Computer Support Forum

malware removal help - removal instructions attempted

Question: malware removal help - removal instructions attempted

I posted in the software forum yesterday and was instructed to complete the malware removal steps and repost here. I have a new computer running Windows 8.1. When I say new, I mean I started having problems within a couple of hours after turning it on!

I have McAfee antivirus protection and downloaded and installed my MSOffice 2013 Home and Student. All seemed to be fine. The MSOffice was up and running and McAfee said I was protected. Suddenly and I don't remember what I was doing...it said Microsoft something (sounded like an antivirus or firewall something) had detected several problems and I needed to "clean my computer". Oh so ignorant of all that was going on with learning Windows 8.1 after using XP for years I told it to clean. Somewhere in there it suggested I do a system restore. All seemed OK until I realized MSOffice was no longer there. I tried to download it again and reload, but with no luck. It occurred to me it had something to do with the system restore so I tried to undo the restore. That of course didn't help. I'm also now getting messages from McAfee that I am covered and safe but that my firewall is turned off and needs to be turned on. However I can get McAfee to do nothing. I can open a screen, but nothing I do makes it do anything. I tried downloading their "Virtual Technician" before I started the process you recommended and it acted like it was downloading, but 20 minutes later it was still "spinning".

I have attempted to go through all the steps in the recommended malware removal process. I will attach what I saved and here are some notes of what occurred as I attempted this. Please keep in mind this is all very foreign to me and I'm struggling to even function with Windows 8.1 much less dealing with these issues. Please be patient.
- When I turned off UAC and restarted the computer, it said it was installing 40 updates!
- RogueKiller seemed to run fine...log attached
- Malwarebytes- I ran it and it apparently saved a log, I didn't know how to post it, so I exported them as txt files. Hope that works
- TDSSKiller - no threats found and I didn't see anything about saving a log.
- MGtools - I couldn't get it to download. Each time I tried, it said it downloaded, but it always showed 0 bytes and if I clicked on it, it said it couldn't run on this computer check with software owner.

I don't really know how to tell if things are working OK, but I still cannot install MSOffice (but as I understand it, that may or may not be related to this problem) and I still can't get McAfee to let me do anything. Well at least it doesn't appear to be, but since I didn't know if it was OK for me to try to turn it back on...

Now what?

So much for getting a new computer so I didn't have to worry about threats from using an unsupported XP! LOL

Patti

Answer: malware removal help - removal instructions attempted

Can you try running the tools that were not working before including Hitman, in safe mode please. Let me know how you get on.


Apologies, but I'm a bit of a novice. My computer did a scan when I started it and came up with some trojans. When I tried to delete them, a malware removal programme tried to install itself so I closed the download dialog box. Unfortunately, I cannot remember the name of the software that was trying to install itself. Please would you review my log below and help me clean my computer?

many thanks
---------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by 0 at 19:57:35.67 on 02/01/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3000.1826 [GMT 0:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows&...

Answer:attempted removal of trojans try to install "malware removal software

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
- Download DDS by sUBs from one of the following links. Save it to your desktop.
  - DDS.scr
  - DDS.pif
- Double click on the DDS icon, allow it to run.
- A small box will open, with an explanation about the tool. No input is needed, the scan is running.
- Notepad will open with the results.
- Foll...


I read and followed precisely "Vista and Win 7 Malware Removal/Cleaning Procedure"

My issue: I was informed by my ISP of the following: "Mail Log Parsed from Feb 15, 2013 19:47:04 to Feb 16, 2013 19:47:04 User sent approximately 141,801 messages to 136,591 unique recipients. There were 2598 bounces received in this period, 1 percent of the emails sent. "

I have AVG, running constantly. ISP changed my password to stop the mail. I ran AVG in safe mode. Still not sure trojan eradicated. ISP referred me to your site.

I performed all steps. I have attached all logs except TDSSKiller. While it ran clean, no apparent log was generated. All except RogueKiller found no issues. RogueKiller found as reflected in log.

Please advise if you believe my system is clean, or what further I should do. Since I haven't seemed to find anything, it's hard for me to be comfortable that it's clean.

Thank you immensely!!

Mike Sieber
 

Answer:Help with malware removal--have performed removal instructions

Welcome to Major Geeks!

mike sieber said:

I performed all steps. I have attached all logs except TDSSKiller. While it ran clean, no apparent log was generated. All except RogueKiller found no issues. RogueKiller found as reflected in log.

Not problems. It is just junk from AVG. All of your logs are clean. Many times when something like this happens, it is not an infection. It is due to a spammer/spammers getting your email login and password and they use it from other PCs to send out their spam. There are cases of infections that can cause spamming ( like some master boot record or partition infections ) but you show no signs of these.


If you are not having any other malware problems, it is time to do our final steps:
- We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
- Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
- Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
- If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
- Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to ...


MS Removal Tool is a rogue software. It restricts you from accessing your desktop. You cannot start Task Manager, and you cannot open Internet Explorer or any other programs. This situation is the result of malware (a variant of Win32/Winwebsec) that is infecting your computer.
To remove the MS Removal Tool, follow the steps below:

Boot your computer into Safe Mode.

Windows XP and Windows Vista:
- Start your computer and press and hold the F8 key.
- A Windows Advanced Options menu will appear. Use your arrow keys to scroll to Safe Mode and click the Enter key.
- Click the Start button, and then click Run.
- Type cmd then click OK. A black command prompt window will appear.

Locate the affected directories:

Windows XP:
- Type cd c:\Documents and Settings\All Users\Application Data\ and press the Enter key.
- Type dir and press the Enter key.

Windows Vista:
- Type cd c:\ProgramData\ and press the Enter key.
- Type dir and press the Enter key.
- Type c:\Users\All Users\ and press the Enter key.
- Type dir and press the Enter key.

Then:
- Scroll through the list to find directories with random names that contain 18 characters. For example: cHl08200gMhHd08200 , pJg08200fBmPl08200.
- Type rd /s /q <random name>, and then press the Enter key. Replace <random name> with the 18 character name. Repeat this step for each random name you find.
- Type reg delete hkcu\software\microsoft\windows\currentversion\runonce /v <random name> /f, and then press the Enter key. Replace <random name> with the 18 cha...


I got a virus (http://www.bleepingcomputer.com/forums/topic108871.html) and all the steps provided to me were ineffective, so I decided to go into safe mode and delete some sht myself.

Anyways, I need someone to review my HJT log and make sure I got it all, and possibly help me fix some system errors.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:28 AM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Belki...

Answer:Attempted Malware Removal

Hello RevoZ,

Welcome to Bleeping Computer

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea


Hi,
my Windows XP Pro. Sp 3 desktop Super Antivirus Checker detected a trojan and tried to remove it and then boot up in safe mode. Just after boot into SAFE mode a message appeared " No keyboard" or similar message. At the user login stage, the keyboard and mouse(PS/2) is disabled preventing any progress. The machine will boot into Windows normally with everything working but tries unauthorized port access to the internet. Re-running a virus scan with Avira or malware Bytes does not detect any problems.
Unfortunately, I have lost the trojan details, there is no log found, but I remember it was a file with the word 'Restore' at the end of the file location string.
The malware also prevents any Win XP updates and also prevents the installation of Windows defender.

Please find enclosed logs. I hope you can help with this problem, I have XP install disk if needed, thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Internet at 20:38:47 on 2011-09-01
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1358 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Table...

Answer:Malware still active after attempted removal

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

One or more of the identified infections is a backdoor trojan/rootkit.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

-------------------------------------...


Hello all,

I looked through the other threads, and my problem seemed to be slightly different.

I was infected with Allureon and TDL4.mbr. I couldn't remove them until I used this special avast tool. Well, after using it, I have the BSOD that arises every time I try to boot windows7 (32 bit) ("0x0000007B (0x80786B58, 0xC000000D, 0x00000000, 0x00000000)"). I cannot boot in safe mode. I tried the startup repair function several times, one after another, and also with restarts in between, but it always cannot repair the problem.

I have also tried several bootsector recovery commands (bootsect.exe /nt60 c: AND bootsect.exe /nt60 all). They each did not change the situation, but perhaps i used them incorrectly...

I have a windows7 upgrade kit, and one of the CDs appears to contain a "boot" folder that in theory could help me...

Basically, it is clear to me that I could use expert help to continue before i screw things up even worse ;-).

Thank you in advance!
 

Answer:Windows 7 BSOD after attempted malware removal

Welcome to Majorgeeks

So I guess you used aswMBR to reset the MBR to standard, yes?

My guess is that fixing the MBR broke the malware's ability to trigger a rootkit, Windows is still looking for it on boot but fails and errors out. Or, the rootkit/malware itself is blocking Safe Mode.

I don't think there's any easy fix except a nuke and reload. You could try to gain access via a PE CD like UBCD and use that to try to discover what's happening, fix the Registry manually, etc.

You might want to try the new anti-malware CD from MSFT, it might help, it's new so I haven't tried it out yet.
 


This is the third post trying to fix this problem:

First Post to Am I Infected Forum: http://www.bleepingcomputer.com/forums/t/601413/dchp-and-dns-issues-after-removing-trojan/#entry3907418

Second Post to Networking Forum: http://www.bleepingcomputer.com/forums/t/602425/dns-issues-after-virus-removal/page-2#entry3932653

Which leads me to here.

Quick Summary of events.

Microsoft Security Essentials warns me that computer has been infected with Trojan:Win64/Patched.AZ.gen!dll virus. I managed to remove it (or so I thought) using a combination of Spybot, and Malware Bytes, and some manual replacement of files.

After the Trojan was removed I could not connect to the internet and the DNS and DHCP services would not start. I eventually repaired those two services from starting by using the Windows 7 Install disc and running the repair console, however that still didn't fix my internet issues.

The weird part is that the computer connects to the internet just fine. I can ping Google/yahoo successfully, but when I open a web browser (IE, Firefox, Chrome) I can not connect to any websites. The other day I was surprised to see that Adobe was able to download updates to Adobe Reader without any issues. Yes, I have restarted the computer/modem/router/Switch multiple times.

FRST Log As Follows:

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:10-01-2015 01
Ran by editor (administrator) on EDITING (13-02...

Answer:Internet Blocked after Attempted Malware Removal

Greetings Belwell and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems...


Hi,
my Windows XP Pro. Sp 3 desktop Super Antivirus Checker detected a trojan and tried to remove it and then boot up in safe mode. Just after boot into SAFE mode a message appeared " No keyboard" or similar message. At the user login stage, the keyboard and mouse(PS/2) is disabled preventing any progress. The machine will boot into Windows normally with everything working but tries unauthorized port access to the internet. Re-running a virus scan with Avira or malware Bytes does not detect any problems.
Unfortunately, I have lost the trojan details, there is no log found, but I remember it was a file with the word 'Restore' at the end of the file location string.
The malware also prevents any Win XP updates and also prevents the installation of Windows defender.

Please find enclosed logs. I hope you can help with this problem, thanks.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by Internet at 20:38:47 on 2011-09-01
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1358 [GMT 1:00]
.
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Tablet\Pen\Pen_TouchService.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kodak\AiO\Center\EKAiOHostService.exe
C:\Program Files\Tablet\Pen\Pen_TouchUser.exe
C:\WINDO...

Answer:[SOLVED] Trojan/Malware operating after attempted removal

Hi, can someone (admin/moderator) move this post to virus/trojan/malware help.

Thanks.


Yesterday my computer was attacked. I had a black screen with red letters stating "Warning! Your're in danger? Your computer is infected with spyware." Also one of my icons in the lower right tray kept popping up saying "warning your computer is infected". Then I had a popup window keep coming up in the middle of my screen that said "Security monitor warning system detected a potential hazard TrasanSPM/LX". I put my computer in safe mode and ran AVG 8 and Spybot but kept getting the same. I then went through all of the steps that you have posted and it seemed to have worked, although I do have one file in add/delete directory that will not delete (My Way Search Assistant). Also, when I was following your steps, SAS would not complete the scan so I ran MBAM first and then came back to SAS and it scanned okay the second time. I would really appreciate it if you would look through my attached files to ensure that all problems have been eliminated. Thank You!
 

Answer:Followed Malware Removal Instructions

Welcome to Major Geeks!

You did not attach the requested log from MGtools. We need this to finish your cleanup.
 


Hi,

I've found the online Malware Removal document to be very helpful... however there are times when I've been at client sites where a PRINTED version of the entire document would be **very** useful. Is it possible to get a complete PDF of this, including the various pages accessed by links within the document? Thanks.
 

Answer:Malware Removal Instructions

Welcome to Major Geeks!

Sorry but no we do not make it available in PDF format. The instructions are constantly changing to keep pace with malware. The tools and links in the READ ME also change over time for the same reason. There are many many links referenced in the READ ME, and it would be a ton of work to actually get all of the webpages into PDF form and by the time we did, they would be out of date. In addition, we really have no need for this since the current online copy is always what we want people to use.
 


Hi Majorgeeks,
I made the Malware Removal/Cleaning Procedure on my computer. All came clean except for RogueKiller which found 4 issues in the registry. Can I delete them? Will this make my computer clean?
Please find attached the 5 requested logs.
Thanks a lot for your help!
Best,
indis07
 

Answer:Help - Malware Removal after following instructions

I am not finding any malware in your logs. What issues are you having?
 


I have run the malware removal instructions and went through each program, as they did remove some of the malware and virus. The issue that I am having is that when I open the computer under a separate user and try to run the malware removal programs via internet or through USB drive, I keep seeing a window which pops up asking me which program I want to use to open the program. I have run the computer under the administrator and do not seem to have problems running the malware removal steps and have attached the reports from the instructions.

Even when I try to open add or remove programs under control panel- I get the following message: "C\windoesn\system32\rundll32.exe- application not found. I am thinking that It is something to do with AVG and have removed the program with the step.

Please help....

View attachment mbam-log-2011-03-28 (17-02-07).txt
View attachment combofix log.txt
View attachment SUPERAntiSpyware Scan Log - 03-28-2011 - 16-42-24.log
View attachment hijackthis.log
 

Answer:Help with malware removal- have run malware removal instructions

ssmehta007 said:

....try to run the malware removal programs via internet or through USB drive

Specific download and installation instructions are in our R&R ME FIRST guide :
ComboFix
Running from: l:\combifix\ComboFix.exe <--- belongs on your desktop

RootRepeal
Save it to your Desktop

SAS & MBAM
Installed to the Default Location - "C:/Program Files", as we suggest that you keep them after malware removal.

MGTools.zip
Download this file to the root folder of the drive where you have installed Windows (Typically this would be C:\ and thus you would have a C:\MGtools.exe file after downloading).
Please make those corrections and attach the missing RRlog.txt (from RootRepeal) and MGlogs.zip - normally it is C:\MGlogs.zip . Please tell me any problems you still have.
 


Hi! I followed the instructions to delete malware on my computer by installing Adware, Search and Destroy, CCleaner, etc. I have attached the two log summaries. Can you take a look at them and let me know what to do. Before finding this website and the instructions, I would delete them with Windows Defender or Norton Antivirus and they would reappear after a while. Any suggestions?? Thanks again for your help!!
 

Answer:Results after following Malware removal instructions

Welcome to Majorgeeks!

You did not say what it is that you were deleting and what was returning???

Also you forgot to do step 7 of the Read & Run Me. But based on your Panda log it would appear you need to run one of the other sticky threads first before attaching a HijackThis log. Run this: SpywareQuake Removal Procedure
 


Hi,

On this particular machine, I'm running Windows 2000, SP4, with all the latest updates.

Occasionally, while browsing major news sites and reputable online stores, I'll get a short period of IE6 windows automatically opening up that contain unwanted ads. These are not the type of ads that the sites I'm browsing would want to be associated with.

I'd like to get rid of this distraction and make reasonably certain that this machine is generally clean of malware.

The only questionably sane installation I did recently was to try the MaxPCSecure's free Spyware Detector scan. I've since uninstalled that program.

The latest freeware versions of Spybot and Ad-Aware don't pick up anything unusual in this regard.

What's the link on this site to the most current generic malware removal instructions that would apply to Windows 2000? I'm thinking that I could first run through such a set of instructions to see if that would eliminate the pop-up malware.

Thanks
 

Answer:Most Current Malware Removal Instructions?

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide
Note:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
 


i am running a removal on a family member's comp.

they may have gotten a rather bad one.

occasionally it does not allow OS boot
they booted this morning and their ICQ may have tried(and partially succeeded) in nuking another comp

i followed instructions in read & run, logs are attached

i need to know if anything in the logs are dangerous and need to be removed.
 

Answer:malware removal Read Me First instructions have been followed

and their ICQ may have tried(and partially succeeded) in nuking another comp

A chat program almost nuked the machine???

Reviewing the logs now...
 


Hello,
I picked up some malware on my desktop. How, I'm not sure, as it was behaving normally, then I unplugged it to move it, tried it out in its new location (without internet access), and when I returned it to its old spot (with internet access) and started it again it was very slow, and pop-ups appeared.

I followed the instructions. Two notes:

*TDSS asked permission to reboot so it could scan more completely. I scanned it without reboot first, then with reboot.

*When I downloaded MG Tools.exe I got a message I could not save it in C drive so I saved it on my desktop and ran it from there. The zipped log appeared in the MG Tools folder and its name is not exactly the same (it's MGlogsR instead of MGlogs) as in the instructions. Now I find I can drag the exe file into my C drive (I'd wrongly assumed I would not be able to do that after downloading).

After following all the Read Me First instructions yesterday, the desktop is running at its usual speed now, but I just encountered another unusual pop-up (a shaking box warning about Java--not legit) so I don't believe my system is totally clean yet. A check of the logs would be much appreciated--Hitman Pro found several Trojans which I ignored per the instructions.

Thank you for your help,
AddyDog
 

Answer:Malware removal help - Read Me First instructions have been followed

Hello, AddyDog

Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

*Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately leaving only shortcut links. [ C:\Users\laddison\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [ApnTBMon] "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
O20 - AppInit_DLLs: c:\progra~3\perfor~1\perfor~1.dll
O23 - Service: Ask Update Service (APNMCP) - APN LLC. - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe

After clicking Fix, exit HJT.

Using "Programs & Features" uninstall: (If you do not find it or it will not uninstall, just keep going.)
Ask Toolbar
Java 7 Update 67
Shoppi... Read more


Welcome to Tech Support Forum

Virus/Trojan/Spyware Removal Help (formerly Hijackthis Log Help)

* DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF. Do not run any specialized tools that you see being used in other threads without direct supervision from one of our trained analysts. Be advised that running any specialized tools not listed in this topic, on your own, is done solely at your own risk * It is also this forum's policy that we only address users with a legal copy of Windows. If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process.

=============================

How Soon Can I Expect Help?

=============================


Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. Also please note that there are many more people in need of assistance than there are trained staff members who may assist. Patience for this free assistance is required. If there is an immediate need, please take the machine to a local technician.

If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the words "BUMP, please" to move it forward. Do NOT bump the thread unless 72 hours has passed. We try to work from oldest to newest posts so your wait will... Read more

Answer:NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.


Just wanted to let people know what happened to me, what I did to recover and to thank MajorGeeks for their helpful instructions.

Prior experience removing spyware: successfully cleared numerous people's computers a couple years ago using tips offered on MajorGeeks.com. Since moving I hadn't had a single problem in nearly 2 years.

What happened: I heard at work that Flash had a recent exploit and I should patch it. I searched on Google for "flash exploit patch" or something very close to that. I clicked one of the links that sounded promising. The website I clicked was a trap! Despite the barricade of (badly non-updated) anti-spyware I have installed I got infected badly. Antivirus XP 2008, Blue eff-with-you background and screensaver, redirecting browser pages, the whole works.

My initial ill-advised attempt to fix it: I updated Adware (sp?) from Lavasoft and ran it. It found all kinds of problems and "fixed" them. And it would work. For about 5 minutes. Then the BS would just re-install itself and take over again. I figured, we'll just go ahead and restart in safe mode and clean up everything. EEEEEET. That was only temporary too.

How MajorGeeks helped: I ran home to mommy (MajorGeeks forum). CCleanered myself, Updated Java and got rid of the old versions, followed all the instructions. This SEEMED to work. It definitely got rid of everything except the browser redirection. I kept hesitating about posting the logs, but if I had... Read more

Answer:Malware instructions followed 100%, removal not initially 100% (details).

Welcome to Major Geeks!

We are happy to hear it helped you.


Now we need to cleanup some items from running ComboFix.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.




REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


If you are not having any other malware problems, it is time to do our final steps:
You can uninstall SUPERAntiSpyware now.
We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed Com... Read more


Hello,

I recently got infected with Malware Defense. I went to the following link:
http://www.bleepingcomputer.com/virus-remo...malware-defense

Followed the instructions, and it did stop all of the popups. Unfortunately, I cannot install any antivirus or run antimalware software. I double click the icons but nothing comes up. Also, my internet explorer window will randomly close for no reason. I ran DrWeb CureIt in safe mode but it didn't identify or fix anything.

Do you have any suggestions?

Thanks for your time

Answer:Had Malware Defense, followed removal instructions, still have issues

Okay, as I follow-up, I followed removal instructions again and ran Malwarebyte's Anti Malware. It had 5 objects infected. Upon restart my computer locked up when I clicked run for the MBAM prompt. Here is the log:

Malwarebytes' Anti-Malware 1.43
Database version: 3502
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/6/2010 7:16:12 PM
mbam-log-2010-01-06 (19-16-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184387
Time elapsed: 27 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTbrsbpfukie.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTbrsbpfukie.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\P... Read more


HELLO. I NEED TO GET HELP WITH PC ISSUES. ATTACHED ARE ALL THE LOGS THAT WERE SPECIFIED IN THE INSTRUCTIONS. I DO HAVE ACCESS TO A BOOT DISK/INSTALL DISK FOR MY SYSTEM. PLEASE HELP!!!!



DDS (Ver_10-03-17.01) - NTFSx86
Run by jason.bartram at 8:17:30.33 on Thu 03/25/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1551 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jason.bartram\Local Settings\Temporary Internet Files\Content.IE5\7KAKFFY0\dds[1].pif

============== Pseudo HJT Report ===============

uSearch Bar =
uStart Page = hxxp://google.com/
BHO: Adobe PDF Reader Li... Read more

Answer:HELP! RE:NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help (HELP)

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I see no sign of infection in your logs. What issues are you experiencing?

------------------------------------------------------


I believe I still have a root kit or something else. I can't connect to wireless, and if it helps, the big problems began when I downloaded a media codecs file and AVG from the CNET website. Neither file worked at all and the C:\$AVG file keeps returning no matter how many times I delete it. Also, after I downloaded AVG and was trying to run it, my Comodo firewall went nuts and was allowing everything. And I keep blue screening when I start sorting through files.

I followed the instructions to, "The NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help" And here are the Logs...



.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 19:53:39 on 2011-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.493 [GMT -6:00]
.
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report =============== ... Read more

Answer:RE:NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Hi,

Please do the following:
Please download aswMBR.exe and save it to your desktop.
Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.


Hello,

Sorry for the length of this post, but I try to describe in detail what I've done. I have used the instructions in the "READ & RUN ME FIRST. Malware Removal Guide".

The reason I have done this is, because Avast On access scanner periodically alerted me to trojans in the temporary internet folder for the past two weeks. I instruct Avast to delete these files but the messages always come back a short while later. Two days ago it started alerting me of blocking access to a malicious site (the url for this site is garbled and ends in .cn). This message would pop up every 5 to 10 seconds. So I attempted to remove the malware on the pc with the help of the instructions of this forum yesterday night.

I am not sure where the trojan/malware originated from, as I am not the only user of this computer (my parents also use it). Around the time that the problems started, I visited a reputable (or so I thought) job site (engineeringcareers.co.za) - upon visiting Avast alerted me to a trojan attempting to download and gave me the option to block the connection to the site, so I did so.

Now, on to how I followed the instructions in your guide and the problems that I encountered:

I followed all the instructions to the letter, up to and including the Malwarebytes' Anti-Malware. Super antispyware had to be renamed to SAS.exe to run, as the explorer window crashed if I tried to run it normally. After MBAM finished, I could not connect to the interne... Read more

Answer:following malware removal instructions - MGTools not working

Hello again,

Here are the combofix and rootrepeal logs I intended to post. I wanted to post them directly after my earlier post, but real life interfered in the time between posting and my post showing up in the forum. This will probably be seen as a bump, but oh well - so far it looks like my problems are sorted out, so far Avast has not given me any more alerts to trojans/rootkits.

Thanks again,

Z.
 


Over at the Software forum (see my thread "suddenly lost an application; plus, can't download anything" at http://forums.majorgeeks.com/showthread.php?t=286066), Administrator DavidGP recommended I follow the instructions in the Malware Removal Guide and then start a new thread here in the Malware Forum.

But I have to ask three questions before I can follow those instructions. I'm sorry if I'm posting these questions in the wrong forum, but I asked the first two of these questions over at the Software forum, but didn't get a response.

A little background: My brother's computer runs Windows 7 Professional with Service Pack 1, and Mozilla Firefox 29.0.1. His current security software is StopZilla AVM 2013 (product version: 6.0.0.0, file version 6.0.3.61), and of course Windows Defender and Windows Firewall.

Question 1:

Both StopZilla and Windows Defender run real-time protection, but somehow don't collide with each other.

Nonetheless, I guess I'll have to uninstall StopZilla in order to run the programs referenced in the Malware Removal Guide, rather than just disable it, right?

(Incidentally, full scans done by both StopZilla and Defender found no threat.)

Question 2:

Step 4 of MajorGeeks' Malware Removal Guide says to disable any disk emulation software.

I don't know anything about disk emulation software, but I can tell you this:

My brother was running the now mysteriously disappeared prog... Read more

Answer:questions before following instructions in the Malware Removal Guide

"Nonetheless, I guess I'll have to uninstall StopZilla in order to run the programs referenced in the Malware Removal Guide, rather than just disable it, right?"

I wouldn't actually ever recommend anyone use Stopzilla. There are FAR more superior products out there.





"Is VirtualBox disk emulation software? If so, I can disable it with DeFogger."

Yes you should be able to.





"Someone told me they thought it might not be a good idea to disable disk emulation software before running diagnostic software because the malware might be on an emulated drive. Any comments on this?"

You should always disable disk emulation software before beginning our procedures, this link explains why: http://www.bleepingcomputer.com/for...lation-when-receiving-malware-removal-advice/
 


Please find attached the logs from the scans in the Windows XP Cleaning Procedures. I followed the Cleaning Procedures but still have a problem. The problems can be pinpointed to yesterday when I surfed to a web site without having an up-to-date Anti-Virus definition files. Before I knew it, I had an infected machine.
There seems to be 2 problems.

(1) After restarting the computer, Windows File Protection gives following message.

Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Profession CD2 now.

I have Dell OEM Windows XP Media Center 2005 installed on my Dell Dimension 5150/E510. Problem is, Dell has a Windows XP re-installation CD but Dell states there is no 'CD2'.

(2) I keep getting pop ups every time Internet Explorer is open. The pop ups occur on their own.

Hopeful you can help me to fix the problem. :confused
Thanks,
Ankur

p.s. Please note, the AVG Anti-spyware log is not attached because it was not generated by the tool. I scanned my computer using Trend Micro (after updating virus definition files) and I can provide the logs if you need.
 

Answer:Malware problem not fixed with Malware Removal instructions

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_03

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O2 - BHO: (no name) - {3F7BDD0B-0462-4F19-8B87-54D83601B87C} - C:\WINDOWS\system32\mlljg.dll
O2 - BHO: (no name) - {B8AFD866-6B8B-490E-DA2E-39E671810F96} - C:\WINDOWS\system32\mknamps.dll (file missing)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop
Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the Quote box below, and paste it in the box that opens:




Files to delete:
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\mlljg.exe
C:\WINDOWS\system3... Read more


The latest: Removal Tool from Symantec:

http:[email protected]html
EDIT:
PLEASE NOTE: Since Symantec did a major change on how to handle this worm from their first instructions, (and my first post) I have totally modified this post, as of 0326 EDT Sept 20, 2003, to reflect those changes. This should avoid the problem that Alison had and was most likely the reason for Symantec's change.

You have been bitten by the latest worm, [email protected], and want to know what to do and how to get rid of it.

We here at TSG want to make that process easier for you.

The following is a short(er) version of what can be found at Symantec's site.
http:[email protected]

Please go to the above link and read and understand about the Swen worm first, then return and follow the short version.

Removal Instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).

How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP

2. Modify the association for Registration Entries ( .reg files).
3. Create a repair.reg file on Desktop, double-click on repair.reg file to fix association settings for other file types.
4. Update the virus definitions.

5. Do one of the following:
a. Windows 95/98/Me: Restart the computer in Safe mode.
b. Windows NT/2000/XP: End the Trojan process.
6. ... Read more

Answer:[email protected] Worm Removal instructions + New Removal Tool


Here is the issue I was having prior to the "read me first" steps:

1) Search engine redirect: where I search for something via Google, Bing, or Yahoo and when I click on the results it sends me to some unrelated website

Here are the issues I am having after "read me first" steps:

1) Search engine redirect: where I search for something via Google, Bing, or Yahoo and when I click on the results it sends me to some unrelated website

2) I am having trouble opening file folders. I get an error message that Windows has stopped working and then it searches for a solution and shuts down. I cannot even open up the file folder.

3) When I right click a file or folder, a windows installer window appears and attempts to either download something or install something. It seems to have something to do with Adobe.

I have no clue what all these logs mean. I just followed the steps and retrieved these logs.


View attachment combofix log.txt



View attachment 140457



View attachment defogger_disable.log



View attachment hijackthis.log



View attachment mbam-log-2010-07-02 (03-36-52).txt

 

Answer:Malware Removal Instructions Complete... Problems still exist

View attachment MGlogs.zip



View attachment RRlog.txt
 


Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore we strongly encourage you to read this thread before deciding what course of action to take regarding your infection.

If after reading the above you wish to clean your system, please follow the steps below and create new topic HERE

NOTE: This thread is a work in progress. As malware evolves, so must the programs that find the bad entries and remove them. Thanks to all the members who have kept this progress going.

These steps are NOT meant to be a ONE-STOP-FIX-ALL.
If your computer cannot stay running, as in it either cannot boot, or, it is automatically restarting after a certain amount of time, then just start a new thread and ask for help.
They only serve to help you produce some logs, so we can see if your system needs further attention and cleaning.
Please make sure to complete ALL the steps in this thread, in the order that they are listed BEFORE you post the requested log files.
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it into a couple of replies.
Please run all scans in Normal Mode unless instructed otherwise. If you are not able to access Normal mode, please let us know.
Do NOT perform a System Restore while we are cleaning, as this can reinfect the system.
Please stay with your thread. We usually mark your thread inactive after five days, to help maintain the list of active topics... Read more

Answer:UPDATED 4-Step Viruses/Spyware/Malware Removal Preliminary Instructions

Instructions have been shortened and updated for future convenience towards users as well as helpers.
Credits to originator, Blind Dragon, and a few others, namely - kimsland, xxdanielxx, CCT, and Bobbye for their input.
 


This is what I came up with:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:31-08-2015
Ran by Intel (administrator) on INTEL-PC (01-09-2015 12:30:20)
Running from C:\Users\Intel\Desktop
Loaded Profiles: Intel (Available Profiles: Intel)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Wacom Technology, Corp.) C:\Program Files\Tablet\Pen\WTabletServiceCon.exe
(Teruten) C:\Windows\System32\FsUsbExService.Exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
(NVIDIA Corporation) C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe
(Hewlett-Packard) C:\Program Files\HP\HP Software Update\hpwuschd2.exe
() C:\Program Files\Bamboo Dock\BambooCore.exe
(Akamai Technologies, Inc.) C:\Users\Intel\AppData\Local\Akamai\netsess... Read more

Answer:Followed the UPDATED 4-Step Viruses/Spyware/Malware Removal Preliminary Instructions

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-09-01 12:29 - 2015-01-02 14:57 - 00000000 ____D C:\Windows\system32\vbox
2015-09-01 12:15 - 2014-08-25 11:37 - 01996509 _____ C:\Windows\WindowsUpdate.log
2015-09-01 12:11 - 2015-07-31 16:24 - 00065536 _____ C:\Windows\system32\Ikeext.etl
2015-09-01 12:11 - 2015-06-17 09:07 - 00036937 _____ C:\Windows\setupact.log
2015-09-01 12:11 - 2012-12-05 19:32 - 00000000 ____D C:\Users\Intel\AppData\Roaming\Skype
2015-09-01 12:10 - 2014-08-25 14:00 - 01129030 _____ C:\Windows\PFRO.log
2015-09-01 12:10 - 2012-11-18 23:06 - 00000000 ____D C:\ProgramData\NVIDIA
2015-09-01 12:10 - 2009-07-14 07:53 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-09-01 12:10 - 2009-07-14 07:33 - 00433760 _____ C:\Windows\system32\FNTCACHE.DAT
2015-09-01 12:09 - 2009-07-14 07:34 - 00030848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-09-01 12:09 - 2009-07-14 07:34 - 00030848 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-09-01 12:08 - 2012-10-15 19:50 - 00000000 ____D C:\Users\Intel\AppData\Local\Deployment
2015-09-01 12:08 - 2012-10-15 19:50 - 00000000 ____D C:\Program Files\Google
2015-09-01 12:01 - 2012-10-15 14:01 - 00116056 _____ C:\Users\Intel\AppData\Local\GDIPFONTCACHEV1.DAT
2015-09-01 12:00 - 2012-11-04 16:24 - 00000000 ____D C:\User... Read more


Apple has finally accepted that there is a malware problem affecting many of its customers and plans to stop it with an upcoming system update.

The problems began earlier this month with a black hat search engine optimization campaign launched by scareware distributors on Google Images.

Such campaigns are common and one can pretty much expect to find rogue links among the top search results for all hot topics at any given time.

However, this time it was different because the cyber crooks also targeted Mac OS X users via a piece of scareware called Mac Defender that was specifically designed for Apple's platform.

Scareware, or rogueware, are terms that refer to fake applications that trick victims into paying for licenses in order to fix fictitious problems on their computer, usually malware infections.

Ironically, for a user base that largely doesn't trust antivirus programs and believes that Macs are malware-free, a lot of people ended up installing Mac Defender.

By extrapolating from tech support call figures related to this issue, ZDNet recently estimated that between 60,000 and 125,000 Mac users were affected by this piece of scareware.

What's worse, Apple apparently prevented its tech support operators from telling users how to remove the malicious program on their own.

However, after the issue got significant press coverage Apple published a knowledge base article of its own, which includes manual removal instructions.

The company makes some mist... Read more

Answer:Apple Late to Anti-Malware Party, Issues Alert and Removal Instructions

Good to see that they are taking action, since malware is now appearing quite a bit more on Macs.
 


Hello, a friend has dropped off a broken Windows XP computer with me for repair. They followed this guide, http://www.bleepingcomputer.com/virus-remo...-security-suite, section 'automated removal', and now the PC bluescreens on both normal and safe mode. Looking for guidance as to what they might have broken. Thoughts? The BSOD is a stop c000021a - windows logon process system process terminated unexpectedly with a status of 0xc00000005 (0x00000000 0x00000000).

Answer:BSOD after following "automated removal instructions for security suite using malwarebytes anti-malware guide

Hi.

The majority of references I see for this...are for Win 2K. XP users who have this error...don't really seem to get a resolution of any sort that I can see.

From looking at the Win 2K references, I'd say that the registry is jumbled. A repair install effort would be worth a try...but I suspect that a clean install will be the ultimate resolution.

Some Google Links.

Louis


I am not sure what the current issue is, but I am thinking there is still some remnants of the FBI ransomware. I would like to use your expertise to help solve/resolve this problem.

There are no logs attached as I cannot even boot up.
 

Answer:Malware Removal Attempted: Kaspersky Database Update Failure - "Databases Corrupted"

Hi, what is the version of your system?
 


Staff Advisory: This post needs to remain here until one of the malware team advise that it can be moved. This member cannot access our malware forums due to their infection. ~ Animal

------------------------------------------------------

Hello, I got some help from some nice people in the live chat. I have made a log with your hijackprogram and am posting it at the bottom. It created two .txt files so there are two reports. I am unable to open ANY link that has the words anti-spyware anywhere on the page or in the address bar so unfortunately I cannot post this in the malware removal forum because the internet window closes every time. I am in dire need of some help! I have a subscription to spy sweeper and it is keeping things out but I was infected with Antivirus xp 2008 and possibly some viruses because the computer was un-protected for about a month while I was in the hospital. I run with Windows XP and a wireless connection. If someone could take the time to look at this for me I would be so incredibly thankful! I offer my services as a photographer/graphic artist/professional gift shopper/myspace designer/beginner web designer. You can see what I do at www.perfectionpictures.com and contact me if you need anything at all!

Current Symptoms (in the order of appearance)

Random Total system crash then restart then blue screen then back to windows. msvcp71.exe is missing so a program is being prevented ... Read more

Answer:Antivirus Xp 2008 Removal Help/am I Infected? Can't Open Malware Removal Forum

Hi & welcome,

I would like to try a couple things before we go much further so I have a bit better picture of what is happening and can take the needed cautions.

1.) click start> run> type msconfig and hit enter.
click "boot.ini" tab
Checkmark /bootlog
Click "apply" and "close"
Reboot when asked
Locate and delete this file:
C:\windows\ntbtlog.txt (in case your extensions don't show it looks like a notepad)
Reboot
Locate & post:
C:\windows\ntbtlog.txt

2.) Click start> run> type: cmd.exe and hit enter.
type the following commands exactly as you see em & hit enter after each one:
cd c:\windows\system32
dir userinit.exe
Note the file size please & report that back to me. Leave cmd open a sec.
Back at the cmd window...
Type:
cd dllcache
dir userinit.exe
dir spoolsv.exe
Note file sizes & report that back to me.
Type exit in the CMD window & hit enter. (this closes it)

3.) Can you see also if you can get this program installed please:
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Save file> run it> follow prompts to install excepting defaults.
Allow it to "launch" hijackthis.
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad
Go to Edit, Select All and then Edit, Paste to paste the contents of the log here

Let me know if you had any problems with the above please.

I advise keeping the system offline as much as possib... Read more

3 more replies
Relevance 79.13%

Hi, I'm new to this forum. Like many others, unfortunately my first post is regarding trojan removal.

I've d/loaded the DDS tool and pasted the DDS.txt below.

Being a proactive guy, and before finding this site, I attempted to remove the trojan - but with limited success. Here's a summary of what happened:

AVG Free started to detect Generic14.DYJ, whenever I started IE or Firefox. Both would randomly redirect webpages.
No amount of healing as Power User helped, neither did full scans in normal or safe mode
Read some help pages and downloaded Malwarebytes Anti-Malware, which wouldn't run
Neither would HijackThis
Neither would the Microsoft's Malicious Software Removal Tool
PC Tools Spyware Doctor was the only thing that worked, but was also unsuccessful in removing the trojan
So I read something where someone cleared it using Avenger.exe. I downloaded this and changed the details (long strings of letters in the dodgy filenames) to match mine, and it kind of worked (see Log2.txt). There were no more (or considerably less) AVG warnings, but the PC still locks up during random things. This can happen in any given webpage, whilst opening window explorer or when simply copying files to a memory stick. So I'm worried that something is still lingering... I appreciate what I've done isn't the correct procedure, but you learn from your mistakes right?

Hope someone can help.

Here is the DDS log...

DDS (Ver_09-06-26.01) - NTFSx86
Run by Andrew at 18:57:46.71 on 27/07/2009
I... Read more

Answer:Generic14.DYJ, attempted removal

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

3 more replies
Relevance 78.31%

I found the instructions to remove Security Tool here. I downloaded the program rkill.com, but it's not working. The black window just pops up and then in a flash, it's gone. It seems as if Security Tool is shooting it down. All the icons on my desktop are completely gone, I can't right click on my desktop to refresh, it's all disappeared. Every new program I try to install to delete this, they close in less than a second. And then a pop up "warning" from Security Tool comes up. I leave it there and everything, but it still closes itself. Nothing is working! Help, please!

Edit:
This is a Sony Vaio laptop with Windows 7. I currently have AVG Free as my anti-virus software.

2nd Edit:
The black window does indeed pop up. This time it closed in 2 seconds (give or take). I then tried to use the Malwarebytes software, but it wouldn't open. So I'm guessing that rkill did not fully do its job when it closed.

3rd Edit:
I have not "activated" it. I did not enter any credit card information, but it is, in a way, installed onto my computer.

Answer:Attempted Removal of Security Tool

Did you try all of the different links?
It may take several times to get it to work
Also run this scan

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

1 more replies
Relevance 78.31%

Hi. I have recently been effected (and infected) by the above trojan (Win32:Trojan-gen {VB}) and attempted to remove it. HJT log is posted below. Was wondering if someone could take a quick look and make sure there's nothing there that shouldn't be? Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 17:44:40, on 20/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart... Read more

Answer:Hjt Log After Attempted Removal Of Win32:trojan-gen {vb}

Hi sharko, If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you. A new version of HijackThis has now been released, so before you repost your log please download and install the new version by following the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log. Thanks for your patience!

5 more replies
Relevance 78.31%

Hi,

I have tried many ways to get rid of some Malware that has only recently infected my PC. I hope someone can help me as this is my work PC and I need to plug back into my office network in a few days, but think this would be a bad idea at the moment.

The problem first showed itself by insisting I had many viruses etc, and I should install Internet Security 2010. I have installed Malware Bytes removal tool, and installed as instructed. It found the above, said it was removed, but still it appears to exist, although the name of the infection has changed a few times, and is currently redirecting my browser to a similar page to the above malware. A popup now shows that I should install Cyber Security to remove the infections. This is obviously another malicious antivirus/malware program.

I have McAfee Enterprise installed (which I can't seem to disable)

I have also run SuperAntiSpywarePlus, which did the trick removing a similar problem about a year ago on a different PC. However, although this program also finds problems, and supposedly removes them, the problem is still there.

Please help. I have shown Hijackthis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:42 PM, on 29/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\... Read more

Answer:Cyber Security removal; Malware removal not working

Hi,

I have tried everything I know of to remove this pesky piece of malware. It seems to keep changing names, starting out as Internet Security 2010, and redirecting me on a google search to a webpage trying to convince I was riddled with viruii and malware, and then trying to sell me their software, which is really just a scam. I ended up here after a few days of tearing my hair out, almost beaten. I went through the tutorials, but unfortunately that was before I fired off a post in desperation. Please delete my previous post, as I have now followed the suggested path, and run the utilities to help diagnose my problems. The resulting files are attached.

Please help. I hope the files uploaded can provide an insight into what's happening.

Apologies for jumping right in and posting a Hijackthis log before I had read the tutorials.

ntents below
DDS.txt contents pasted below

DDS (Ver_09-12-01.01) - NTFSx86
Run by Greg.Middleton at 15:30:23.26 on Tue 29/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.3063.2330 [GMT 9.5:30]
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
C:\windows\Syst... Read more

3 more replies
Relevance 77.49%

Hi there. I ran ComboFix to remove a virus on my laptop and it found rootkit activity. It stated that it needed to reboot but has not been able to successfully get past the Windows loading screen since.

I have gone into the Recovery Console and tried going into cd erdnt\hiv-backup and then performed the command batch erdnt.con but it still comes back with a BSOD when I set it to "Disable Automatic Restart on System Failure". dir c:\qoobox\quarantine\c shows DelUS.bat.vir but it was from 10/10/08 and this problem occurred on 2/13/10

BSOD stop code is 0x0000007B

Can anyone help me with this? Thank you

Answer:PC reboots after combofix attempted rootkit removal

Hi,

We need to create an OTL Report

Please download OTLPE-ISO from one of these locations:
http://oldtimer.geekstogo.com/OTLPE.iso
http://ottools.noahdfear.net/OTLPE.iso
Save it to the desktop of a functional computer.

Download BurnCDCC
http://www.hiren.info/download/freeware/BurnCDCC.zip
Unzip and run BurnCDCC
Select "Browse" and choose the OTLPE ISO
Check "Read verify", "Finalize" and "Auto eject"
Choose 32x speed and press "Start"

After you have successfully burned the OTLPE ISO to disc you will need to transfer the disc to the CD drive of your sick computer and boot from it. Insert the CD-ROM into the CD-ROM drive, and then restart the computer.

If your PC is not booting from the CD, you need to change the boot order:
Restart your PC
As soon as you get an image, press the Setup key. This is usually F2, or Del. On some machines the key can also be a different one. It should, however, be stated on the screen which key is the setup key.
Once you enter the computer's BIOS, use the arrow keys and tab key to move between elements. Press enter to select an item to change.
Navigate to the tab, where you can set the boot order. It should be called Boot or Boot order
The tab should now show your current boot order.
If the CD-drive is not at the top, please navigate to the CD-Rom drive with the keys arrows. Then move it to the top of the list. The keys for switching boot position are usually + to move up and - to move down. However they can be ... Read more

46 more replies
Relevance 76.67%

Since the ComboFix will not run on Vista or Windows 7 64-bit, I have to look for new malware/virus removal apps... It was good while it lasted. So what tools do people use for Vista these days when the computer says: "WARNING! YOURS COMPUTER IS AN INFECTED BY HARMFUL VIRUS!!!!"

Answer:64-Bit Virus Removal & Malware Removal Tools?

64-bit Anti-Virus:
List of 64-bit Anti-Virus For Vista
Anti-virus protection in 64-bit environments

Free Anti-virus:
avast! Free Antivirus
Avira AntiVir Personal - Free Antivirus
AVG Anti-Virus Free Edition 8.5
Microsoft Security Essentials
Panda Cloud Antivirus
Kingsoft Free Antivirus (Cloud Scan)

Paid for Anti-virus:
NOD32 Anti-Virus Personal
McAfee AntiVirus Plus
Trend Micro AntiVirus plus AntiSpyware
Norman Antivirus & Antispyware
CA Anti-Virus Plus Anti-Spyware

64-bit Anti-Malware tools:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Kaspersky Virus Removal Tool - How to install and use documentation
Spyware Terminator
Windows Defender (64-bit)
Prevx
Spybot S&D
Ad-Aware
Norman Malware Cleaner
Sunbelt Counterspy (free Trial)
Comodo BOClean Anti-Malware
Sophos Anti-rootkit
SanityCheck Advanced Rootkit and Malware Detector
ESET Online Antivirus Scanner
ESET SysInspector
AnVir Task Manager Free
WinPatrol

Start with these:
How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer
How to use SUPERAntiSpyware to scan and remove malware from your computer

3 more replies
Relevance 76.67%

Hello!
In reading more of these threads I can see I'm not the only one with the iexplore issue.
Glad to know it can be corrected!!!!

I have multiple pop-ups and my computer is as slow as dirt.
When I get home at 3:30 Calif time I will do the HJTInstall.exe thing and post the results.
Would the results of one that was done two days ago help? Yes I was having the issue then and another company did one and told me to email it to someone, which I did but I haven't heard anything back and my computer is close to useless at this point.
Can MFDnNC or anyone else help?
Thanks!!!!
Ginny
 

Answer:malware removal/popup/iexplore removal

16 more replies
Relevance 76.67%

Hi, my new laptop was infected with "Antivirus System Pro" fake anti-spyware. After following instructions from a co-worker, I attempted to remove using Malwarebytes, r-kill, and Hijack This...I also ran a registry cleaner. Although Antivirus system Pro seems to be gone...my laptop has slowed to a crawl...especially when downloading email (Thunderbird) or browsing the internet (Firefox).

System specs: Windows 7 64 bit / Intel Core i3 M440 3.13 GHz
Antivirus: Spyware Doctor w/Antivirus

Thanks for any help you can give!

Here is DDS.txt:
DDS (Ver_10-10-21.02) - NTFS_AMD64
Run by colleen at 6:41:38.00 on Wed 10/27/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_11
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3767.2027 [GMT -4:00]
============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Amazon\Amazon Unbox Video\ADVWindowsClientService.exe
C:\Program Files (x86)\PC Tools Security\BDT\BDTUpdateService.exe
C:\Progr... Read more

Answer:New laptop slowed to a halt after attempted virus removal :(

BUMP, please

1 more replies
Relevance 76.67%

Hi, I am having trouble getting my computer back to running correctly after I had encountered a pretty bad virus of sorts. I am constantly getting random pop-ups in IE and my entire system is super slow. I have ran Malwarebytes and Superantispyware and seem to have gotten rid of most of the virus. Windows update will not run, I get an error message saying the service is not running, the service is not present in services.msc. I'm still in need of professional help. Thanks in advance.

Answer:windows update not running after attempted virus removal

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*************************************************************************

Please download AdwCleaner by Xplode onto your Desktop.
Double click on AdwCleaner.exe to run the tool.
Click on Search.
A l... Read more

5 more replies
Relevance 76.67%

Heya!

The other night I removed (or at least tried to) a virus from my computer. All seemed well until I went to start up my computer the next morning and received the dreaded blue screen with the error: STOP: C0000135 The program can't start because %hs is missing. I've been googling around to see if I can resolve the issue and initially I thought I might have found the fix at the following link: http://blog.crosbydrive.com/?p=245 but it turns out I didn't need to edit anything in the registry. My next attempt to fix the issue was to run Farbar Recovery Scan Tool (x64) ...now I'm stuck and could really use assistance. I have the Farbar log, I'll post it below

Thanks in advance!
Scan result of Farbar Recovery Scan Tool Version: 15-03-2012
Ran by SYSTEM at 01-04-2012 13:55:30
Running from F:\
Windows 7 Ultimate (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s [11860072 2011-06-08] (Realtek Semiconductor)
HKLM\...\Run: [AdobeAAMUpdater-1.0] "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [499608 2011-03-30] (Adobe Systems Incorporated)
HKLM\...\Run: [npawmp] rundll32.exe "C:\Users\Brianne\AppData\Local\Temp ... Read more

Answer:receiving STOP C0000135 - attempted virus removal

SubSystems: [Windows] ==> ZeroAccess

This can be easily fixed. Let me ask someone to assist you

good luck

25 more replies
Relevance 76.67%

Hello, I would like to first of all thank anyone who is willing to help me. In the past 4-5 weeks there has been some malware on my computer causing things like: Random IE pop-ups, random audio Ads and automatically changing of volume. Recently I have noticed that the IE window pop ups have ceased whilst the ads and volume changing has continued. Previous attempts at removal has failed with GMER giving me a BSOD or freezing the program.

Possible relevant information:

-using windows xp
-using mozilla firefox as my browser
-using AVG-anti virus

Any help would be much appreciated
 

Answer:Random Audio Ads playing on my computer (2nd attempted removal)

Hi, stompydon

Welcome.

Please download and run Rkill by Grinler from any of the following locations (Vista and Win7: to run the application, right click on Rkill and choose Run as an Administrator):

rkill.exe
rkill.com
rkill.scr
rkill.pif

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after runn... Read more

1 more replies
Relevance 76.67%
Answer:No internet access following attempted removal of Optimiser Pro and Reimage

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit forum several times at day, making sure to respond to everyon... Read more

6 more replies
Relevance 76.67%

Hello all,

First, as the name suggests I am a complete technophobe so apologies in advance for the stupid and/or dense nature of my questions and enquiries.

Second, thanks to whoever takes the time to have a look at this for me, very much appreciated.

So, recently I decided I wanted to remove Doubleclick and other spy/malware from my laptop. I was advised to download Spybot Search and Destroy and let it get to work. I did so and ran the program a couple of times, making the fixes and deletions it recommended.

Around this time, the computer started acting strangely when I was attempting to use the internet. Speed of accessing sites is incredibly slow and some sites it won't load at all. On Firefox, when I click off one tab onto another, then return to the original tab, nine times out of ten that tab will now be blank. Sites that used to be very quick to use are now painfully slow, others I cannot access or just get the loading symbol infinitely.

So I uninstalled Spybot Search and Destroy and now if anything performance has deteriorated further. Very confused. I am blaming this program because I cannot think of anything else I have downloaded recently that may have caused an upset to my computer's system.

I have browsed these forums but saw that the fixes and solutions offered are done so subjectively based on the logfile of the individual, so I have prepared one here; again, my thanks in advance:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 21:20:48,... Read more

Answer:Firefox/IE etc behaving strangely following attempted spyware removal

Sites that won't load include Tweetdeck.com and Tweetedeck the application, which I was using fine until now, plus several forums that I use regularly are now going slooooooooooow to the point that they are basically unusable.

Tried system restore this morning and ran CC Cleaner; no effect on internet performance whatsoever.

Please help!
 

1 more replies
Relevance 76.67%

I have completed the Malware Removal Guide, ran CCCleaner, CounterSpy, BitDefender, PandaActiveScan, GetRunKey, ShowNew, Hijackthis. I just need to know if I have cleaned this computer. Can you tell by looking at my logs?? I will attach the other files on another post.

Thanks!
 

Answer:Followed the removal instructions, what's next?

Additional files to my previous post.
 

4 more replies
Relevance 76.67%

I followed the instructions on this website (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010) and everything progressed very normally. When I was done with the malwarebytes scan and removed all of the infected files Malwarebytes asked me to restart my computer to apply the changes so I said yes. That was the last time my computer worked. Now during the boot screen I get the blue screen of death. I don't have the Windows Vista Install disk to repair the computer (the version is home premium and all I had was ultimate). When I tried the ultimate version of windows vista cd to boot and repair from, it found a problem but couldn't fix it.

Looking at the log the root cause was unknown bugcheck called bugcheck7e and the window repair failed because of the error code 0x490

I really don't know if that information helps but I hope it does.

I think what I am looking for is maybe an ISO of Windows Vista home premium because maybe the different versions caused my windows repair to fail but I could really use some help

Answer:BSD after following removal instructions

Hello,

OK this file is big

Print these instruction out so that you know what you are doing

Two programs to download

First
ISOBurner this will allow you to burn OTLPE ISO to a cd and make it bootable. Just install the program, from there on in it is fairly automatic. Instructions

Second
Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
When downloaded double click and this will then open ISOBurner to burn the file to CD
Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
Your system should now display a REATOGO-X-PE desktop.
Double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start. Change the following settings
Change Drivers to Use Safelist
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive if you do not have internet connection on this system
Please post the contents of the OTL.txt file in your reply.

2 more replies
Relevance 75.85%

Dear forum pros,
 
My Dell laptop running Windows XP was recently hit with a ransomware virus - the kind that locks the whole machine and won't allow you to boot to safe mode. My internet research led me to try to repair my machine by running Kaspersky Rescue Disk from a USB. I did this (apparently) successfully by letting the Kaspersky scan everything that was an option (including ticking the check box next to the C: drive) and then after the scan was complete and files had been moved to quarantine I restarted my computer.
 
This is where I ran into problems.  Booting without the USB now yields a black screen that says "Missing operating system".  If I reboot to the Kaspersky USB again I have the same choices to scan and repair but notice that this time the C: drive does not appear in the list of items that can be scanned.
 
If you can provide any ideas as to how I can recover from this I would appreciate it.  Unfortunately I don't have the original Windows disks because the laptop was a work-provided machine that I purchased when I left my last job.
 
With thanks in advance,
 
Phil

Answer:Missing OS after attempted removal of ransomware using Kaspersky Rescue Disk

Hi Phil,
 
do you have a log file from your run with the Kaspersky Rescue Disk that shows what was found and deleted? If yes, please post it up.
Did you change back the boot order in BIOS so that the hard drive has first priority? Are all USB sticks and other flash drives disconnected from your computer when you try to boot into Windows?

6 more replies
Relevance 75.85%

Hi all. It seems i have the epxonwo toolbar infection on my computer (pretty sure I got it after installing a video codec I obviously shouldn't have installed).

I've followed the 5 steps and here are my logs.

Deckard's System Scanner v20071014.68
Run by Jono on 2008-01-13 04:13:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
66: 2008-01-12 20:13:45 UTC - RP343 - Deckard's System Scanner Restore Point
65: 2008-01-12 19:18:40 UTC - RP342 - Software Distribution Service 3.0
64: 2008-01-12 13:24:12 UTC - RP341 - System Checkpoint
63: 2008-01-10 02:20:20 UTC - RP340 - Restore Operation
62: 2008-01-10 02:13:44 UTC - RP339 - Restore Operation


-- First Restore Point --
1: 2007-10-15 18:25:34 UTC - RP278 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jono.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:46 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS... Read more

Answer:Attempted epxonwo toolbar removal - 5 Steps: Posting of Logs

Hello Jono21, and welcome to TSF,

We'll begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix

When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

7 more replies
Relevance 75.85%

I have a roughly 10-year old Dell Win XP-pro sp3 32-bit machine that I suspect has a rootkit virus that runs the cpu at 100%. (That virus appears to be under the name svchost.exe. Process Explorer shows this as its only name. There are other svchost.exe files running as well,  and when I stop this file from running the machine runs ok for a while but eventually the virus creeps back in to run the cpu at 100% cpu again. My MS security update is turned off so I don't think it is due to the Windows xp update screwup - but who knows? The problem seemed to begin after an update but I wasn't there when the automatic update occurred.) This is the root problem I had been working on for a while but now I have a start up problem that is either due to virus or hardware. 
 
Today, after running Malwarebytes' special rootkit virus removal program it won't boot up. It gives the message "DCOM server process launcher service terminated unexpectedly. Shutdown initiated..."
 
The start up problem had symptoms earlier. I had run a variety of antivirus programs - malwarebytes, superantivirus, hitmanpro and some others - and yesterday a new message said on startup- "Windows could not start due to computer disk hardware config problem... could not read from the selected boot disk...check boot path and disk hardware." I then created a windows recovery disk and ran it and it seemed to clean the boot up files, but the main p...

Answer:Virus removal attempted.Unable to boot up.Rootkit suspected

Hi Phil, another will respond here that handles these. It may not be tonight. You will probably need a Flash drive or CD drive and access to another computer.

19 more replies
Relevance 75.85%

Hello,

I discovered my laptop was infected with a Trojan Zefarch and took a couple steps in an attempt to remove it. I ran scans with Symantec, Spybot S&D, and Malwarebytes, ran RegistryCleaner, and deleted a couple suspicious-looking folders in my AppData folder. After doing all this and at least one restart, I discovered that the touchpad and built-in keyboard on my laptop were not working. I'm currently using an external USB mouse and keyboard until I can figure this out. I'm running Windows 7 on an hp dv6.

Here are the results from HiJackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:24:29 PM, on 8/13/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\ProtectionUtilSurrogate.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe
C:\Program Files (x86)\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files (x86)\iTunes\iTunesHelper.e...

More replies
Relevance 75.85%

Please advise, I don't know what to do.

I ran a symantec online virus scan and came up with the following infected files:

C:\WINDOWS\system32\plvovafv.dll is infected with Trojan.Vundo
C:\WINDOWS\system32\pilsympw.dll is infected with Trojan.Vundo
C:\WINDOWS\system32\bodqvcvg.dll is infected with Trojan.Vundo
I tried using a couple of programs, VundoFix and FixVundo, but neither detected these files.

Here is my HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:26 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program fi...

Answer:Need Instructions for Vundo Removal

Hi and welcome

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

3 more replies
Relevance 75.85%

I've seen some posts here about removing Spy Axe but it seems like everybody's case might be a little bit different. What should I do and/or what information do you need?

Keep in mind; I have no idea how to obtain my Hijack Log.
 

Answer:Solved: Spy Axe Removal Instructions?

16 more replies
Relevance 75.85%

hello, first i was hoping to get one of two fragged comps working perfect (well close to it) by removing freeze.com from popping up randomly when i am surfing the web. I had the instructions once before, but i can't find them any more. I have ran hijackthis and nothing odd popped up there. well i remember it was fairly simple if you knew what you were doing, but i don't remember. thanks for any help you can offer.

Answer:freeze.com removal instructions

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any c...

1 more replies
Relevance 75.85%

I recently infected my computer with Aurora to see if I could remove it as kind of a challenge. I did it and I'd just like to help out those perplexed souls looking for answers.

To some this is a step-by-step guide to removing Aurora. To others it is a reference for removing any malware. And to others still, this is just a document that contains useful information. The sections are titled, to make it easier to find information on specific tasks.

I haven't come across any real instructions for removing Aurora in any forum post or website yet, except of course for the myPCtuneup.com uninstaller. That uninstaller will be sufficient for some, who don't mind swallowing their pride and clicking "I Agree" to a statement saying they wanted Aurora on their computers to begin with. I am not one of those people, and if you consider yourself an advanced ("power") user, you probably aren't either. I'm also sure the various malware removers will catch up to Aurora eventually. This obviously is for those who would rather not wait.

These instructions should ONLY be carried out if you have advanced knowledge of computers and Windows XP, are familiar and comfortable with modifying and deleting registry entries, system files, and services (processes). DO NOT TAKE THIS STATEMENT LIGHTLY. These instructions really are intended solely for very advanced users.

Many people with advanced knowledge will be able to remove Aurora without my help - if so, kudos. But this i...

Answer:Aurora Removal Instructions

nice job. it's kind of ironic because i just wiped my other computer's hard drive less than 2 hours ago because i couldn't figure out how to get rid of Aurora lol. wish i would have checked here first now.

1 more replies
Relevance 75.85%

For trojan.attack. Can anyone advise me? Thanks!
 

Answer:Looking for manual removal instructions

Are you having problems with this? Are you getting any messages about having to pay a couple hundred dollars to remove malware from your PC? Are your files being held for ransom?
 

5 more replies
Relevance 75.85%

I have followed the instructions for the removal of AntivirGear Removal (Free) (Automated). I am unable to proceed beyond para 6 of this instruction. I get the credit screen but when I press 'any' button the screen freezes. I have deleted the SmitfraudFix program twice and reloaded but to no avail. I must have tried at least 12 times but every time it freezes at the same point. Any suggestions please?

Answer:Antivirgear Removal |(instructions)

I suggest you try doing it in safe mode if you have not already. Get to Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

8 more replies
Relevance 75.85%

Hey there forums. I have a bit of a problem. I seemed to have caught the SMART HDD virus on my laptop and am having problems getting rid of it.

When I realised that the laptop had contracted something I out of habit did a Malwarebytes scan and then rebooted when prompted. After reboot the problem still persisted so I ran a ESET scan to see if some infections were left behind. After that scan the problem still existed so I then did a Google search leading me to some instructions from the site on how to get rid of SMART HDD.

I've followed these instructions here: http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd but no luck. When I boot back into windows normal I get the error message: "A Write command during the test has failed to complete", the SMART Repair Pop Up, black background and the lack of onscreen icons.

At this point I'm out of ideas and am looking for guidance. I followed all of the steps, 1-19 but by the time I got to 19 I saw that the pop ups still appeared. Any help would be appreciated. I am using an HP G62 Laptop with Windows 7 Home Premium. Thanks in advance.

Answer:S.M.A.R.T HDD is resisting removal instructions

Looks like we need to get deeper. Can you do this... Please go here.... Preparation Guide, do steps 6-9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run (it may not on 64 bit), skip it and move on. Let me know if that went well.

5 more replies
Relevance 75.85%

Several days ago my computer was infected with Spylocked. I tried to remove it by deleting from Programs, Startup, and Add/Remove Programs, and although some items were deleted, I still get the flashing little icon in the screen's lower right panel. So I guess that I am still infected. I'm not too smart on this stuff, so instructions should be simple enough.
Thanks very much.
Larry Opheim
 

Answer:Spylocked-Need Removal Instructions

9 more replies
Relevance 75.85%

I am a little confused by the Automated Removal Instructions for SPYDAWN posted here http://www.bleepingcomputer.com/forums/t/81275/how-to-remove-spydawn-removal-instructions/ at the end of STEP # 8 Disk Cleanup. It says to go to Step # 11? Does this mean you should not complete steps 9 & 10? This is confusing to me or I'm reading too far into it. Could I get some input on this? Thanks

Answer:Spydawn Removal Instructions

Steps 9 and 10 are providing some specific information of what to do while in the process of doing disk cleanup. It is after disk clean-up is completed that you do step 11. I hope this clarifies things for you.
Orange Blossom

3 more replies
Relevance 75.85%

Hi

I'm having problems with Spyware, mainly in the form of pop-ups (888.com, dell, various casinos etc). I've followed your instructions but still haven't solved the problem. The tools (Spybot, MicrosoftAS etc) have improved the situation but it has not gone away completely. Occasionally (very) I have system freezes and I couldn't follow your instructions 100% as MicrosoftAS wouldn't work in safe mode. I ran this in normal mode, but whenever I do this, the system freezes after the scan (incidentally, the scan results were clear).

The problems seem to have started since I started using Limewire version 4.9.33. Do I need to uninstall this? I've also received various invitations to download Winfix and have followed the sticky thread on this, but HTF doesn't show up any bad files.

I attach my HTF, BitDefender, and Pandascan logs. The Bitdefender log seems to indicate a problem. Your assistance is much appreciated.

MonkeyCat
 

Answer:Spyware removal - I've followed your instructions

Please do not use the paper clip to attach links in line. That makes them harder to read because you must login again. Just attach them like I did in your message. (I changed them.) Looks like you ran Panda before BitDefender. Is that correct?

I'm also surprised that the below still are found. Did you run Ccleaner on this account or a different account name?
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\3NPDHPL6\toolbar2[1].htm
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\F37BVQPL\bridge-c24[1].cab
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\F37BVQPL\bridge-c24[1].cab[MediaGatewayX.dll]
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\GTYZSXUN\xml_istbar[1].xml
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\YB4BEHOR\uninstaller.prod.24oct2005.exe[1].67ed8085ef4da0dd46732bc56aa91a66

Either delete the files manually or run Ccleaner on James Heseltine and make sure that the Temporary Internet Folder is selected for cleaning.
 

49 more replies
Relevance 75.85%

I followed the instructions in the Malware removal guide. I was unable to start up in safe mode (only shows F1 and F10 (setup and recover) at start-up). I was in normal start-up for removals and on-line scans. Bit-Defender found nothing, so I've not attached notes from that. I will attach results from Counter Spy, PandaActiveScan, and GetRun Key to this note and send a second note with Show New and HJT files attached.

Any Help and Instructions would be appreciated. At moment, issues seem to be following: (1) Following any long period of time (hours, usually) I will find my screen scrambled with the "start and bottom icon" line reduced in size and at the top left. Touching mouse changes screen and freezes it. Only fix is to shut off computer using 'on-off' button on CPU and restart. (2) When trying to move or find files when I click on 'computer' system takes forever (minutes) to display the drives attached to computer and shows a little flashlight looking for them. This is a recent phenomenon. (3) I use Flasser program to get rid of Lasser worm following installation of NetGear WG111 v2 wireless adapter (USB) with its security issue. Have service pack 2 but still have to re-run Flasser on fairly often basis (every few days).

Thanks for any help,

AUTiger
 

Answer:Followed Removal Guide Instructions - Now What?

Followed Malware Removal Guideline - Now What? 2nd Note with 2 more attachments

Attached are the Show New and HJT files.

Thanks,
AUTiger
 

11 more replies
Relevance 75.85%

I have or had the about:blank spyware on my system. Here are the steps I have taken so far:

A. Followed your READ and RUN ME FIRST instructions, as well as I could.
B. Followed special removal instructions for about: Blank, simplified.

Attached are the logs requested (I hope!)

Thank you so much for your help in cleaning my computer! I appreciate it greatly and look forward to your reply.

jody
 

Answer:following about:blank removal instructions

More log attachments....the bdscan file will not upload...I tried twice.

Again.....thanks so much for your help and detailed instructions.

jody
 

5 more replies
Relevance 75.85%

Hi,
My thanks to all who have played a role in the creation of the Home Search Assistant/CWS_NS3 Removal Guide. I followed the steps contained therein and I no longer have a hijacked browser or any adware/spyware running. I have one side effect however. Whenever I try to launch IE or any other office product, a Windows installer launches and attempts to configure Microsoft Office XP Professional. It dies while looking for the file PRO.MSI from the network host where it installed from initially, which is no longer connected or around at all. Oddly enough, cancelling out of the install window allows the app to launch without any problems. Apparently the removal process I undertook wound up deleting a file that when missing tells Windows to reinstall and configure Microsoft Office XP Professional. Any ideas on how to fix this?
Thanks in advance

Answer:Removal instructions worked, but..

Hello and welcome to BleepingComputer. I hope you enjoy your stay.

We had the exact same problem at school and reinstalling Office worked fine.

You can also try disabling Windows Installer. It is not often needed and can just be enabled again.

If you need anything else feel free to ask.

1 more replies
Relevance 75.85%

Hello, I was asked to post here, sent from the "Am I infected? What do I do?" forum, regarding S.M.A.R.T HDD resisting the removal steps.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421
Run by Michael at 0:06:26 on 2009-07-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.2384 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe...

Answer:S.M.A.R.T HDD is resisting removal instructions

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t...

71 more replies
Relevance 75.85%

Hi All
I have found an effective way to get rid of this virus that has been fraudulently attached to an otherwise trustworthy program.
This will work for Windows Vista users with system restore only.
Go to Start and type in the search box “system restore”; if a security window pops up, just click continue.
Select the recommended restore radio button and then click next. Then confirm by clicking finish.
Then wait for your computer to go through the restore process.
As soon as it restarts, boot up your favorite anti virus and scan for any leftover files, remove them and enjoy a working pc.
Hope this helps

Admins: I am an ex security worker for a British broadband company and found a way to deactivate and remove this trojan that is being attached to WINrar off cnet's website. This kind of needed a home as most places were prompting people to go into registries and such, which could damage the machine if done by the wrong people.
 

More replies
Relevance 75.85%

Hello; Many thanks in advance - here's the main:

Deckard's System Scanner v20071014.68
Run by Maria on 2008-01-30 16:24:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-30 16:30:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\RTHDCPL.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\vsn...

More replies
Relevance 75.85%

i can't remove this software. i want to install iolo antivirus and iolo keeps telling me to remove threatfire. i can't. what can i do
 

Answer:Threatfire pro removal instructions

This is not a malware issue so I moved it to the Software Forum for you.
 

3 more replies
Relevance 75.03%

I found my computer to be infected with the "vista antivirus 2012" malware and attempted to remove it by following the instructions in this Bleeping Computer guide:

http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

After following all of the steps, I restarted my computer. During the start-up, windows titled "blank window2" began popping up and disappearing very quickly. This is causing my computer to run very slowly. I have seen error messages regarding "hello4.exe" while attempting to close programs and have had windows pop up saying that my browsing history is being deleted. I have also noticed in the task manager that there are many applications running titled "QTTask.exe" and "scvhost.exe" . I have seen other postings describing similar problems, but I do not want to attempt another fix without personalized instructions. What should I do?

Answer:blank window2 and hello4 after attempted removal of vista antivirus 2012

I am running windows vista, by the way, and I believe my computer troubles started when I opened a website about treating yellow jacket stings. An additional tab opened, and when I tried to close it, I encountered pop-ups. I ended all tasks in the task manager, and restarted my computer. It was then that I began receiving the "vista antivirus 2012" warnings and decided to follow the removal instructions in the link posted above, which has left me with my current problem.

phil

2 more replies
Relevance 75.03%

Hi everyone
Have you ever tried to get rid of a spy ware program only to find weeks later the programme was still on your computer? Well this link will help you to uninstall some of the worst offenders on the INTERNET. Please don't forget to post back and let us know how you got on
http://www.pchell.com/support/bonzibuddy.shtml
 

Answer:Removal Instructions for spy ware Programs

Hi Nick, I stopped by the link and it looked to be a friendly and useful site. No need for the site today, but thanks. May come in handy later though.
 

4 more replies
Relevance 75.03%

i ran an ewido scan in normal bootup and it picked up "trojan.pakes" but it could not delete it and encountered an error......... plz help me get rid of this thing !

Answer:Trojian.pakes, Removal Instructions Plz

What file did it find? PLease give detailed information as to what ewido found.

11 more replies
Relevance 75.03%

The "Votre ordinateur est bloque" lock screen is a computer virus (Trojan:W32/Reveton), which will display a bogus notification, that pretends to be from the French police (Ministère de L'intérieur) and states that your computer has been blocked due to it being involved with the distribution of pornographic material, SPAM and copyrighted content.

The "Votre ordinateur est bloque" virus will lock your computer and applications, so whenever you'll try to log on into your Windows operating system or Safe Mode with Networking, it will display instead a lock screen asking you to pay a non-existing fine of 100 Euro in the form of a Ukash or PaySafeCard code.

Furthermore, to make this alert seem more authentic, this virus also has the ability to access your installed webcam, so that the bogus "Votre ordinateur est bloque" notification shows what is happening in the room.

To remove the "Votre ordinateur est bloque" lock screen, follow this guide: http://malwaretips.com/blogs/votre-ordinateur-est-bloque-virus/
 

More replies
Relevance 75.03%

Symantec has the removal instructions up.

HOW TO REMOVE W32.SPYBOT.WORM

=========================================
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode.
Run a full system scan and delete all the files detected as W32.Spybot.Worm.
Delete the value that was added to the registry.
Delete any zero-byte files in the startup folder.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the ...

Answer:W32.spybot.worm REMOVAL INSTRUCTIONS!

13 more replies
Relevance 75.03%

Spybot S&D has identified but cannot remove SmitFraud. After a bit of searching, found this forum with the help I needed under USER SELF HELP MALWARE REMOVAL GUIDE / SMITFRAUD and It's Variants Removal Guide. I have followed the "5 Steps before Posting a Log" and began the SmitFraud removal procedure, but came to an abrupt halt after installing AVG Anti Spyware. The procedure references AVG ver 7.5.1.36. I have installed AVG ver 7.5.5.03 and instructions don't match what I see. I was able to make Resident Shield inactive and get an Update (w/o the progress bar), but the last six instructions have me baffled... which is not all that hard to do! Things kept going south... somehow AVG ran a scan, I think it was scheduled. I hope someone can find out where I am and get me pointed in the right direction.

Answer:Is there an update for SmitFraud removal instructions?

Thought about it / got bored and ran DSS. I will attempt to paste and attach resulting files.

Deckard's System Scanner v20071014.68
Run by JR on 2007-12-16 09:24:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
24: 2007-12-16 15:24:28 UTC - RP1088 - Deckard's System Scanner Restore Point
23: 2007-12-16 13:59:52 UTC - RP1087 - Spybot-S&D Spyware removal
22: 2007-12-16 13:20:57 UTC - RP1086 - System Checkpoint
21: 2007-12-15 12:57:24 UTC - RP1085 - Spybot-S&D Spyware removal
20: 2007-12-14 21:00:56 UTC - RP1084 - Installed AVG 7.5


-- First Restore Point --
1: 2007-12-05 20:08:56 UTC - RP1065 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3 GiB (less than 15%) free.


-- HijackThis (run as JR.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:50 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
...

19 more replies
Relevance 75.03%

Hi there, thanks in advance for any help. I appreciate there must be so many requests for help about removing this pain in the proverbial malware but I wanted to post my own thread so you could check out my Hijack This log - which I will post shortly.

Bit of Background:

SpyBot picks up Zlob DNSChanger every time I run it. Also, PCTools 'Spyware Doctor' has also been picking up various other Zlob infections over the last week or so (since I downloaded it) which keep coming back, which I guess is expected behaviour.

This malware is giving me intermittent access to websites and also preventing me from downloading updates to Spyware Doctor (unless I get lucky after 'Fixing' the latest Zlob find in SpyBot!). Windows Updates also are impossible and Zone Alarm went up the swanny too so I have uninstalled that for the time being.

When I fix the infections found with Spyware Doctor I generally lose access to webpages and I have to reboot. I then have to wait ten minutes for my account to log in (it just sits on a blank screen and services take ages to kick in). Once logged on I can then gain web access again but...you guessed it...the zlob infections are found on next scan (both SpyBot & Spyware Doctor).

Oh yes - I get the unwanted adverts too on websites i.e. Do I Want a Bigger Penis, Vimax adverts etc etc. Boo!

So there is a bit of background - I will now go off and get my Hijack this log and hope that someone can let me know what to do step by step to tr... Read more

Answer:Zlob.DnsChanger Removal Instructions

16 more replies
Relevance 75.03%

Somehow my wife spilled a small glass of juice on my new SL400 keyboard. The laptop still works OK except that several useful keys on the right side of the keyboard are slow to bounce back, not to mention "crunchy". I'm fairly adept at computer repairs but I'm hoping to find some instructions on how to remove, clean and reinstall the keyboard. Thank you.

Answer:SL400 - Instructions for keyboard removal?

Thinkpads have a great resource in the series of Hardware Maintenance Manuals (HMM). There's detailed instructions on how to take apart your system and the part numbers associated with each major component. You can download a copy (Adobe Acrobat format - .PDF) for the SL400 from here: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-69929

The one extra piece of advice that you need is to have a system in place where you can accurately keep track of the different screws that are removed and know exactly where they go back into the laptop. In some cases you can cause some damage to the laptop if you are not careful and end up installing a long screw in a short hole. With only the removal of the keyboard, you're probably looking at half-a-dozen screws, with three different lengths so it shouldn't be too bad.

1 more replies
Relevance 75.03%

I am continuing to have popup problems after following all of the steps at http://forums.majorgeeks.com/showthread.php?t=35407

Firstly, within those instructions I had the following problems:

When running Trend Micro Housecall all 13 files that were discovered were unable to be cleaned, including a variety of Trojan files.

I could not run the Symantec Security Check, it says "redirection for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked." I tried going to the Symantec website to find a security check and run it myself but the links wouldn't work correctly.


Among the popups I am getting are some error windows including the following:

An error has occurred in the script on this page
Line: 92
Char: 4
Error: Access is denied
Code: 0
URL: http://xadsj.offeroptimizer.com/imp...ttp://forums.majorgeeks.com/showthread.php?t%
Do You Want to continue running scripts on this page? (Yes/No)

And multiple advertising based popups by "Aurora - Part of the ABI Network" which cannot be stopped using popup blocking software.

Please help!
 

Answer:PopUp Problems After Following Removal Instructions

Somehow it never seems to fail that when I post here I have to boost my thread because it goes overlooked while other people who don't even follow the rules get responses. *sigh*

ANY-how, could someone pretty pretty please help me out?
 

10 more replies
Relevance 75.03%

I have been looking into this little bugger for a while and have compiled what I hope is generic removal instructions that should help rid people of this nasty little parasite once and for all.
http://www.techmonkeys.co.uk/viewtopic.php?p=2968#2968
 

Answer:Aurora and Nail.exe removal instructions.

7 more replies
Relevance 75.03%

Hi, I'm running through the steps as you outlined before submitting a HiJack This Log. I installed Spybot and began running it... it closed my Adware and then proceeded. Then a window popped up during scanning asking if I would allow a change to the registry and naming BM33e63ece and another registry key - both of which had previously been flagged by my Trojan Remover. So I hit deny changes thinking it was trying to rename itself, now windows are popping up all over like so:

Now I'm not so sure if I blocked Spybot from removing it (was this the change?) or the program itself from changing its value and I don't know what to do. Could someone possibly help and direct me on what to do? Do I allow these registry changes by the programs which were flagged as components of Vundo before? I'm so unfamiliar with Spybot and none of my reading so far has turned up guidance. Thank you so much for any help.

Answer:Using Spybot As Per Instructions For Vundo Removal And..

When I denied it in Spybot my whole screen filled up with those boxes but terribly annoying. Have you read How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b? This should fix all cases of Virtumonde/Trojan.Vundo

3 more replies
Relevance 75.03%

Hi, I've followed the Virusburst removal instructions up until item 13.16 which asks me to open the SmitRem folder I previously created on my own user desktop. But in Safe Mode and logged in as administrator this folder doesn't appear on the desktop. What should I do now please? Thanks

Answer:Using 'how To Remove Virusburst (removal Instructions)'

Hi I found the only way I could remove VirusBurst was to run Prevx1, all other ways failed

3 more replies
Relevance 75.03%

Symantec has the removal instructions up.

HOW TO REMOVE W32.SPYBOT.WORM

=========================================
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode.
Run a full system scan and delete all the files detected as W32.Spybot.Worm.
Delete the value that was added to the registry.
Delete any zero-byte files in the startup folder.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the ... Read more

Answer:W32.spybot.worm REMOVAL INSTRUCTIONS!

14 more replies
Relevance 75.03%

Scammers Are Using a Fake Version of AdwCleaner to Trick People
Lowell Heddings
11 Feb 2015

Lowell Heddings, the How-to Geek said:

The latest trend in the awful Windows ecosystem is pretty ridiculous - scammers have a fake version of the reputable AdwCleaner tool, which is a real tool for Windows experts. And this one pretends your computer is infected and tries to make you pay them to remove it.

AdwCleaner is indeed a real freeware tool, with a good reputation for removing spyware and adware. It's not as well known as MalwareBytes because it's not all that user friendly, since it is meant for Windows experts rather than regular users. And the scammers have tried to mimic the interface, stealing the logo, and even ripping out the icon (badly) for their fake version.

image: How-to-Geek
The ironic thing is that this is getting on people's PCs that are already infected with adware or spyware of some type, which then keep popping up windows to a page that looks like this one... which tells you that adware is detected. Which is surprisingly accurate, although the fake app isn't going to remove that adware.

Once you click through that dialog, it'll give you a scary message like this, telling you to download AdwCleaner. Since you've probably heard your geeky friends talking about AdwCleaner, a normal user might be tempted to download it.

...more



Only download software from reputable websites !!Author (Xplode) ... Read more

Answer:Fake AdwCleaner: with removal instructions

Thanks for the heads up.

3 more replies
Relevance 75.03%

Scammers Are Using a Fake Version of AdwCleaner to Trick People
Lowell Heddings
11 Feb 2015

Originally Posted by Lowell Heddings, the How-to Geek

The latest trend in the awful Windows ecosystem is pretty ridiculous - scammers have a fake version of the reputable AdwCleaner tool, which is a real tool for Windows experts. And this one pretends your computer is infected and tries to make you pay them to remove it.

AdwCleaner is indeed a real freeware tool, with a good reputation for removing spyware and adware. It's not as well known as MalwareBytes because it's not all that user friendly, since it is meant for Windows experts rather than regular users. And the scammers have tried to mimic the interface, stealing the logo, and even ripping out the icon (badly) for their fake version.

image: How-to-Geek
The ironic thing is that this is getting on people's PCs that are already infected with adware or spyware of some type, which then keep popping up windows to a page that looks like this one... which tells you that adware is detected. Which is surprisingly accurate, although the fake app isn't going to remove that adware.

Once you click through that dialog, it'll give you a scary message like this, telling you to download AdwCleaner. Since you've probably heard your geeky friends talking about AdwCleaner, a normal user might be tempted to download it.

...more



Only download software from reputable websit... Read more

Answer:Fake AdwCleaner: with removal instructions

Google's blocking most if not all of Filehippo downloads. At least, that was the case in the very recent past.

2 more replies
Relevance 75.03%

Security Tool Removal Instructions
Security Tool is a so-called rogue antivirus software that is distributed by various means including malicious software like trojans but also popups on the Internet which will display a fake message that the computer is infected and needs to be secured by downloading the rogue security program. Security Tool will perform a series of tasks once it is running on a computer system. This includes blocking legit software from being executed and displaying false security warnings to promote a "full" version of the program that the PC user should buy to protect the computer system. The files that it displays as malicious or infected are in fact not, which can be proven by testing them with a legit antivirus software.
Security Tool will add itself to the list of autostart programs in Windows. It will automatically perform a scan upon startup that will display the fake infections in the end. The "make money" part comes into play when the user tries to remove the infections with the rogue program. The rogue AV will notify the user that a license needs to be purchased before the infections can be removed.

Answer:Security Tool Removal Instructions

I just ridded this ***** from my wife's computer a few minutes ago. It was located in the Windows/Prefetch folder and am running Malware Bytes to make sure all traces are gone.

1 more replies
Relevance 75.03%

On my new Lenovo laptop (Win 10), I read the conditions carefully and found that Trovi.com was required to accept. All I have read re Trovi has been negative, and I want it off my machine.

I've followed Malwaretips.com's removal instructions, but none of the recommended scans can identify any Trovi threats. I know it could be called "Search Protector," but nothing shows under that name. Hitmanpro has no Win10 version.

HELP! Am I worrying needlessly or should I pursue this?
 

More replies
Relevance 74.21%

I have a client who brought me their Dell Dimension 2400 desktop for a virus removal. Normally I don't have any problems getting a machine cleaned up and back to business, but this has me stumped. When the machine was first brought to me, I used UBCD4WIN to scan for malware with Spybot S&D. After updating and scanning with SB S&D, Virtumunde was found along with the koobface worm. Both seemed to be removed with the scan. After removing the UBCD disk and rebooting the computer, I attempted to go online, and a popup occurred notifying of a $1,000.00 Walmart gift card. Also, any Google search got redirected to crazy sites... I downloaded ComboFix, and scanned. It found TDL3 rootkit. I removed ComboFix and all logs. Rebooted machine. Browser still hijacked. Downloaded SB S&D and installed on infected machine. After update and scan, the program found no infection. Machine already had MBAM installed, so updated and scanned with MBAM, found nothing. Used my computer to search for Google Redirect Virus, and found information regarding TDSSKiller, downloaded it and it found TDSS.TDL4, and I made sure "Cure" was selected, and allowed TDSSKiller to do its thing. I then put ComboFix back on the "infected" machine, and attempted a scan. It came back clear, so I uninstalled CF and deleted all logs. I was going to install Comodo Internet Security (CIS) on the machine. After downloading and installing CIS, the machine reboots, and Windows installer star... Read more

Answer:Strange behavior after TDSS.TDL4 rootkit/Virtumunde/koobface attempted removal

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for postin... Read more

2 more replies
Relevance 74.21%

Attached and pasted below are the outputs from following Ried's Malware removal guide. All I can tell you about my issue is that Ad-Aware identifies the virus as Virtumonde and that it is located in my registry. It has no uninstaller and replicates once it is deleted using Ad-Aware or any other malware removing software that I have tried. My McAfee doesn't even recognize that it is there.


**Output from DDS**

DDS (Version 1.1.0) - NTFSx86
Run by Jesse Ide at 14:12:47.93 on Wed 12/24/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1464 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\Pmxmiced.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelp... Read more

Answer:Trojan Issue - Following Ried's removal instructions

Hello and welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.

Please print out or save the following instructions in Notepad. Please also stay with me until I declare you clean.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

---------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt y... Read more

7 more replies
Relevance 74.21%
Answer:CoreFlood!Mem trojan (new variant) removal instructions

dhondi:

I've removed your data, please leave the malware assistance to the trained professionals.

Thanks ,

v
 

1 more replies
Relevance 74.21%

This is what I have on my S100 laptop... Can anybody help?

Doc1.docx 109 KB

More replies