showthread.php?t=135726

Relevance 52.48%

I have disabled all the settings in "Taskbar and Navigation Properties" that I can see to disable; but, charms will not go away. As concerns Charms, pointing to corners or anything related to that, I want it ALL GONE -- PERMANENTLY.

I'm running Classic Shell if that makes a difference.

See attached image.
 

Answer:Solved: "Charms" keep coming back

Relevance 49.2%

This is my second attempt at help. I failed my first time and after reading the preparation guide here I am. I tried fixing it myself and loading MBAM and it says I have an infected registry value (Trojan.Agent). When I run the MBAM it says my computer must reboot to fix. It does, but then I have the same infection. I am confused, frustrated, and not really sure now what I am doing. Thankfully there are those here that can help...I am humbled.

Here is my DDS.txt
DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 16:10:46.34 on Tue 03/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.186 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINNT ... Read more

Answer:Not sure what I have...but it keeps coming back

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please: Reply to this thread; do not start another! Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so. Do not run any other tool until ... Read more

Relevance 49.2%
Question: keeps coming back

I keep running scans and it cleans the computer sometimes. I will encounter XP Antispyware 2009 and 2008 telling me that my computer is infected. It posts a permanent box on my desktop saying infected and keeps popping up at bottom right by time clock saying infected. I will run anti malwarebytes and it will clean it only if I do quick scan. But then I will run full scan and it freezes so I know it is still infected. And sure enough a few days later it is all back. Please help. I also run cc cleaner and Norton but Norton freezes too. I have also tried in safe mode but it still freezes. Thanks. Any and all help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:21 PM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Inte... Read more

Answer:keeps coming back

bump
Relevance 49.2%

Every time I run Webroot's Spy Sweeper it finds a CWS threat. I don't understand why it keeps popping up, even after I tell Spy Sweeper to remove it. Someone want to help me....

Logfile of HijackThis v1.99.1
Scan saved at 7:44:30 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\programfiles\Spy Sweeper\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Eset\nod32kui.exe
D:\programfiles\Spy Sweeper\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\programfiles\MicrosoftAntivirus\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
D:\programfiles\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\programfiles\MicrosoftAntivirus\gcasDtServ.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
D:\programfiles\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.... Read more

Answer:CWS keeps coming back

Relevance 49.2%

2 nights ago I was surfing the net and I started getting reports such as:

Windows has detected spyware infection!
It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you
Click here to protect your computer from spyware!

and

Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and
Internet files. Run full scan now to pervent any unathorised access
to your files! Click here to download spyware remover ...

I started getting a lot of popups trying to send me to a site called cookingluck (f3.cookingluck.com, f5.cookingluck.com, f7.cookingluck.com, f9.cookingluck.com). I close them before they can finish loading.

Now I didn't do the smartest thing and I downloaded one of the "anti-spyware" things they told me to, "system-defender". Well, that's about when everything went from bad to worse: shell.dll was giving me hell, wowfax.dll was messing up. The control panel icon also disappeared and anything I tried to do with the system it wouldn't let me, pretty much telling me I didn't have administrative privileges.

So I came on this site and saw the self help page and was looking it over and saw that the "SmitFraud and It's Variants Removal Instructions" section fit my problem to a T, so I followed the steps exactly as they are written. I also got rid of the system defender. When I rebooted into norma... Read more

Answer:It just keeps coming back.....

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix
When the tool is finished, it will produce a report for you.
Please post C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

Relevance 49.2%

Hi everyone,

I had this fake FBI virus on a laptop a couple of days ago; it would not let Windows boot, not even in safe mode. I got it cleaned with a Kaspersky boot disc, and also scanned it with AVG, Malwarebytes and Avast. I sent it back to the customer, and the same night he called me saying Avast kept picking up something but was not able to remove it! So I picked it up again the next day, scanned with AVG & Malwarebytes, and it seemed to be cleaned up again; nothing was picking up any viruses. But guess what? This morning I have a text from the customer, saying he was locked out of the screen and he was able to get into it, but now AVG is picking up something again!!! I asked him if he uses a USB drive or external or anything but he said he did not use any of those! PLEASE HELP WITH REMOVAL OF THIS!!!!

Answer:It keeps coming back!!!!

Hello sapikest,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Before we start, please note:

Please be advised that this free service is typically for home users. We'll help you out this time, but in the future if you are unable to clean a machine via standard methods, then either backup the client's data and rein... Read more

Relevance 49.2%

Oh God help me... these anti-spyware pop ups keep popping up and I always run a check on ad-aware 6 and Spybot once I see it. But once I connect to the net and open a site, it all comes back again and I have to scan it all over again.... help please this is real miserable...

Thank you.

Answer:It just keeps coming back...

try manually removing, on www.doxdesk.com there are listings for spyware/parasites.

you could also go to run > msconfig and deselect any programs starting up that you don't recognise.

also try going to http://www.symantec.com/homecomputing/
at the bottom is a link to a free online virus check, you may have one that persistently downloads spyware.

and finally ensure you have a firewall and if you have one make sure it's up to date. www.download.com has a free copy of zonealarm, that's a good one

Relevance 49.2%
Question: Keeps coming back

Ok guys, not sure what I keep missing but the 020 line keeps coming back and changing its name.

I have run CWS, ewido, Killbox (and delete after reboot), VirtumundoBegone
Logfile of HijackThis v1.99.1
Scan saved at 11:25:30 AM, on 1/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hijack This\TrojanHunter 4.2\THGuard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDae... Read more

Answer:Keeps coming back

Relevance 49.2%

windows security 7 keeps coming back after doing all the steps
 

Answer:it keeps coming back

Please attach the logs from both SUPERantispyware and MalwareBytes. Also run the below and attach the log.

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run
Relevance 49.2%

Hello, after removing numerous malwares, str.sys keeps coming back even though I removed it several times.
Here's the log, thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:19 PM, on 7/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program... Read more

Answer:Str.sys keep coming back, help!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Relevance 49.2%

okay, so yesterday I cleaned my pc with "malwarebytes anti-malware" and there were like 11 viruses. then I scanned after it, none, so I get up this morning and scan my pc because everything is going SO SLOW! and now I got 10 viruses. can anyone please help? yesterday I had like 2 injections, 2 clickers, 2 malware.packs, and like 6 agents.
here's my log for yesterday: http://pastebin.com/panEZfVS
and here's today's: http://rhymingcolors.pastebin.com/G7gJ51nr
please help. 5 of those kinds I've never seen before :/ please comment below
 

Answer:they keep coming back >:(

Relevance 49.2%

Hey everyone, this is the first time I have posted anything but I am having some serious problems. I let my brother borrow my laptop and when I got it back it was infected bad.
I have pc-cillin, Malwarebytes, and SuperAnti-Spyware.
SuperAnti-Spyware seems to clean everything after I scan and reboot but there are two things that keep coming back on the next re-boot.
1. Pc-cillin keeps giving me a warning telling me to close the browser when it's not open with the web address of 110/rjsa/select.php?a=6707a0a cd82d9318fa98c6ee396eed8e61fcf4200553e0c95d8b1d81bbda3c1b&b=1001&c=1
2. There is a sys32 file that gets deleted and always comes back on reboot; it's MoIXWA40.dll
Pc-Cillin tells me this is a trojan.bho and says it will delete on reboot.
Please help me, this is so frustrating, it slows everything down sooo slow.
 

Answer:Pop-Ups keep coming back

Hi, Welcome to TSG!!
Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

Relevance 49.2%

I am having trouble getting rid of this BHO object.
Every time I manage to remove the dll and the BHO registry entry it comes back under a different name.
I have run Spybot, AdAware and Trend Micro AV.
Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:14 PM, on 04/16/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\EWE594.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files ... Read more

Answer:Bho Keeps Coming Back

Hello EBurritt, I am SifuMike and I will be helping you.

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

******************

Download ATF (Atribune Temp File) Cleaner by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido). This is a 30 day trial of the program.

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.

Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.

1. After download, double click on the file to launch the... Read more

Relevance 49.2%

I have a PC I believe is infected.
I have run Combofix; it appears to find something and reboot but I am unable to tell by the log what it found.
I think it is still infected because if I run CF again, it says it needs to reboot to continue.
ComboFix.txt   29.88KB
ComboFix2.txt   30.15KB
ComboFix3.txt   26.11KB
ComboFix4.txt   29.75KB

Answer:it keeps coming back

Hello cgtrott, I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box; only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.

Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were ha... Read more

Relevance 49.2%

I have done everything to get rid of my recent popups including running spybot, adaware, microsoft Antispyware, Norton and Pandascan both in regular mode and safe mode. They keep on finding stuff, but after restarting, they still come back. I have also emptied the TEMP folder and cookies and temporary Internet files. I have included a HIJACK this log, hopefully someone can help. thanks.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:55 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe... Read more

Answer:HJT Log because they keep coming back

Relevance 49.2%

I think I may have finally scrubbed enough to keep the dll (IeBHOs.dll) from re-appearing, but the E2G folder keeps recreating itself. Any suggestions?

It's a friend's system and had Norton on it. I installed NOD32 and PC Tools Spyware Doctor. Then read a few threads and ran HJT a few times and made some deletions that "may" have helped. I know that I managed to get rid of the TrojanDownLoader-AC2 but this E2G is stubborn.

Also ran SpySweeper many times in safe mode and in non-safe mode. Disabled Spyware Doctor from auto load with windows as it seemed to be interfering with the Spy Sweeper scan.

Here's the latest HJT log:

Thanks in advance for any suggestions!

Charlie

Logfile of HijackThis v1.99.1
Scan saved at 6:51:15 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EX...

Answer:E2G keeps coming back

Three threads are not needed for the same problem.
 

Relevance 49.2%


Answer:E2G keeps coming back

Thread closed, please do not post duplicates!
Continue here: http://forums.techguy.org/security/460316-e2g-keeps-coming-back.html
 

Relevance 49.2%
Question: Keeps Coming Back

Can someone please help me with this problem? All my AV programs detect a virus running in my system, but whenever I have it removed, it keeps coming back. How can I stop this???


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:13 AM, on 8/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\csrcs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper....

Answer:Keeps Coming Back

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------------------------

If you still require assistance with this issue, please do this:
Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\rsit\info.txt

Click Upload.

---------------------------------------------------------------------------------------------

Relevance 49.2%

I've run Ad-awareSE, Trend Micro's housecall, and McAfee. I've also run Ad-aware while in safemode yet I still keep getting these popups and McAfee keeps telling me that "The file C:\WINDOWS\system32\winupdt.exe was infected by the Downloader-LG trojan and has been deleted to complete the cleaning process." It says it repeatedly then stops then a few hours later it'll come back. Here is my Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 6:07:30 PM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wkogyo.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:...

Answer:They just keep coming back...

Relevance 49.2%

hi, i hope somebody can help me. I'm running windows 95 b with internet explorer 5.5 and I keep getting "Error loading C:\WINDOWS\TEMP\se.dll". when I run IE, avg detects trojan horse startpage 16.bd and my start page is now advertising called "about: blank" I've deleted se.dll but it just keeps coming back. I'd appreciate any suggestions. thanx!
 

Answer:se.dll keeps coming back!

it sounds like you got hijacked. this should have been posted on the spyware specific board. follow the instructions on this link below.

http://forums.majorgeeks.com/showthread.php?t=35407 <--
Sticky: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

g/l - sos
 

Relevance 49.2%

I am trying to clean out a co-worker's computer. I have restored to over a month ago and continue to find malware during scans. Any help appreciated. Have not yet restarted to fully remove. Do I need to kill some files with killbox prior to the restart? Thanks, Jeff

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/31/2010 2:19:22 PM
mbam-log-2010-03-31 (14-19-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 231065
Time elapsed: 1 hour(s), 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\$Recycle.Bin\S-1-5-21-2658977195-169558386-357108580-1000\$RR7NTAN.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Wi...

Answer:ave.exe keeps coming back

Windows restarted for updates while sleeping last night. Running malwarebytes again. Final rid of Hijackthis entries
O20 - AppInit_DLLs: C:\ProgramData\nuvanifi\nuvanifi.dll
2658977195-169558386-357108580-1000

Malwarebytes came out clean as well as a full McAfee virus scan. Hijackthis log appears clean too. With persistence I think I have this cleaned finally. I have both a dds scan and gmer report but don't really know what to look for. I can post these if someone has time to review them. I ran both prior to the windows update restart. Also updated and ran spywareblaster. Pop ups and redirects are gone too.

Partial log of items cleaned.
3/31/2010 2:19:22 PM
mbam-log-2010-03-31 (14-19-22).txt

Folders Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\$Recycle.Bin\S-1-5-21-2658977195-169558386-357108580-1000\$RR7NTAN.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Windows\System32\co...

Relevance 49.2%
Question: Keeps coming back!

I thought I wiped it off already but it's back AGAIN! And my SpyBot S&D is missing all sorts of components so it's not working right and it's the only one that has found any. The Microsoft one found one and deleted it but SpyBot found 16 but only deleted 2 before running into problems. EliteBar is back also. Help again!
 

Answer:Keeps coming back!

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
 

Relevance 49.2%
Question: Back coming off?

My Lumia 640 is quite new and the back plastic panel writing logo is coming off the Microsoft logo has come off and some letters are coming away?
Is this normal?

Relevance 49.2%

I can't get rid of this crap - I've run everything on here that people say. I have SAV installed and up to date, I have SpywareGuard installed, I have run HJT, I've run Ewido software, nothing can get rid of this - Every time I clean everything while in Safe mode and reboot, Spywareguard immediately starts popups saying a BHO has been added (such as C:\WINDOWS\system32\wvuvspq.dll) - I click remove BHO, and it comes back over and over...

Someone please help - this has totally destroyed my computer...
 

Answer:Someone please help - These BHO's keep coming back!!

Closing duplicate thread. Please continue to reply here: http://forums.techguy.org/malware-removal-hijackthis-logs/648572-please-help-my-hijackthis-log.html
 

Relevance 49.2%

I used Vundofix, ad-aware, spybot, xoft, avg, House call, Microtrend. Don't know what to do next? Here is my info:

Logfile of HijackThis v1.99.1
Scan saved at 1:48:37 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\...

Answer:Pop Up's Keep Coming Back

Hello Mhenry, Welcome to BleepingComputer!
My name is Nick and I will be checking over your log.
Let's get started.
You will want to print or save these instructions.

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

I highly suggest you get rid of BearShare. It is a P2P program which is usually the cause for malware.
Read here for more information on clean and infected File Sharing Programs.
Click Start > Control Panel > Add/Remove Programs and remove:
BearShare
Please note any other programs that you don't recognize in that list in your next response
Reboot your computer once more.
Please go HERE to run Panda's ActiveScan
On...

Relevance 49.2%


Hot bar I am told is a parasite. That is, it's a freeby that seems friendly but in reality is sucking all your secrets. So last night I deleted all trace of it from the system by norton and by Regedit. Tonight it's back...... What sort of mallet does this need?

Answer:hot bar keeps a coming back

Please post a HJT log click here. You may need to post it in two halves because of the 800 word limit. Please double space it by adding a blank line after each line so that it is legible with the site's formatting.

Relevance 49.2%

Greetings everyone I need some help.

First off... I have followed all the procedures listed on the READ ME thread that is asked and I STILL AM HAVING ISSUES.

I have Ad-Aware SE and with the VX add.

I have HiJackThis v1.99 and have followed the steps on that thread as well.

Here is the problem:

I run Ad-Aware every time I log on, and even in safe mode. It finds between 8 and 60 items. Mostly Malware and DataMiners. Then once I fix those I rescan and it comes up clean. However, I am still getting pop-ups, I have EnhanceMySearch, and when I log off and log back in... and re-run Ad-Aware I still have 8-60 items that show up and the same problem persists.

Can anyone help and point me in the right direction? It is a major annoyance. THANKS TO EVERYONE IN ADVANCE!!
 

Answer:It all just keeps coming back

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
 

Relevance 49.2%

Can't seem to get rid of the trusted zones, option is disabled in internet tools. I've run spybot, adware and avast but they still show.

Logfile of HijackThis v1.99.0
Scan saved at 10:18:03 AM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent....

Answer:they keep coming back!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Right click on this link http://www.greyknight17.com/spy/De...

Relevance 49.2%

Hello
For many years I succeeded in keeping my computers safe - then, not even a month ago, something surfaced. A Virut thing after I visited an insecure site.
If this can help, a few days before I had for the first time in my pc life installed a downloader program called Flashget.
Well I tried at first to clean up with Spybot and Spyware Doctor (who had not by the way intercepted the hostile item). But the machine had still a strange behaviour so I downloaded some Linux based Rescue CD .iso files (Kaspersky, BitDefender, WebDoctor), burned the CDs and went on scanning without Windows. Those found a wealth of infections by Trojans as well as by the Virut thing, so I kept cleaning and cleaning (disinfecting and/or deleting that is) until nothing more was found.
I then restarted Windows, uninstalled Flashget and installed Avast antivirus. Unfortunately when using my browser I started to get redirected to a "stolnik.net" whatever search I did. Plus Avast began to show infections spreading in the system by a "W32.Vitro" virus. So I tried again with the rescue CDs - Kaspersky found a couple issues but nothing else - and Avast still claiming I have the W32.Vitro everywhere.
At this point I used the VirutCF removal tool by Norton, but to no avail - there is no Virut infection in the machine.
I was beginning to get nervous so I downloaded the Combofix tool, disabled all and every anti-virus and -spyware - as requested - and tried to start Combofix: nothing happens...

Answer:They keep coming back

If you truly have Virut the only real alternative is to do a complete wipe and reinstall. See boopme's post here: http://www.bleepingcomputer.com/forums/ind...t&p=1260380 That will help you determine if you have virut, and if you do, what you need to do.

Relevance 49.2%

Here is my dilemma:

I've run Kazaabegone, CWShredder, Spybot and Adware with new updates and reboots in between. I've run Hijack This and removed what I knew to be suspicious files in safe mode. But one:

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

keeps reappearing on the HJT log after rebooting. I know I'm missing something; just don't know what.

Here is the entire log:

Logfile of HijackThis v1.97.7
Scan saved at 8:04:28 PM, on 2/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\EarthLink 5.0\Con...

Answer:New.net keeps coming back

Relevance 49.2%

I have a problem with pop-up ads that keep on appearing randomly on my computer. I tried using adaware which picked up a lot of them, but they keep coming back later.

Hijack this log (Created with Hijack-this Analyzer)

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Fil...

Answer:Pop-Ups that keep coming back

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

Relevance 48.79%

Somehow I ended out with this stupid thing on my comp and I have removed it with Spybot and Ad Aware two or three times now but every time I try to search it comes back.

I have downloaded and installed Hijack This and done a scan and this is what is reported. This is without running Spybot and Ad Aware again.

Logfile of HijackThis v1.96.1
Scan saved at 3:57:18 PM, on 8/23/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\RINGCENTRAL\BUZME\BMUI.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WMCONNECT\WWM.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=75575
R1 - HKCU\Software\Mi...

Answer:Tinybar!!! Keeps coming back!!

Relevance 48.79%

I found a few suspicious files one day while i was clearing up files around in my hd.

backupuser.exe
_backupuser.exe
mydocuments.scr
recycled.scr
winzip.pif
photo.scr
c:\windows\appatch\lsass.exe
c:\windows\appatch\crss.exe
c:\windows\appatch\smss.exe
c:\recycled.scr

and a registry value

machine\software\microsoft\windows NT\CurrentVersion\WinLogon\Userinit: Userinit.exe,C:\WINDOWS\AppPatch\smss.exe,C:\WINDOWS\AppPatch\lsass.exe

Prior to posting this thread I have attempted to remove such files + registry value but some of the files and the registry value keep coming back after each reboot. Namely,

c:\windows\appatch\lsass.exe
c:\windows\appatch\crss.exe
c:\windows\appatch\smss.exe
c:\recycled.scr

After exhausting all my options I have come to seek help in this forums. Hope I made the right choice. Anyway, I have followed as per instructions from this post http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ but received an error regarding the step involving root repeal. Don't know if it affects the scan but just gonna highlight the error.

Error - Invalid PE image found

Alrighty then, here comes the big wall of text

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 14:27:22.70 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2248 [GMT 8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D...

Answer:Infection that keeps coming back

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

Relevance 48.79%

I have a Dell Dimension 8400 running Windows XP SP3 and I installed a new hard drive (wiped). I had some issues installing drivers and I downloaded some sort of a "driver detective" program that (I think) infected my computer with all sorts of crap. I know, I know -- I'm an idiot.

I ran Spybot, AdAware, Malwarebytes, and HijackThis. I scanned, rescanned, cleaned, rebooted several times, etc. I was able to get rid of everything (I think) except for KBDNET.dll. I can't "fix" it through HIJACKTHIS and when I delete it through FileAssassin, it comes right back after restart.

My HijackThis log is below. Can anyone help me to get rid of KBDNET.dll once and for all? Thank you!!

JC

====
 

Answer:KBDNET.dll Keeps Coming Back - Help!

You have gone thru the cleaning process just a few months back. You should know that you need to do the READ & RUN ME FIRST. Malware Removal Guide
 

Relevance 48.79%

I have been attacked and infected by the "your computer has been locked by the FBI" twice now. Last week I was hit by it, then just today it wiped me out during final testings for my online course work.
I need this thing GONE quick and for good. How do I remove it for good?
Is this thing snatching all my passwords and info?
I need some help and info on this ransomware virus

Answer:Ransomware keeps coming back - HELP

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

We want all our members to perform the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post/attach the logs in your next reply.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

------------------------------------------------------

If necessary, download and run the tools in Safe Mode with Networking:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, start pressing the F8 key.
In some systems, this may be the F5 key.
Instead of Windows loading as normal, a menu should appear.
Use the up arrow key to highlight Safe Mode with Networking and press 'Enter'.
Login on your usual account.
------------------------------------------------------


A Windows update called "Security Update for Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package" keeps coming back after installing it on Windows Update. I've installed it several times and the update history shows that it was successful seven times already but it's there again after reboot. Can someone give me some advice on what I should do?

Answer:Update keep coming back.

Microsoft Support addresses this issue in this article.
 
When the site opens you will see the option to use the Fix it tool, you can click on this and it will attempt to resolve the problem. Or you can close the Fix it window and use the instructions below to manually resolve the problem.


Hello--I keep running my Spyware Doctor, and every day I get a warning that I have tdlcmd.dll in my Windows/system32 file, and every day I delete it, and then the next day it's back. There's obviously something else going on here that I'm missing. Thanks very much for any help you can give me!!

Here's my Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:10 PM, on 12/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program F...


I have a file folder that I keep deleting only for it to return. It doesn't come back at regular intervals either, it may take it a few minutes or the next time I open the laptop after hibernation. Any ideas what is causing this?
 

Answer:folder keeps coming back

Welcome to Major Geeks. We really could use some information here. Please post the name of the folder, the folder's path/directory, which version of Windows you're running, etc...
Thanks!
 


I just wanted to know if I was clean or not..
 

Answer:virus kept coming back

No you are not clean yet. I need the C:\MGLogs.zip --> from running the C:\MGTools.exe.
 
