Computer Support Forum

Help with malware removal--have performed removal instructions

Question: Help with malware removal--have performed removal instructions

I read and followed precisely "Vista and Win 7 Malware Removal/Cleaning Procedure"

My issue: I was informed by my ISP of the following: "Mail Log Parsed from Feb 15, 2013 19:47:04 to Feb 16, 2013 19:47:04 User sent approximately 141,801 messages to 136,591 unique recipients. There were 2598 bounces received in this period, 1 percent of the emails sent. "

I have AVG, running constantly. ISP changed my password to stop the mail. I ran AVG in safe mode. Still not sure trojan eradicated. ISP referred me to your site.

I performed all steps. I have attached all logs except TDSSKiller. While it ran clean, no apparent log was generated. All except RogueKiller found no issues. RogueKiller found as reflected in log.

Please advise if you believe my system is clean, or what further I should do. Since I haven't seemed to find anything, it's hard for me to be comfortable that it's clean.

Thank you immensely!!

Mike Sieber


Answer: Help with malware removal--have performed removal instructions

Welcome to Major Geeks!




mike sieber said:

I performed all steps. I have attached all logs except TDSSKiller. While it ran clean, no apparent log was generated. All except RogueKiller found no issues. RogueKiller found as reflected in log.

Not problems. It is just junk from AVG. All of your logs are clean. Many times when something like this happens, it is not an infection. It is due to a spammer/spammers getting your email login and password and they use it from other PCs to send out their spam. There are cases of infections that can cause spamming ( like some master boot record or partition infections ) but you show no signs of these.


If you are not having any other malware problems, it is time to do our final steps:
We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:
How to Protect yourself from malware!

3 more replies

I posted in the software forum yesterday and was instructed to complete the malware removal steps and repost here. I have a new computer running Windows 8.1. When I say new, I mean I started having problems within a couple of hours after turning it on!

I have McAfee antivirus protection and downloaded and installed my MSOffice 2013 Home and Student. All seemed to be fine. The MSOffice was up and running and McAfee said I was protected. Suddenly and I don't remember what I was doing...it said Microsoft something (sounded like an antivirus or firewall something) had detected several problems and I needed to "clean my computer". Oh so ignorant of all that was going on with learning Windows 8.1 after using XP for years I told it to clean. Somewhere in there it suggested I do a system restore. All seemed OK until I realized MSOffice was no longer there. I tried to download it again and reload, but with no luck. It occurred to me it had something to do with the system restore so I tried to undo the restore. That of course didn't help. I'm also now getting messages from McAfee that I am covered and safe but that my firewall is turned off and needs to be turned on. However I can get McAfee to do nothing. I can open a screen, but nothing I do makes it do anything. I tried downloading their "Virtual Technician" before I started the process you recommended and it acted like it was downloading, but 20 minutes later it was still "spin... Read more

Answer:malware removal help - removal instructions attempted

Can you try running the tools that were not working before including Hitman, in safe mode please. Let me know how you get on.
 

16 more replies

MS Removal Tool is a rogue software. It restricts you from accessing your desktop. You cannot start Task Manager, and you cannot open Internet Explorer or any other programs. This situation is the result of malware (a variant of Win32/Winwebsec) that is infecting your computer.
To remove the MS Removal Tool, follow the steps below:
Boot your computer into Safe Mode.
Windows XP and Windows Vista:
Start your computer and press and hold the F8 key.
A Windows Advanced Options menu will appear. Use your arrow keys to scroll to Safe Mode and press the Enter key.
Click the Start button, and then click Run.
Type cmd then click OK. A black command prompt window will appear.
Locate the affected directories:
Windows XP:
Type cd c:\Documents and Settings\All Users\Application Data\ and press the Enter key.
Type dir and press the Enter key.
Windows Vista:
Type cd c:\ProgramData\ and press the Enter key.
Type dir and press the Enter key.
Type cd c:\Users\All Users\ and press the Enter key.
Type dir and press the Enter key.
Scroll through the list to find directories with random names that contain 18 characters. For example: cHl08200gMhHd08200, pJg08200fBmPl08200.
Type rd /s /q <random name>, and then press the Enter key. Replace <random name> with the 18 character name. Repeat this step for each random name you find.
Type reg delete hkcu\software\microsoft\windows\currentversion\runonce /v <random name> /f, and then press the Enter key. Replace <random name> with the 18 cha... Read more

More replies

I still seem to be having issues with pop-ups. I've attached the 5 logs from running the MGtools. Can anyone take a look and tell me if I still have problems that weren't removed?
 

Answer:I performed all the steps following the malware removal guide, but...

Here are the other two logs.
 

13 more replies

Hi. I recently discovered the pickle.exe virus on my computer. It keeps popping up on every site and attaches itself to words on the screen I am reading. I followed the prompts for removing malware and help on your site. All worked until I downloaded the GMER and got to the scan window. GMER came up with the following boxes already checked; services, registry files, C and ADS. It would not let me check any other boxes. I went ahead and ran the scan. GMER found no system modifications. But again, it was only a limited scan that I could not change in any way. I have copied the DDS.txt file below and attached the Attach.txt files. What do you suggest I do now?

I have

Thanks, Faye

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by 3NICHOLSONS at 10:29:42 on 2011-09-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2202 [GMT -7:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\... Read more

Answer:GMER Performed Limited Scan in Malware Removal Process

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418939 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies

Yesterday my computer was attacked. I had a black screen with red letters stating "Warning! Your're in danger? Your computer is infected with spyware." Also one of my icons in the lower right tray kept popping up saying "warning your computer is infected". Then I had a popup window keep coming up in the middle of my screen that said "Security monitor warning system detected a potential hazard TrasanSPM/LX". I put my computer in safe mode and ran AVG 8 and Spybot but kept getting the same. I then went through all of the steps that you have posted and it seemed to have worked, although I do have one file in add/delete directory that will not delete (My Way Search Assistant). Also, when I was following your steps, SAS would not complete the scan so I ran MBAM first and then came back to SAS and it scanned okay the second time. I would really appreciate it if you would look through my attached files to ensure that all problems have been eliminated. Thank You!
 

Answer:Followed Malware Removal Instructions

Welcome to Major Geeks!

You did not attach the requested log from MGtools. We need this to finish your cleanup.
 

5 more replies

Hi,

I've found the online Malware Removal document to be very helpful... however there are times when I've been at client sites where a PRINTED version of the entire document would be **very** useful. Is it possible to get a complete PDF of this, including the various pages accessed by links within the document? Thanks.
 

Answer:Malware Removal Instructions

Welcome to Major Geeks!

Sorry, but no, we do not make it available in PDF format. The instructions are constantly changing to keep pace with malware. The tools and links in the READ ME also change over time for the same reason. There are many, many links referenced in the READ ME, and it would be a ton of work to actually get all of the webpages into PDF form and by the time we did, they would be out of date. In addition, we really have no need for this since the current online copy is always what we want people to use.
 

1 more replies

Hi Majorgeeks,
I made the Malware Removal/Cleaning Procedure on my computer. All came clean except for RogueKiller which found 4 issues in the registry. Can I delete them? Will this make my computer clean?
Please find attached the 5 requested logs.
Thanks a lot for your help!
Best,
indis07
 

Answer:Help - Malware Removal after following instructions

I am not finding any malware in your logs. What issues are you having?
 

3 more replies

I have run the malware removal instructions and went through each program, as they did remove some of the malware and virus. The issue that I am having is that when I open the computer under a separate user and try to run the malware removal programs via internet or through USB drive, I keep seeing a window which pops up asking me which program I want to use to open the program. I have run the computer under the administrator and do not seem to have problems running the malware removal steps and have attached the reports from the instructions.

Even when I try to open add or remove programs under control panel - I get the following message: "C\windoesn\system32\rundll32.exe- application not found". I am thinking that it is something to do with AVG and have removed the program with the step.

Please help....

View attachment mbam-log-2011-03-28 (17-02-07).txt
View attachment combofix log.txt
View attachment SUPERAntiSpyware Scan Log - 03-28-2011 - 16-42-24.log
View attachment hijackthis.log
 

Answer:Help with malware removal- have run malware removal instructions

ssmehta007 said:

....try to run the malware removal programs via internet or through USB drive

Specific download and installation instructions are in our R&R ME FIRST guide :
ComboFix
Running from: l:\combifix\ComboFix.exe <--- belongs on your desktop

RootRepeal
Save it to your Desktop

SAS & MBAM
Installed to the Default Location - "C:/Program Files", as we suggest that you keep them after malware removal.

MGTools.zip
Download this file to the root folder of the drive where you have installed Windows (Typically this would be C:\ and thus you would have a C:\MGtools.exe file after downloading).
Please make those corrections and attach the missing RRlog.txt (from RootRepeal) and MGlogs.zip - normally it is C:\MGlogs.zip . Please tell me any problems you still have.
 

18 more replies

Hi! I followed the instructions to delete malware on my computer by installing Adware, Search and Destroy, CCleaner, etc. I have attached the two log summaries. Can you take a look at them and let me know what to do? Before finding this website and the instructions, I would delete them with Windows Defender or Norton Antivirus and they would reappear after a while. Any suggestions?? Thanks again for your help!!
 

Answer:Results after following Malware removal instructions

Welcome to Majorgeeks!

You did not say what it is that you were deleting and what was returning???

Also you forgot to do step 7 of the Read & Run Me. But based on your Panda log it would appear you need to run one of the other sticky threads first before attaching a HijackThis log. Run this: SpywareQuake Removal Procedure
 

1 more replies

i am running a removal on a family member's comp.

they may have gotten a rather bad one.

occasionally it does not allow OS boot
they booted this morning and their ICQ may have tried(and partially succeeded) in nuking another comp

i followed instructions in read & run, logs are attached

i need to know if anything in the logs are dangerous and need to be removed.
 

Answer:malware removal Read Me First instructions have been followed

"and their ICQ may have tried(and partially succeeded) in nuking another comp"

A chat program almost nuked the machine???

Reviewing the logs now...
 

7 more replies

Hi,

On this particular machine, I'm running Windows 2000, SP4, with all the latest updates.

Occasionally, while browsing major news sites and reputable online stores, I'll get a short period of IE6 windows automatically opening up that contain unwanted ads. These are not the type of ads that the sites I'm browsing would want to be associated with.

I'd like to get rid of this distraction and make reasonably certain that this machine is generally clean of malware.

The only questionably sane installation I did recently was to try the MaxPCSecure's free Spyware Detector scan. I've since uninstalled that program.

The latest freeware versions of Spybot and Ad-Aware don't pick up anything unusual in this regard.

What's the link on this site to the most current generic malware removal instructions that would apply to Windows 2000? I'm thinking that I could first run through such a set of instructions to see if that would eliminate the pop-up malware.

Thanks
 

Answer:Most Current Malware Removal Instructions?

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide
Note:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
 

3 more replies

Hello,
I picked up some malware on my desktop. How, I'm not sure, as it was behaving normally, then I unplugged it to move it, tried it out in its new location (without internet access), and when I returned it to its old spot (with internet access) and started it again it was very slow, and pop-ups appeared.

I followed the instructions. Two notes:

*TDSS asked permission to reboot so it could scan more completely. I scanned it without reboot first, then with reboot.

*When I downloaded MG Tools.exe I got a message I could not save it in C drive so I saved it on my desktop and ran it from there. The zipped log appeared in the MG Tools folder and its name is not exactly the same (it's MGlogsR instead of MGlogs) as in the instructions. Now I find I can drag the exe file into my C drive (I'd wrongly assumed I would not be able to do that after downloading).

After following all the Read Me First instructions yesterday, the desktop is running at its usual speed now, but I just encountered another unusual pop-up (a shaking box warning about Java--not legit) so I don't believe my system is totally clean yet. A check of the logs would be much appreciated--Hitman Pro found several Trojans which I ignored per the instructions.

Thank you for your help,
AddyDog
 

Answer:Malware removal help - Read Me First instructions have been followed

Hello, AddyDog

Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts. *Re-enable them before physically reconnecting to your ISP.

*Other than the tools our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately leaving only shortcut links. [ C:\Users\laddison\Desktop ] Do not store downloads, exe files, iso files....etc on your Desktop. First it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [ApnTBMon] "C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe"
O20 - AppInit_DLLs: c:\progra~3\perfor~1\perfor~1.dll
O23 - Service: Ask Update Service (APNMCP) - APN LLC. - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe

After clicking Fix, exit HJT.

Using "Programs & Features" uninstall: (If you do not find it or it will not uninstall, just keep going.)
Ask Toolbar
Java 7 Update 67
Shoppi... Read more

6 more replies

Welcome to Tech Support Forum

Virus/Trojan/Spyware Removal Help (formerly Hijackthis Log Help)

* DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF. Do not run any specialized tools that you see being used in other threads without direct supervision from one of our trained analysts. Be advised that running any specialized tools not listed in this topic, on your own, is done solely at your own risk * It is also this forum's policy that we only address users with a legal copy of Windows. If during the course of a fix it is determined that the copy is not legal, we must stop the cleansing process.

=============================

How Soon Can I Expect Help?

=============================


Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. Also please note that there are many more people in need of assistance than there are trained staff members who may assist. Patience for this free assistance is required. If there is an immediate need, please take the machine to a local technician.

If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the words "BUMP, please" to move it forward. Do NOT bump the thread unless 72 hours has passed. We try to work from oldest to newest posts so your wait will... Read more

Answer:NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

2 more replies

Just wanted to let people know what happened to me, what I did to recover and to thank MajorGeeks for their helpful instructions.

Prior experience removing spyware: successfully cleared numerous people's computers a couple years ago using tips offered on MajorGeeks.com. Since moving I hadn't had a single problem in nearly 2 years.

What happened: I heard at work that Flash had a recent exploit and I should patch it. I searched on Google for "flash exploit patch" or something very close to that. I clicked one of the links that sounded promising. The website I clicked was a trap! Despite the barricade of (badly non-updated) anti-spyware I have installed I got infected badly. Antivirus XP 2008, Blue eff-with-you background and screensaver, redirecting browser pages, the whole works.

My initial ill-advised attempt to fix it: I updated Adware (sp?) from Lavasoft and ran it. It found all kinds of problems and "fixed" them. And it would work. For about 5 minutes. Then the BS would just re-install itself and take over again. I figured, we'll just go ahead and restart in safe mode and clean up everything. EEEEEET. That was only temporary too.

How MajorGeeks helped: I ran home to mommy (MajorGeeks forum). CCleanered myself, Updated Java and got rid of the old versions, followed all the instructions. This SEEMED to work. It definitely got rid of everything except the browser redirection. I kept hesitating about posting the logs, but if I had... Read more

Answer:Malware instructions followed 100%, removal not initially 100% (details).

Welcome to Major Geeks!

We are happy to hear it helped you.


Now we need to cleanup some items from running ComboFix.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.




REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.


If you are not having any other malware problems, it is time to do our final steps:
You can uninstall SUPERAntiSpyware now.
We recommend you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed Com... Read more

1 more replies

HELLO. I NEED TO GET HELP WITH PC ISSUES. ATTACHED ARE ALL THE LOGS THAT WERE SPECIFIED IN THE INSTRUCTIONS. I DO HAVE ACCESS TO A BOOT DISK/INSTALL DISK FOR MY SYSTEM. PLEASE HELP!!!!



DDS (Ver_10-03-17.01) - NTFSx86
Run by jason.bartram at 8:17:30.33 on Thu 03/25/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1551 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\jason.bartram\Local Settings\Temporary Internet Files\Content.IE5\7KAKFFY0\dds[1].pif

============== Pseudo HJT Report ===============

uSearch Bar =
uStart Page = hxxp://google.com/
BHO: Adobe PDF Reader Li... Read more

Answer:HELP! RE:NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help (HELP)

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

I see no sign of infection in your logs. What issues are you experiencing?

------------------------------------------------------

4 more replies

I believe I still have a rootkit or something else. I can't connect to wireless and, if it helps, the big problems began when I downloaded a media codecs file and AVG from CNET website. Neither file worked at all and C:\$AVG file keeps returning no matter how many times I delete it. Also, after I downloaded AVG and was trying to run it, my comodo firewall went nuts and was allowing everything. And I keep blue screening when I start sorting through files.

I followed the instructions to, "The NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help" And here are the Logs...



.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 19:53:39 on 2011-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1007.493 [GMT -6:00]
.
FW: COMODO Firewall *Disabled*
.
============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\Windows\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report =============== ... Read more

Answer:RE:NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Hi,

Please do the following:
Please download aswMBR.exe and save it to your desktop.
Double click aswMBR.exe to start the tool. (Vista/Windows 7 users - right click to run as administrator)
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

2 more replies

Hello,

Sorry for the length of this post, but I try to describe in detail what I've done. I have used the instructions in the "READ & RUN ME FIRST. Malware Removal Guide".

The reason I have done this is, because Avast On access scanner periodically alerted me to trojans in the temporary internet folder for the past two weeks. I instruct Avast to delete these files but the messages always come back a short while later. Two days ago it started alerting me of blocking access to a malicious site (the url for this site is garbled and ends in .cn). This message would pop up every 5 to 10 seconds. So I attempted to remove the malware on the pc with the help of the instructions of this forum yesterday night.

I am not sure where the trojan/malware originated from, as I am not the only user of this computer (my parents also use it). Around the time that the problems started, I visited a reputable (or so I thought) job site (engineeringcareers.co.za) - upon visiting Avast alerted me to a trojan attempting to download and gave me the option to block the connection to the site, so I did so.

Now, on to how I followed the instructions in your guide and the problems that I encountered:

I followed all the instructions to the letter, up to and including the Malwarebytes' Anti-Malware. Super antispyware had to be renamed to SAS.exe to run, as the explorer window crashed if I tried to run it normally. After MBAB finished, I could not connect to the interne... Read more

Answer:following malware removal instructions - MGTools not working

Hello again,

Here are the combofix and rootrepeal logs I intended to post. I wanted to post them directly after my earlier post, but real life interfered in the time between posting and my post showing up in the forum. This will probably be seen as a bump, but oh well - so far it looks like my problems are sorted out, so far Avast has not given me any more alerts to trojans/rootkits.

Thanks again,

Z.
 

8 more replies
Relevance 91.84%

Over at the Software forum (see my thread "suddenly lost an application; plus, can't download anything" at http://forums.majorgeeks.com/showthread.php?t=286066), Administrator DavidGP recommended I follow the instructions in the Malware Removal Guide and then start a new thread here in the Malware Forum.

But I have to ask three questions before I can follow those instructions. I'm sorry if I'm posting these questions in the wrong forum, but I asked the first two of these questions over at the Software forum, but didn't get a response.

A little background: My brother's computer runs Windows 7 Professional with Service Pack 1, and Mozilla Firefox 29.0.1. His current security software is StopZilla AVM 2013 (product version: 6.0.0.0, file version 6.0.3.61), and of course Windows Defender and Windows Firewall.

Question 1:

Both StopZilla and Windows Defender run real-time protection, but somehow don't collide with each other.

Nonetheless, I guess I'll have to uninstall StopZilla in order to run the programs referenced in the Malware Removal Guide, rather than just disable it, right?

(Incidentally, full scans done by both StopZilla and Defender found no threat.)

Question 2:

Step 4 of MajorGeeks' Malware Removal Guide says to disable any disk emulation software.

I don't know anything about disk emulation software, but I can tell you this:

My brother was running the now mysteriously disappeared prog... Read more

Answer:questions before following instructions in the Malware Removal Guide

Nonetheless, I guess I'll have to uninstall StopZilla in order to run the programs referenced in the Malware Removal Guide, rather than just disable it, right?

I wouldn't actually ever recommend anyone use Stopzilla. There are FAR more superior products out there.





Is VirtualBox disk emulation software? If so, I can disable it with DeFogger.

Yes you should be able to.





Someone told me they thought it might not be a good idea to disable disk emulation software before running diagnostic software because the malware might be on an emulated drive. Any comments on this?

You should always disable disk emulation software before beginning our procedures; this link explains why: http://www.bleepingcomputer.com/for...lation-when-receiving-malware-removal-advice/
 

1 more replies
Relevance 91.84%

Hello,

I recently got infected with Malware Defense. I went to the following link: http://www.bleepingcomputer.com/virus-remo...malware-defense

Followed the instructions, and it did stop all of the popups. Unfortunately, I cannot install any antivirus or run antimalware software. I double click the icons but nothing comes up. Also, my internet explorer window will randomly close for no reason. I ran DrWeb CureIt in safe mode but it didn't identify or fix anything.

Do you have any suggestions?

Thanks for your time

Answer:Had Malware Defense, followed removal instructions, still have issues

Okay, as a follow-up, I followed removal instructions again and ran Malwarebytes' Anti-Malware. It had 5 objects infected. Upon restart my computer locked up when I clicked run for the MBAM prompt. Here is the log:

Malwarebytes' Anti-Malware 1.43
Database version: 3502
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/6/2010 7:16:12 PM
mbam-log-2010-01-06 (19-16-12).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184387
Time elapsed: 27 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTbrsbpfukie.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTbrsbpfukie.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\P... Read more

1 more replies
Relevance 91.84%

Please find attached the logs from the scans in the Windows XP Cleaning Procedures. I followed the Cleaning Procedures but still have a problem. The problems can be pinpointed to yesterday when I surfed to a web site without having an up-to-date Anti-Virus definition files. Before I knew it, I had an infected machine.
There seems to be 2 problems.

(1) After restarting the computer, Windows File Protection gives following message.

Windows File Protection
Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files. Insert your Windows XP Profession CD2 now.

I have Dell OEM Windows XP Media Center 2005 installed on my Dell Dimension 5150/E510. Problem is, Dell has a Windows XP re-installation CD but Dell states there is no 'CD2'.

(2) I keep getting pop ups every time Internet Explorer is open. The pop ups occur on their own.

Hopeful you can help me to fix the problem. :confused
Thanks,
Ankur

p.s. Please note, the AVG Anti-spyware log is not attached because it was not generated by the tool. I scanned my computer using Trend Micro (after updating virus definition files) and I can provide the logs if you need.
 

Answer:Malware problem not fixed with Malware Removal instructions

Welcome to Major Geeks!

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
Java 2 Runtime Environment, SE v1.4.2_03

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

F3 - REG:win.ini: load=C:\WINDOWS\system32\mlljg.exe
O2 - BHO: (no name) - {3F7BDD0B-0462-4F19-8B87-54D83601B87C} - C:\WINDOWS\system32\mlljg.dll
O2 - BHO: (no name) - {B8AFD866-6B8B-490E-DA2E-39E671810F96} - C:\WINDOWS\system32\mknamps.dll (file missing)
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime

After clicking Fix, exit HJT.


Now download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop
Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the Quote box below, and paste it in the box that opens:




Files to delete:
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\mlljg.exe
C:\WINDOWS\system3... Read more

9 more replies
Relevance 91.43%

The latest: Removal Tool from Symantec:

http:[email protected]html
EDIT:
PLEASE NOTE: Since Symantec did a major change on how to handle this worm from their first instructions, (and my first post) I have totally modified this post, as of 0326 EDT Sept 20, 2003, to reflect those changes. This should avoid the problem that Alison had and was most likely the reason for Symantec's change.

You have been bitten by the latest worm, [email protected], and want to know what to do and how to get rid of it.

We here at TSG want to make that process easier for you.

The following is a short(er) version of what can be found at Symantec's site.
http:[email protected]

Please go to the above link and read and understand about the Swen worm first, then return and follow the short version.

Removal Instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec and Norton AntiVirus product lines.

1. Disable System Restore (Windows Me/XP).

How to disable or enable System Restore in Windows ME

How to disable or enable System Restore in Windows XP

2. Modify the association for Registration Entries ( .reg files).
3. Create a repair.reg file on Desktop, double-click on repair.reg file to fix association settings for other file types.
4. Update the virus definitions.

5. Do one of the following:
a. Windows 95/98/Me: Restart the computer in Safe mode.
b. Windows NT/2000/XP: End the Trojan process.
6. ... Read more

Answer:[email protected] Worm Removal instructions + New Removal Tool

16 more replies
Relevance 91.02%

Here is the issue I was having prior to the "read me first" steps:

1) Search engine redirect: where I search for something via google, bing, or yahoo and when i click on the results it sends me to some unrelated website

Here are the issues i am having after "read me first" steps:

1) Search engine redirect: where I search for something via google, bing, or yahoo and when i click on the results it sends me to some unrelated website

2) I am having trouble opening file folders. I get an error message the windows has stopped working and then it searches for a solution and shuts down. I cannot even open up the file folder.

3) When I right click a file or folder, a windows installer window appears and attempts to either download something or install something. It seems to have something to do with Adobe.

I have no clue what all these logs mean. I just followed the steps and retrieved these logs.

View attachment combofix log.txt
View attachment 140457
View attachment defogger_disable.log
View attachment hijackthis.log
View attachment mbam-log-2010-07-02 (03-36-52).txt

Answer:Malware Removal Instructions Complete... Problems still exist

View attachment MGlogs.zip
View attachment RRlog.txt
 

11 more replies
Relevance 88.97%

Very Important: Malware infections can possibly lead to identity theft, stolen bank funds, misuse of credit card information etc. Therefore we strongly encourage you to read this thread before deciding what course of action to take regarding your infection.

If after reading the above you wish to clean your system, please follow the steps below and create new topic HERE

NOTE: This thread is a work in progress. As malware evolves, so must the programs that find the bad entries and remove them. Thanks to all the members who have kept this progress going.

These steps are NOT meant to be a ONE-STOP-FIX-ALL.
If your computer cannot stay running, as in it either cannot boot, or, it is automatically restarting after a certain amount of time, then just start a new thread and ask for help.
They only serve to help you produce some logs, so we can see if your system needs further attention and cleaning.
Please make sure to complete ALL the steps in this thread, in the order that they are listed BEFORE you post the requested log files.
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it into a couple of replies.
Please run all scans in Normal Mode unless instructed otherwise. If you are not able to access Normal mode, please let us know.
Do NOT perform a System Restore while we are cleaning, as this can reinfect the system.
Please stay with your thread. We usually mark your thread inactive after five days, to help maintain the list of active topics... Read more

Answer:UPDATED 4-Step Viruses/Spyware/Malware Removal Preliminary Instructions

Instructions have been shortened and updated for future convenience towards users as well as helpers.
Credits to originator, Blind Dragon, and a few others, namely - kimsland, xxdanielxx, CCT, and Bobbye for their input.
 

2 more replies
Relevance 88.97%

This is what I came up with:
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:31-08-2015
Ran by Intel (administrator) on INTEL-PC (01-09-2015 12:30:20)
Running from C:\Users\Intel\Desktop
Loaded Profiles: Intel (Available Profiles: Intel)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser not detected!)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)


Answer:Followed the UPDATED 4-Step Viruses/Spyware/Malware Removal Preliminary Instructions

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)


3 more replies
Relevance 88.15%

Apple has finally accepted that there is a malware problem affecting many of its customers and plans to stop it with an upcoming system update.

The problems began earlier this month with a black hat search engine optimization campaign launched by scareware distributors on Google Images.

Such campaigns are common and one can pretty much expect to find rogue links among the top search results for all hot topics at any given time.

However, this time it was different because the cyber crooks also targeted Mac OS X users via a piece of scareware called Mac Defender that was specifically designed for Apple's platform.

Scareware, or rogueware, are terms that refer to fake applications that trick victims into paying for licenses in order to fix fictitious problems on their computer, usually malware infections.

Ironically, for a user base that largely doesn't trust antivirus programs and believes that Macs are malware-free, a lot of people ended up installing Mac Defender.

By extrapolating from tech support call figures related to this issue, ZDNet recently estimated that between 60,000 and 125,000 Mac users were affected by this piece of scareware.

What's worse, Apple apparently prevented its tech support operators from telling users how to remove the malicious program on their own.

However, after the issue got significant press coverage Apple published a knowledge base article of its own, which includes manual removal instructions.

The company makes some mist... Read more

Answer:Apple Late to Anti-Malware Party, Issues Alert and Removal Instructions

Good to see that they are taking action, since malware is now appearing quite a bit more on the Mac.
 

1 more replies
Relevance 87.33%

Hello, a friend has dropped off a broken Windows XP computer with me for repair. They followed http://www.bleepingcomputer.com/virus-remo...-security-suite this guide's 'automated removal' section and now the PC bluescreens in both normal and safe mode. Looking for guidance as to what they might have broken. Thoughts? The BSOD is a stop c000021a - windows logon process system process terminated unexpectedly with a status of 0xc00000005 (0x00000000 0x00000000).

Answer:BSOD after following "automated removal instructions for security suite using malwarebytes anti-malware guide

Hi.

The majority of references I see for this... are for Win 2K. XP users who have this error... don't really seem to get a resolution of any sort that I can see.

From looking at the Win 2K references, I'd say that the registry is jumbled. A repair install effort would be worth a try... but I suspect that a clean install will be the ultimate resolution.

Some Google Links.

Louis

1 more replies
Relevance 81.59%

This morning, I got spyware that took me to needupdate.com, and I used a bunch of spyware removal programs, but only Spybot S&D found 6 entries for Smitfraud-c. I have since followed your special removal directions for Smitfraud-c. I no longer go to needupdate.com when launching IE. However, when I ran the PandaScan, it found 3 entries which appear to be quarantined. Afterwards, I ran Spybot S&D again, and it found 5 entries for Smitfraud-c this time.

Should I just run the special removal procedure 5 more times or until the entries disappear? I assume the next step would be to use the READ & RUN ME FIRST PROCESS. The PC seems to run well as of this posting. The smitfiles.txt says it is clean but those 5 Smitfraud-c entries worry me. Thank you very much for your time!!

Inline logs attached!
 

Answer:Performed the Special Removal Procedure

Post the log from Spybot
 

14 more replies
Relevance 79.54%

Staff Advisory: This post needs to remain here until one of the malware team advise that it can be moved. This member cannot access our malware forums due to their infection. ~ Animal

Hello, I got some help from some nice people in the live chat. I have made a log with your hijackprogram and am posting it at the bottom. It created two .txt files so there are two reports. I am unable to open ANY link that has the words anti-spyware anywhere on the page or in the address bar so unfortunately I cannot post this in the malware removal forum because the internet window closes every time. I am in dire need of some help! I have a subscription to spy sweeper and it is keeping things out but I was infected with Antivirus xp 2008 and possibly some viruses because the computer was un-protected for about a month while I was in the hospital. I run with Windows XP and a wireless connection. If someone could take the time to look at this for me I would be so incredibly thankful! I offer my services as a photographer/graphic artist/professional gift shopper/myspace designer/beginner web designer. You can see what I do at www.perfectionpictures.com and contact me if you need anything at all!

Current Symptoms (in the order of appearance)

Random Total system crash then restart then blue screen then back to windows. msvcp71.exe is missing so a program is being prevented ... Read more

Answer:Antivirus Xp 2008 Removal Help/am I Infected? Can't Open Malware Removal Forum

Hi & welcome,

I would like to try a couple things before we go much further so I have a bit better picture of what is happening and can take the needed cautions.

1.) Click start> run> type msconfig and hit enter.
Click the "boot.ini" tab
Checkmark /bootlog
Click "apply" and "close"
Reboot when asked
Locate and delete this file:
C:\windows\ntbtlog.txt (in case your extensions don't show it looks like a notepad)
Reboot
Locate & post:
C:\windows\ntbtlog.txt

2.) Click start> run> type: cmd.exe and hit enter.
Type the following commands exactly as you see em & hit enter after each one:
cd c:\windows\system32
dir userinit.exe
Note the file size please & report that back to me. Leave cmd open a sec.
Back at the cmd window...
Type:
cd dllcache
dir userinit.exe
dir spoolsv.exe
Note file sizes & report that back to me.
Type exit in the CMD window & hit enter. (this closes it)

3.) Can you see also if you can get this program installed please:
http://download.bleepingcomputer.com/hijac.../HJTInstall.exe
Save file> run it> follow prompts to install accepting defaults.
Allow it to "launch" hijackthis.
Click the "Do a System Scan and Save a Log File" option
Save the log file and then it should open with Notepad
Go to Edit, Select All and then Edit, Paste to paste the contents of the log here

Let me know if you had any problems with the above please.

I advise keeping the system offline as much as possib... Read more

3 more replies
Relevance 79.13%

Apologies, but i'm a bit of a novice. my computer did a scan when i started it and came up with some trojans. when i tried to delete them, a malware removal programme tried to install itself so i closed the download dialog box. unfortunately, i cannot remember the name of the software that was trying to install itself. please would you review my log below and help me clean my computer?

many thanks
---------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86
Run by 0 at 19:57:35.67 on 02/01/2010
Internet Explorer: 7.0.6001.18000
Microsoft? Windows Vista? Home Premium 6.0.6001.1.1252.44.1033.18.3000.1826 [GMT 0:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============


Answer:attempted removal of trojans try to install "malware removal software

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies
Relevance 78.31%

Hi,

I have tried many ways to get rid of some Malware that has only recently infected my PC. I hope someone can help me as this is my work PC and I need to plug back into my office network in a few days, but think this would be a bad idea at the moment.

The problem first showed itself by insisting I had many viruses etc, and I should install Internet Security 2010. I have installed Malware Bytes removal tool, and installed as instructed. It found the above, said it was removed, but still it appears to exist, although the name of the infection has changed a few times, and is currently redirecting my browser to a similar page to the above malware. A popup now shows that I should install Cyber Security to remove the infections. This is obviously another malicious antivirus/malware program.

I have McAfee Enterprise installed (which I can't seem to disable)

I have also run SuperAntiSpywarePlus, which did the trick removing a similar problem about a year ago on a different PC. However, although this program also finds problems, and supposedly removes them, the problem is still there.

Please help. I have shown Hijackthis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:42 PM, on 29/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Normal

Running processes:
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\... Read more

Answer:Cyber Security removal; Malware removal not working

Hi,

I have tried everything I know of to remove this pesky piece of malware. It seems to keep changing names, starting out as Internet Security 2010, and redirecting me on a google search to a webpage trying to convince me I was riddled with viruii and malware, and then trying to sell me their software, which is really just a scam. I ended up here after a few days of tearing my hair out, almost beaten. I went through the tutorials, but unfortunately that was before I fired off a post in desperation. Please delete my previous post, as I have now followed the suggested path, and run the utilities to help diagnose my problems. The resulting files are attached.

Please help. I hope the files uploaded can provide an insight into what's happening.

Apologies for jumping right in and posting a Hijackthis log before I had read the tutorials.

DDS.txt contents pasted below

DDS (Ver_09-12-01.01) - NTFSx86
Run by Greg.Middleton at 15:30:23.26 on Tue 29/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.3063.2330 [GMT 9.5:30]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
C:\windows\Syst... Read more

3 more replies
Relevance 76.67%

Hello!
In reading more of these threads I can see I'm not the only one with the iexplore issue.
Glad to know it can be corrected!!!!

I have multiple pop-ups and my computer is as slow as dirt.
When I get home at 3:30 Calif time I will do the HJTInstall.exe thing and post the results.
Would the results of one that was done two days ago help? Yes I was having the issue then and another company did one and told me to email it to someone, which I did but I haven't heard anything back and my computer is close to useless at this point.
Can MFDnNC or anyone else help?
Thanks!!!!
Ginny
 

Answer:malware removal/popup/iexplore removal

16 more replies
Relevance 76.67%

Since the ComboFix will not run on Vista or Windows 7 64-bit, I have to look for new malware/virus removal apps... It was good while it lasted. So what tools do people use for Vista these days when the computer says: "WARNING! YOURS COMPUTER IS AN INFECTED BY HARMFUL VIRUS!!!!"

Answer:64-Bit Virus Removal & Malware Removal Tools?

64-bit Anti-Virus:
List of 64-bit Anti-Virus For Vista
Anti-virus protection in 64-bit environments

Free Anti-virus:
avast! Free Antivirus
Avira AntiVir Personal - Free Antivirus
AVG Anti-Virus Free Edition 8.5
Microsoft Security Essentials
Panda Cloud Antivirus
Kingsoft Free Antivirus (Cloud Scan)

Paid for Anti-virus:
NOD32 Anti-Virus Personal
McAfee AntiVirus Plus
Trend Micro AntiVirus plus AntiSpyware
Norman Antivirus & Antispyware
CA Anti-Virus Plus Anti-Spyware

64-bit Anti-Malware tools:
Malwarebytes Anti-Malware
SUPERAntiSpyware
Kaspersky Virus Removal Tool - How to install and use documentation
Spyware Terminator
Windows Defender (64-bit)
Prevx
Spybot S&D
Ad-Aware
Norman Malware Cleaner
Sunbelt Counterspy (free Trial)
Comodo BOClean Anti-Malware
Sophos Anti-rootkit
SanityCheck Advanced Rootkit and Malware Detector
ESET Online Antivirus Scanner
ESET SysInspector
AnVir Task Manager Free
WinPatrol

Start with these:
How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer
How to use SUPERAntiSpyware to scan and remove malware from your computer

3 more replies
Relevance 76.67%

I followed the instructions on this website (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010) and everything progressed very normally. When I was done with the Malwarebytes scan and removed all of the infected files, Malwarebytes asked me to restart my computer to apply the changes so I said yes. That was the last time my computer worked. Now during the boot screen I get the blue screen of death. I don't have the Windows Vista install disk to repair the computer (the version is Home Premium and all I had was Ultimate). When I tried the Ultimate version of the Windows Vista CD to boot and repair from, it found a problem but couldn't fix it.

Looking at the log, the root cause was an unknown bugcheck called bugcheck7e and the Windows repair failed because of the error code 0x490.

I really don't know if that information helps but I hope it does.

I think what I am looking for is maybe an ISO of Windows Vista Home Premium, because maybe the different versions caused my Windows repair to fail, but I could really use some help.

Answer:BSD after following removal instructions

Hello,

OK, this file is big. Print these instructions out so that you know what you are doing.

Two programs to download

First
ISOBurner: this will allow you to burn OTLPE ISO to a CD and make it bootable. Just install the program; from there on in it is fairly automatic. Instructions

Second
Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 292Mb in size so it may take some time to download.
When downloaded, double click and this will then open ISOBurner to burn the file to CD
Reboot your system using the boot CD you just created.
Note: If you do not know how to set your computer to boot from CD follow the steps here
Your system should now display a REATOGO-X-PE desktop.
Double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start. Change the following settings
Change Drivers to Use Safelist
Press Run Scan to start the scan.
When finished, the file will be saved in drive C:\OTL.txt
Copy this file to your USB drive if you do not have internet connection on this system
Please post the contents of the OTL.txt file in your reply.

2 more replies
Relevance 76.67%

I have completed the Malware Removal Guide, ran CCleaner, CounterSpy, BitDefender, PandaActiveScan, GetRunKey, ShowNew, HijackThis. I just need to know if I have cleaned this computer. Can you tell by looking at my logs? I will attach the other files on another post.

Thanks!
 

Answer:Followed the removal instructions, what's next?

Additional files to my previous post.
 

4 more replies
Relevance 75.85%

Hi,
My thanks to all who have played a role in the creation of the Home Search Assistant/CWS_NS3 Removal Guide. I followed the steps contained therein and I no longer have a hijacked browser or any adware/spyware running. I have one side effect, however. Whenever I try to launch IE or any other Office product, a Windows installer launches and attempts to configure Microsoft Office XP Professional. It dies while looking for the file PRO.MSI from the network host where it installed from initially, which is no longer connected or around at all. Oddly enough, cancelling out of the install window allows the app to launch without any problems. Apparently the removal process I undertook wound up deleting a file that, when missing, tells Windows to reinstall and configure Microsoft Office XP Professional. Any ideas on how to fix this?
Thanks in advance

Answer:Removal instructions worked, but..

Hello and welcome to BleepingComputer. I hope you enjoy your stay.

We had the exact same problem at school and reinstalling Office worked fine.

You can also try disabling Windows Installer. It is not often needed and can just be enabled again.

If you need anything else feel free to ask.

1 more replies
Relevance 75.85%

Hello, first I was hoping to get one of two fragged comps working perfect (well, close to it) by removing freeze.com from popping up randomly when I am surfing the web. I had the instructions once before, but I can't find them any more. I have run HijackThis and nothing odd popped up there. Well, I remember it was fairly simple if you knew what you were doing, but I don't remember. Thanks for any help you can offer.

Answer:freeze.com removal instructions

Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop. (alternate download link)

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

Please download Malwarebytes Anti-Malware (v1.46) and save it to your desktop. (Download Link 1, Download Link 2)

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any c... Read more

1 more replies
Relevance 75.85%

Hi All
I have found an effective way to get rid of this virus that has been fraudulently attached to an otherwise trustworthy program.
This will work for windows vista users with system restore only
Go to start and type in the search box “system restore”, if a security window pops up just click continue.
Select the recommended restore radio button and then click Next. Then confirm by clicking Finish.
Then wait for your computer to go through the restore process.
As soon as it restarts, boot up your favorite anti virus and scan for any leftover files, remove them and enjoy a working PC.
Hope this helps

Admins: I am an ex security worker for a British broadband company and found a way to deactivate and remove this trojan that is being attached to WinRAR off CNET's website. This kind of needed a home, as most places were prompting people to go into registries and such, which could damage the machine if done by the wrong people.
 

More replies
Relevance 75.85%

Hello; Many thanks in advance - here's the main:

Deckard's System Scanner v20071014.68
Run by Maria on 2008-01-30 16:24:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-30 16:30:11
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\RTHDCPL.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\WINDOWS\vsn... Read more

More replies
Relevance 75.85%

I recently infected my computer with Aurora to see if I could remove it as kind of a challenge. I did it and I'd just like to help out those perplexed souls looking for answers.

To some this is a step-by-step guide to removing Aurora. To others it is a reference for removing any malware. And to others still, this is just a document that contains useful information. The sections are titled, to make it easier to find information on specific tasks.

I haven't come across any real instructions for removing Aurora in any forum post or website yet, except of course for the myPCtuneup.com uninstaller. That uninstaller will be sufficient for some, who don't mind swallowing their pride and clicking "I Agree" to a statement saying they wanted Aurora on their computers to begin with. I am not one of those people, and if you consider yourself an advanced ("power") user, you probably aren't either. I'm also sure the various malware removers will catch up to Aurora eventually. This obviously is for those who would rather not wait.

These instructions should ONLY be carried out if you have advanced knowledge of computers and Windows XP, are familiar and comfortable with modifying and deleting registry entries, system files, and services (processes). DO NOT TAKE THIS STATEMENT LIGHTLY. These instructions really are intended solely for very advanced users.

Many people with advanced knowledge will be able to remove Aurora without my help - if so, kudos. But this i... Read more

Answer:Aurora Removal Instructions

Nice job. It's kind of ironic because I just wiped my other computer's hard drive less than 2 hours ago because I couldn't figure out how to get rid of Aurora lol. Wish I would have checked here first now.

1 more replies
Relevance 75.85%

Hey there forums. I have a bit of a problem. I seemed to have caught the SMART HDD virus on my laptop and am having problems getting rid of it.

When I realised that the laptop had contracted something I out of habit did a Malwarebytes scan and then rebooted when prompted. After reboot the problem still persisted so I ran a ESET scan to see if some infections were left behind. After that scan the problem still existed so I then did a Google search leading me to some instructions from the site on how to get rid of SMART HDD.

I've followed these instructions here: http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd but no luck. When I boot back into Windows normally I get the error message "A Write command during the test has failed to complete", the SMART Repair pop-up, a black background and the lack of onscreen icons.

At this point I'm out of ideas and am looking for guidance. I followed all of the steps, 1-19 but by the time I got to 19 I saw that the pop ups still appeared. Any help would be appreciated. I am using an HP G62 Laptop with Windows 7 Home Premium. Thanks in advance.

Answer:S.M.A.R.T HDD is resisting removal instructions

Looks like we need to get deeper. Can you do this... Please go here.... Preparation Guide, do steps 6-9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run (may not on 64 bit), skip it and move on. Let me know if that went well.

5 more replies
Relevance 75.85%

I have followed the instructions for the removal of AntvirGear Removal (Free) (Automated). I am unable to proceed beyond para 6 of this instruction. I get the credit screen but when I press 'any' button the screen freezes. I have deleted the SmitfraudFix program twice and reloaded but to no avail. I must have tried at least 12 times but every time it freezes at the same point. Any suggestions please?

Answer:Antivirgear Removal |(instructions)

I suggest you try doing it in safe mode if you have not already. Get to Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

8 more replies
Relevance 75.85%

I followed the instructions in the Malware removal guide. I was unable to start up in safe mode (only shows F1 and F10 (setup and recover) at start-up). I was in normal start-up for removals and on-line scans. Bit-Defender found nothing, so I've not attached notes from that. I will attach results from Counter Spy, PandaActiveScan, and GetRun Key to this note and send a second note with Show New and HJT files attached.

Any Help and Instructions would be appreciated. At moment, issues seem to be following: (1) Following any long period of time (hours, usually) I will find my screen scrambled with the "start and bottom icon" line reduced in size and at the top left. Touching mouse changes screen and freezes it. Only fix is to shut off computer using 'on-off' button on CPU and restart. (2) When trying to move or find files when I click on 'computer' system takes forever (minutes) to display the drives attached to computer and shows a little flashlight looking for them. This is a recent phenomenon. (3) I use Flasser program to get rid of Lasser worm following installation of NetGear WG111 v2 wireless adapter (USB) with its security issue. Have service pack 2 but still have to re-run Flasser on fairly often basis (every few days).

Thanks for any help,

AUTiger
 

Answer:Followed Removal Guide Instructions - Now What?

Followed Malware Removal Guideline - Now What? 2nd Note with 2 more attachments

Attached are the Show New and HJT files.

Thanks,
AUTiger
 

11 more replies
Relevance 75.85%

I've seen some posts here about removing Spy Axe but it seems like everybody's case might be a little bit different. What should I do and/or what information do you need?

Keep in mind; I have no idea how to obtain my Hijack Log.
 

Answer:Solved: Spy Axe Removal Instructions?

16 more replies
Relevance 75.85%

Hello, I was asked to post here, sent from the "Am I infected? What do I do?" forum, regarding S.M.A.R.T HDD resisting the removal steps.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64 MINIMAL
Internet Explorer: 9.0.8112.16421
Run by Michael at 0:06:26 on 2009-07-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2811.2384 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe... Read more

Answer:S.M.A.R.T HDD is resisting removal instructions

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

71 more replies
Relevance 75.85%

I have or had the about:blank spyware on my system. Here are the steps I have taken so far:

A. Followed your READ and RUN ME FIRST instructions, as well as I could.
B. Followed special removal instructions for about: Blank, simplified.

Attached are the logs requested (I hope!)

Thank you so much for your help in cleaning my computer! I appreciate it greatly and look forward to your reply.

jody
 

Answer:following about:blank removal instructions

More log attachments....the bdscan file will not upload...I tried twice.

Again.....thanks so much for your help and detailed instructions.

jody
 

5 more replies
Relevance 75.85%

For trojan.attack. Can anyone advise me? Thanks!
 

Answer:Looking for manual removal instructions

Are you having problems with this? Are you getting any messages about having to pay a couple hundred dollars to remove malware from your PC? Are your files being held for ransom?
 

5 more replies
Relevance 75.85%

Hi

I'm having problems with Spyware, mainly in the form of pop-ups (888.com, dell, various casinos etc). I've followed your instructions but still haven't solved the problem. The tools (Spybot, MicrosoftAS etc) have improved the situation but it has not gone away completely. Occasionally (very) I have system freezes and I couldn't follow your instructions 100% as MicrosoftAS wouldn't work in safe mode. I ran this in normal mode, but whenever I do this, the system freezes after the scan (incidentally, the scan results were clear).

The problems seem to have started since I started using Limewire version 4.9.33. Do I need to uninstall this? I've also received various invitations to download Winfix and have followed the sticky thread on this, but HTF doesn't show up any bad files.

I attach my HTF, BitDefender, and Pandascan logs. The Bitdefender log seems to indicate a problem. Your assistance is much appreciated.

MonkeyCat
 

Answer:Spyware removal - I've followed your instructions

Please do not use the paper clip to attach links in line. That makes them harder to read because you must login again. Just attach them like I did in your message. (I changed them.) Looks like you ran Panda before BitDefender. Is that correct?

I'm also surprised that the below still are found. Did you run Ccleaner on this account or a different account name?
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\3NPDHPL6\toolbar2[1].htm
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\F37BVQPL\bridge-c24[1].cab
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\F37BVQPL\bridge-c24[1].cab[MediaGatewayX.dll]
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\GTYZSXUN\xml_istbar[1].xml
C:\Documents and Settings\James Heseltine\Local Settings\Temporary Internet Files\Content.IE5\YB4BEHOR\uninstaller.prod.24oct2005.exe[1].67ed8085ef4da0dd46732bc56aa91a66

Either delete the files manually or run Ccleaner on James Heseltine and make sure that the Temporary Internet Folder is selected for cleaning.
 

49 more replies
Relevance 75.85%

Several days ago my computer was infected with Spylocked. I tried to remove it by deleting from Programs, Startup, and Add/Remove Programs, and although some items were deleted, I still get the flashing little icon in the screen's lower right panel. So I guess that I am still infected. I'm not too smart on this stuff, so instructions should be simple enough.
Thanks very much.
Larry Opheim
 

Answer:Spylocked-Need Removal Instructions

9 more replies
Relevance 75.85%

Please advise, I don't know what to do.

I ran a symantec online virus scan and came up with the following infected files:

C:\WINDOWS\system32\plvovafv.dll is infected with Trojan.Vundo
C:\WINDOWS\system32\pilsympw.dll is infected with Trojan.Vundo
C:\WINDOWS\system32\bodqvcvg.dll is infected with Trojan.Vundo
I tried using a couple of programs, VundoFix and FixVundo, but neither detected these files.

Here is my HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:35:26 AM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program fi... Read more

Answer:Need Instructions for Vundo Removal

Hi and welcome

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
 

3 more replies
Relevance 75.85%

I can't remove this software. I want to install iolo antivirus and iolo keeps telling me to remove ThreatFire. I can't. What can I do?
 

Answer:Threatfire pro removal instructions

This is not a malware issue so I moved it to the Software Forum for you.
 

3 more replies
Relevance 75.85%

I am a little confused by the Automated Removal Instructions for SPYDAWN posted here http://www.bleepingcomputer.com/forums/t/81275/how-to-remove-spydawn-removal-instructions/ at the end of STEP # 8 Disk Cleanup. It says to go to Step # 11? Does this mean you should not complete steps 9 & 10? This is confusing to me or I'm reading too far into it. Could I get some input on this? Thanks

Answer:Spydawn Removal Instructions

Steps 9 and 10 are providing some specific information of what to do while in the process of doing disk cleanup. It is after disk clean-up is completed that you do step 11. I hope this clarifies things for you.

Orange Blossom

3 more replies
Relevance 75.03%

Hi, I've followed the Virusburst removal instructions up until item 13.16 which asks me to open the SmitRem folder I previously created on my own user desktop. But in the safemode and logged in as administrator this folder doesn't appear on the desk top. What should I do now please? Thanks

Answer:Using 'how To Remove Virusburst (removal Instructions)'

Hi I found the only way I could remove VirusBurst was to run Prevx1, all other ways failed

3 more replies
Relevance 75.03%

Hi there, thanks in advance for any help. I appreciate there must be so many requests for help about removing this pain in the proverbial malware but I wanted to post my own thread so you could check out my Hijack This log - which I will post shortly.

Bit of Background:

SpyBot picks up Zlob DNSChanger every time I run it. Also, PCTools 'Spyware Doctor' has also been picking up various other Zlob infections over the last week or so (since I downloaded it) which keep coming back, which I guess is expected behaviour.

This malware is giving me intermittent access to websites and also preventing me from downloading updates to Spyware Doctor (unless I get lucky after 'Fixing' the latest Zlob find in SpyBot!). Windows Updates also are impossible and Zone Alarm went up the swanny too so I have uninstalled that for the time being.

When I fix the infections found with Spyware Doctor I generally lose access to webpages and I have to reboot. I then have to wait ten minutes for my account to log in (it just sits on a blank screen and services take ages to kick in). Once logged on I can then gain web access again but...you guessed it...the Zlob infections are found on next scan (both SpyBot & Spyware Doctor).

Oh yes - I get the unwanted adverts too on websites i.e. Do I Want a Bigger Penis, Vimax adverts etc etc. Boo!

So there is a bit of background - I will now go off and get my Hijack this log and hope that someone can let me know what to do step by step to tr... Read more

Answer:Zlob.DnsChanger Removal Instructions

16 more replies
Relevance 75.03%

Symantec has the removal instructions up.

HOW TO REMOVE W32.SPYBOT.WORM

=========================================
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode.
Run a full system scan and delete all the files detected as W32.Spybot.Worm.
Delete the value that was added to the registry.
Delete any zero-byte files in the startup folder.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the ... Read more

Answer:W32.spybot.worm REMOVAL INSTRUCTIONS!

13 more replies
Relevance 75.03%

Somehow my wife spilled a small glass of juice on my new SL400 keyboard. The laptop still works OK except that several useful keys on the right side of the keyboard are slow to bounce back, not to mention "crunchy". I'm fairly adept at computer repairs but I'm hoping to find some instructions on how to remove, clean and reinstall the keyboard. Thank you.

Answer:SL400 - Instructions for keyboard removal?

Thinkpads have a great resource in the series of Hardware Maintenance Manuals (HMM). There are detailed instructions on how to take apart your system and the part numbers associated with each major component. You can download a copy (Adobe Acrobat format - .PDF) for the SL400 from here: http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-69929

The one extra piece of advice that you need is to have a system in place where you can accurately keep track of the different screws that are removed and know exactly where they go back into the laptop. In some cases you can cause some damage to the laptop if you are not careful and end up installing a long screw in a short hole. With only the removal of the keyboard, you're probably looking at half-a-dozen screws, with three different lengths so it shouldn't be too bad.

1 more replies
Relevance 75.03%

I have been looking into this little bugger for a while and have compiled what I hope is generic removal instructions that should help rid people of this nasty little parasite once and for all.
http://www.techmonkeys.co.uk/viewtopic.php?p=2968#2968
 

Answer:Aurora and Nail.exe removal instructions.

7 more replies
Relevance 75.03%

i ran an ewido scan in normal bootup and it picked up "trojan.pakes" but it could not delete it and encountered an error......... plz help me get rid of this thing !

Answer:Trojian.pakes, Removal Instructions Plz

What file did it find? PLease give detailed information as to what ewido found.

11 more replies
Relevance 75.03%

Security Tool Removal Instructions
Security Tool is a so called rogue antivirus software that is distributed by various means including malicious software like trojans but also popups on the Internet which will display a fake message that the computer is infected and needs to be secured by downloading the rogue security program. Security Tool will perform a series of tasks once it is running on a computer system. This includes blocking legit software from being executed and displaying false security warnings to promote a "full" version of the program that the PC user should buy to protect the computer system. The files that it displays as malicious or infected are not in fact which can be proven by testing them with a legit antivirus software.
Security Tool will add itself to the list of autostart programs in Windows. It will automatically perform a scan upon startup that will display the fake infections in the end. The "make money" part comes into play when the user tries to remove the infections with the rogue program. The rogue AV will notify the user that a license needs to be purchased before the infections can be removed.

Answer:Security Tool Removal Instructions

I just ridded this ***** from my wife's computer a few minutes ago. It was located in the Windows/Prefetch folder and am running Malware Bytes to make sure all traces are gone.

1 more replies
Relevance 75.03%

Scammers Are Using a Fake Version of AdwCleaner to Trick People
Lowell Heddings
11 Feb 2015







Lowell Heddings, the How-to Geek said:

The latest trend in the awful Windows ecosystem is pretty ridiculous - scammers have a fake version of the reputable AdwCleaner tool, which is a real tool for Windows experts. And this one pretends your computer is infected and tries to make you pay them to remove it.

AdwCleaner is indeed a real freeware tool, with a good reputation for removing spyware and adware. It's not as well known as MalwareBytes because it's not all that user friendly, since it is meant for Windows experts rather than regular users. And the scammers have tried to mimic the interface, stealing the logo, and even ripping out the icon (badly) for their fake version.


image: How-to-Geek
The ironic thing is that this is getting on people's PCs that are already infected with adware or spyware of some type, which then keep popping up windows to a page that looks like this one... which tells you that adware is detected. Which is surprisingly accurate, although the fake app isn't going to remove that adware.

Once you click through that dialog, it'll give you a scary message like this, telling you to download AdwCleaner. Since you've probably heard your geeky friends talking about AdwCleaner, a normal user might be tempted to download it.

...more



Only download software from reputable websites!! Author (Xplode) ... Read more

Answer:Fake AdwCleaner: with removal instructions

Thanks for the heads up.

3 more replies
Relevance 75.03%

Scammers Are Using a Fake Version of AdwCleaner to Trick People
Lowell Heddings
11 Feb 2015







Originally Posted by Lowell Heddings, the How-to Geek


The latest trend in the awful Windows ecosystem is pretty ridiculous - scammers have a fake version of the reputable AdwCleaner tool, which is a real tool for Windows experts. And this one pretends your computer is infected and tries to make you pay them to remove it.

AdwCleaner is indeed a real freeware tool, with a good reputation for removing spyware and adware. It's not as well known as MalwareBytes because it's not all that user friendly, since it is meant for Windows experts rather than regular users. And the scammers have tried to mimic the interface, stealing the logo, and even ripping out the icon (badly) for their fake version.


image: How-to-Geek
The ironic thing is that this is getting on people's PCs that are already infected with adware or spyware of some type, which then keep popping up windows to a page that looks like this one... which tells you that adware is detected. Which is surprisingly accurate, although the fake app isn't going to remove that adware.

Once you click through that dialog, it'll give you a scary message like this, telling you to download AdwCleaner. Since you've probably heard your geeky friends talking about AdwCleaner, a normal user might be tempted to download it.

...more



Only download software from reputable websit... Read more

Answer:Fake AdwCleaner: with removal instructions

Google's blocking most if not all of Filehippo downloads. At least, that was the case in the very recent past.

2 more replies
Relevance 75.03%

Spybot S&D has identified but cannot remove SmitFraud. After a bit of searching, found this forum with the help I needed under USER SELF HELP MALWARE REMOVAL GUIDE / SMITFRAUD and It's Variants Removal Guide. I have followed the "5 Steps before Posting a Log" and began the SmitFraud removal procedure, but came to an abrupt halt after installing AVG Anti Spyware. The procedure references AVG ver 7.5.1.36. I have installed AVG ver 7.5.5.03 and instructions don't match what I see. I was able to make Resident Shield inactive and get an Update (w/o the progress bar), but the last six instructions have me baffled... which is not all that hard to do! Things kept going south... somehow AVG ran a scan, I think it was scheduled. I hope someone can find out where I am and get me pointed in the right direction.

Answer:Is there an update for SmitFraud removal instructions?

Thought about it / got bored and ran DSS. I will attempt to paste and attach resulting files.

Deckard's System Scanner v20071014.68
Run by JR on 2007-12-16 09:24:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
24: 2007-12-16 15:24:28 UTC - RP1088 - Deckard's System Scanner Restore Point
23: 2007-12-16 13:59:52 UTC - RP1087 - Spybot-S&D Spyware removal
22: 2007-12-16 13:20:57 UTC - RP1086 - System Checkpoint
21: 2007-12-15 12:57:24 UTC - RP1085 - Spybot-S&D Spyware removal
20: 2007-12-14 21:00:56 UTC - RP1084 - Installed AVG 7.5


-- First Restore Point --
1: 2007-12-05 20:08:56 UTC - RP1065 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3 GiB (less than 15%) free.


-- HijackThis (run as JR.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:50 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
... Read more

19 more replies
Relevance 75.03%

On my new Lenovo laptop (Win 10), I read the conditions carefully and found that Trovi.com was required to accept. All I have read re Trovi has been negative, and I want it off my machine.

I've followed Malwaretips.com's removal instructions, but none of the recommended scans can identify any Trovi threats. I know it could be called "Search Protector," but nothing shows under that name. Hitmanpro has no Win10 version.

HELP! Am I worrying needlessly or should I pursue this?
 

More replies
Relevance 75.03%

The "Votre ordinateur est bloque" lock screen is a computer virus (Trojan:W32/Reveton), which will display a bogus notification that pretends to be from the French police (Ministère de L'intérieur) and states that your computer has been blocked due to it being involved with the distribution of pornographic material, SPAM and copyrighted content.

The "Votre ordinateur est bloque" virus will lock your computer and applications, so whenever you try to log on to your Windows operating system or Safe Mode with Networking, it will instead display a lock screen asking you to pay a non-existent fine of 100 Euro in the form of a Ukash or PaySafeCard code.

Furthermore, to make this alert seem more authentic, this virus also has the ability to access your installed webcam, so that the bogus "Votre ordinateur est bloque" notification shows what is happening in the room.

To remove the "Votre ordinateur est bloque" lock screen, follow this guide: http://malwaretips.com/blogs/votre-ordinateur-est-bloque-virus/
 

More replies
Relevance 75.03%

Hi everyone
Have you ever tried to get rid of a spy ware program only to find weeks later the programme was still on your computer? Well this link will help you to uninstall some of the worst offenders on the INTERNET. Please don't forget to post back and let us know how you got on
http://www.pchell.com/support/bonzibuddy.shtml
 

Answer:Removal Instructions for spy ware Programs

Hi Nick, I stopped by the link and it looked to be a friendly and useful site. No need for the site today, but thanks. May come in handy later though.
 

4 more replies
Relevance 75.03%

Symantec has the removal instructions up.

HOW TO REMOVE W32.SPYBOT.WORM

=========================================
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
Disable System Restore (Windows Me/XP).
Update the virus definitions.
Restart the computer in Safe mode.
Run a full system scan and delete all the files detected as W32.Spybot.Worm.
Delete the value that was added to the registry.
Delete any zero-byte files in the startup folder.

For specific details on each of these steps, read the following instructions.

1. Disabling System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the ... Read more

Answer:W32.spybot.worm REMOVAL INSTRUCTIONS!

14 more replies
Relevance 75.03%

I am continuing to have popup problems after following all of the steps at http://forums.majorgeeks.com/showthread.php?t=35407

Firstly, within those instructions I had the following problems:

When running Trend MicroHousecall all 13 files that were discovered were unable to be cleaned, including a variety of Trojan files.

I could not run the Symantec Security Check, it says "redirection for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked." I tried going to the Symantec website to find a security check and run it myself but the links wouldn't work correctly.


Among the popups I am getting are some error windows including the following:

An error has occurred in the script on this page
Line: 92
Char: 4
Error: Access is denied
Code: 0
URL: http://xadsj.offeroptimizer.com/imp...ttp://forums.majorgeeks.com/showthread.php?t%
Do You Want to continue running scripts on this page? (Yes/No)

And multiple advertising based popups by "Aurora - Part of the ABI Network" which cannot be stopped using popup blocking software.

Please help!
 

Answer:PopUp Problems After Following Removal Instructions

Somehow it never seems to fail that when I post here I have to boost my thread because it goes overlooked while other people who don't even follow the rules get responses. *sigh*

ANY-how, could someone pretty pretty please help me out?
 

10 more replies
Relevance 75.03%

Hi, I'm running through the steps as you outlined before submitting a HiJack This Log. I installed Spybot and began running it... it closed my Adware and then proceeded. Then a window popped up during scanning asking if I would allow a change to the registry and naming BM33e63ece and another registry key - both of which had previously been flagged by my Trojan Remover. So I hit deny changes thinking it was trying to rename itself, now windows are popping up all over like so:

Now I'm not so sure if I blocked Spybot from removing it (was this the change?) or the program itself from changing its value and I don't know what to do. Could someone possibly help and direct me on what to do? Do I allow these registry changes by the programs which were flagged as components of Vundo before? I'm so unfamiliar with Spybot and none of my reading so far has turned up guidance.

Thank you so much for any help.

Answer:Using Spybot As Per Instructions For Vundo Removal And..

When I denied it in Spybot my whole screen filled up with those boxes but terribly annoying.

Have you read How To Remove Winfixer / Virtumonde / Msevents / Trojan.vundo.b? This should fix all cases of Virtumonde/Trojan.Vundo

3 more replies
Relevance 74.21%

hello

So I ran a scan on Norton 360 and it said I have 2 virtumonde adware and a downloader virus thing. I know this is a long process to remove it but I urgently need help on how to remove all of them. I would kindly appreciate it if you would be as quick as possible. Thanks guys for all your contribution
 

Answer:Urgent Help Needed Please! Adware Removal Instructions!?

7 more replies
Relevance 74.21%

Windows Privacy Module is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Privacy Module and stealing your personal financial information.

As part of its self-defense mechanism, Windows Privacy Module has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Privacy Module is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Privacy Module virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the F8 key as your computer restarts... Read more

More replies
Relevance 74.21%

Windows Active Guard is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Active Guard and stealing your personal financial information.

As part of its self-defense mechanism, Windows Active Guard has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Active Guard is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Active Guard virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the F8 key as your computer restarts.Please keep i... Read more

More replies
Relevance 74.21%

I am copying and pasting the 3 logs created when I followed the directions "Read this before requesting malware removal help." My problem started with somehow getting ask.com as my browser instead of internet explorer. A few days later a screen pop-up in red saying "Access File is infected" and Trojan Horse Injector.GJ. It didn't look like my anti-virus program so I didn't do anything about it. I then tried to get rid of ask.com which I did, but I couldn't get internet explorer back. My son did some things to it and when I started it back up, I got the exe.bad image messages which led me to search for a resolution which led me to your page. I followed the instructions exactly and after doing Step 4 (Malwarebytes) scan, the Trojan.vrondo (I didn't write it down at the time) was found and after that was removed the exe. bad image messages stopped. The computer seems to be working properly now--maybe a little slower. Following are the logs:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 11/07/2009 at 09:45 PM
Application Version : 4.29.1004
Core Rules Database Version : 4245
Trace Rules Database Version: 2138
Scan type : Complete Scan
Total Scan Time : 02:24:14
Memory items scanned : 518
Memory threats detected : 0
Registry items scanned : 6120
Registry threats detected : 2
File items scanned : 10729... Read more

Answer:Sending Logs after following your infection removal instructions

you seem to have 2 anti-virus installed you should have only one , there could be issues , but wait for an expert

1 more replies
Relevance 74.21%

I followed the instructions here: http://www.bleepingcomputer.com/virus-remo...irus-system-pro ...but it didn't work. Every time I reboot my pc, the stupid virus comes back, and I have to repeatedly run rKill.com a bunch of times to stop it. I also looked for the following files and reg keys on my system:

Associated Antivirus System Pro Files:
c:\WINDOWS\sysguard.exe
c:\WINDOWS\system32\iehelper.dll
C:\Documents and Settings\<UserProfile>\<random characters>\<4 random chars>sysguard.exe

Associated Antivirus System Pro Windows Registry Information:
HKEY_CURRENT_USER\Software\AvScan
HKEY_CLASSES_ROOT\CLSID\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BAD4551D-9B24-42cb-9BCD-818CA2DA7B63}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "<random characters>"

...but none of the above were on my system. I have no idea what else I should do. Please help! Any advice would be greatly appreciated...

Thanks in advance

Joey

Answer:virus removal instructions didn't work - please help!

I figured out why it didn't work - when you kill the process with rKill.com and then turn off the proxy setting in IE, I had to leave IE open for some reason in order to update Malware bytes, otherwise I got an error message and couldn't update it - if you don't update malware bytes definitions after you install it, then it won't totally get rid of the virus.

2 more replies
Relevance 74.21%

Windows Efficiency Reservoir is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Efficiency Reservoir and stealing your personal financial information.

As part of its self-defense mechanism, Windows Efficiency Reservoir has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Efficiency Reservoir is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Efficiency Reservoir virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the F8 ke... Read more

More replies
Relevance 74.21%

What is System Fix ?

System Fix is a fake system security software that is considered as rogue.
Rogues are malicious programs that cyber criminals use to trick users by displaying false threats and problems that it claims to have detected. In reality, none of the issues are real and are only used to convince the user into buying their software and stealing their personal financial information.
As this program is a scam do not be scared into purchasing the program when you see its alerts. You are strongly advised to follow our removal instructions below.

Am I infected?

This is how the main screen of the rogue application looks:

System Fix Removal Instructions
(If you experience any problems completing these instructions, please start a new thread here)

STEP 1 : Start your computer in Safe Mode with Networking
Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
Do one of the following:
If your computer has a single operating system installed, press and hold the F8 key as your computer restarts. You need to press F8 before the Windows logo appears. If the Windows logo appears, you will need to try again by waiting until the Windows logon prompt appears, and then shutting down and restarting your computer.
If your computer has more than one operating system, use the arrow keys to highlight the operating system you want to start in safe mode, and then press F8.

On the Advanced Boot Options screen, use the arrow keys to highlight... Read more

More replies
Relevance 74.21%

Hi,

I was fortunate enough to contract the wonderful "Antivirus Live". I followed all of the instructions here at Bleeping Computer to remove this, but after running rkill and installing MalwareBytes I am unable to get MalwareBytes to open and do a scan. Any help with this would be most appreciated. This "Antivirus Live" is one nasty son-of-a-gun! Thanks in advance for your help with this.

Monty Robison

Edit: Running rkill never does get Antivirus Live to stop. I've run it at least 50 times or more.
Edit: One more thing. When following the instructions and going to the Internet Explorer Tools>Internet Options>Connections>Lan Settings and unchecking the "Use a proxy server for your LAN" I never have the ability to "Apply" the new setting. The "Apply" option is greyed out.

Answer:Instructions for removal of Antivirus Live not working - Help!!!!!

To all,

I tried booting into Safe Mode on a chance which was successful. I then was able to open Malwarebytes and run a Full Scan. The scan found 5 infections which I removed. Booted back into Windows and the nasty Antivirus Live was removed. I just wanted to let you all know that in case you're having trouble like I did to reboot into Safe Mode and try the fix from there. Hope this helps!

Monty Robison

2 more replies
Relevance 74.21%

Windows Antivirus Patch is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Antivirus Patch and stealing your personal financial information.

As part of its self-defense mechanism, Windows Antivirus Patch has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Antivirus Patch is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Antivirus Patch virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the F8 key as your computer restar... Read more

More replies
Relevance 74.21%

I found this ultra defragger on my computer and I followed the instructions including using rkill and the download from malwarebytes to remove it. It appeared to remove the program, but my computer is still running extremely slowly and when I try to open a webpage, it redirects me to some strange webpage. After clicking back and retrying several times it will let me through, but obviously it is still messing with my computer. Is there something else I can do? Thank you in advance for your help.

More replies
Relevance 74.21%

Windows Component Protector is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Component Protector and stealing your personal financial information.

As part of its self-defense mechanism, Windows Component Protector has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Component Protector is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Component Protector virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the F8 key as ... Read more

More replies
Relevance 74.21%

Hi, I have a non-tech savvy friend who's managed to infect her computer with an Antivermins (amongst many, many other things, no idea how she managed it) and was just reading through Grinler's removal instructions. I was wondering, since the manual removal instructions include all of the auto removal instructions plus additional steps, is the auto removal likely not to work without those extra steps? Also, my friend apparently last night, after telling me she was too wary to download files like SmitFraudFix without being 100% sure they weren't just other infections, she went ahead and got something called NoSnoopWare (again, no idea where from or why) which scanned, found the infection but then demanded a registration fee to fix things. So, are Grinler's instructions and the files involved all free?

Answer:Question On Grinler's Antivermins Removal Instructions

to BC. Yes they are free.. It is best advised you ask your friend to join up herself and post HJT log following these instructions. The files presented here for downloading are 100% safe.

1 more replies
Relevance 74.21%

I apologize if I am posting this in the wrong place, but I am not really sure where to post it. I downloaded a fake virus protection program, antivirussoft platinum, and you guys directed me to the New Instructions for Virus/Trojan/Spyware Removal thread. I backed up my documents and changed passwords, I downloaded and ran DDS, and I downloaded GMER, but when I tried to run GMER it shut my computer down, four different times. Each time my computer went to a blue screen with the message:

Stop: c000021a {Fatal System Error}
The windows Logon Process system process terminated unexpectedly with a status of 0x0000005 (0x00000000 0x00000000).
The system has been shut down.

Any idea what is going on there?

Also, please direct me to the appropriate place to post such questions so that I don't post in the wrong place next time I hit a wall.

Answer:Using Instructions for Virus/Trojan/Spyware Removal Help

Post what logs you can in your new thread (not here) and explain the situation.

I'm wondering...is gmer causing the bsod when it first starts? Did you see this part of the instructions:

Quote:




Please note:

If (and only if) there are problems using gmer as indicated above, save a scan from the initial startup scan.




Something else you may be able to try is run the scan in Safe Mode.

Restart your computer and boot into Safe Mode by tapping the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account.

1 more replies
Relevance 74.21%

Hi,

I got infected with the Security Tool virus. I'm following the instructions "Automated Removal Instructions for Security Tool using Malwarebytes' Anti-Malware" http://www.bleepingcomputer.com/virus-removal/remove-security-tool

I'm using Windows 7 Ultimate. I made it to #23 regarding the HOSTS file. I deleted it as instructed. I then right clicked the link: Windows 7 HOSTS File Download Link. I did Save Target As. But..... When I tried to save it in the etc folder here C:\Windows\System32\drivers\etc the etc folder was gone. It now ended with the drivers folder. So there was nowhere to save your HOSTS file to.

ps. I know I didn't delete the etc folder in the previous step. All I did was delete the HOSTS file that was in the etc folder - as per the instructions.

Any help would be much appreciated. Thanks.

Answer:Security Tool Removal Instructions #23 Problem

Hello, Please go here....Preparation Guide . Create a DDS log and post it in this topic,thanks.

3 more replies
Relevance 74.21%

Windows Processes Accelerator is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Processes Accelerator and stealing your personal financial information.

As part of its self-defense mechanism, Windows Processes Accelerator has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Processes Accelerator is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Processes Accelerator virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the ... Read more

More replies
Relevance 74.21%

Windows Antibreaking System is a rogue security software which will report that malware has been detected on your computer in an attempt to scare you into buying this malicious software.
In reality, none of the reported issues are real, and are only used to scare you into buying Windows Antibreaking System and stealing your personal financial information.

As part of its self-defense mechanism, Windows Antibreaking System has installed a rootkit on your computer, which will disable the Windows Task Manager and will block you from running any program that could lead to its removal.

Windows Antibreaking System is a scam and you should ignore any alerts that this malicious software might generate.
Under no circumstance should you buy this rogue security software as this could lead to identity theft, and if you have, you should contact your credit card company and dispute the charge stating that the program is a scam and a computer virus.

Removal instructions for Windows Antibreaking System virus

This is a self-help guide, use at your own risk.
If you experience problems completing this guide, or the problem persists after following the instructions below or would like to have one of our staff members guide you through the process, please start a new thread in our Malware Removal Assistance forum.
STEP 1 : Start your computer in Safe Mode with Networking

Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.

Press and hold the F8 key as ... Read more

More replies
Relevance 74.21%

Hi,

this is my first post, I hope it's posted in the right forum.

Well, I seem to have been infected with spydawn and also did read the removal instructions, but before I start with that I still would like to ask a question.

On the site where you can download the SmitFraudFix program it says "I do not recommend using the tool without guidance from a qualified malware removal specialist!" and since I would call myself a computer newbie, at least when it comes to solving problems, I would like to know how risky it is to use that program, or do the removal instructions count as "guidance from a qualified malware removal specialist" ?

And that guide is also for windows XP, isn't it?

Thanks in advance.

Answer:Question Regarding The "spydawn Removal Instructions" Thread

Good questions. With the images along with the written instructions, I would feel safe in using the fix. If you have any problem or want to clarify a step, please ask. I always recommend using Super Antispyware along with the Smitfraudfix. Super Antispyware has had success in removing Spydawn and because there is always a good chance that you have other malware. Yes, Smitfraudfix is for XP. I don't think it works with Vista, though.

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds. http://www.superantispyware.com/

13 more replies
Relevance 74.21%
Answer:CoreFlood!Mem trojan (new variant) removal instructions

dhondi:

I've removed your data, please leave the malware assistance to the trained professionals.

Thanks ,

v
 

1 more replies
Relevance 74.21%

I wanted to post information about an issue I had after using the VirusBurst Automatic removal instructions. Forum topic located here http://www.bleepingcomputer.com/forums/t/63896/how-to-remove-virusburst-removal-instructions/

After completing the removal process and launching Outlook 2003 on Windows XP I received an error stating that file mscoree.dll was missing and to try and reinstall MS Outlook. After further research I discovered that the mscoree.dll file actually comes from the .NET framework.

What I did was reinstall .NET located here http://www.microsoft.com/downloads/details...;DisplayLang=en

Everything works great now. FYI, in case someone else has the same issue.

Answer:Missing Mscoree.dll After Virusburst (removal Instructions)

I have not heard of any similar reports. The instructions in the tutorial should not have deleted that file so it appears to have been a coincidence that you found it missing afterwards.

Anyway, I'm glad to hear that you resolved the problem.

3 more replies
Relevance 74.21%

I am following your removal guide for this virus, but every time I run Malware Bytes, the laptop shuts off. It's not THAT hot for it to overheat...but maybe it is, I dunno.
Is this a known symptom of this stupid virus? Anyone got any input?

Answer: Following Antivirus Soft removal instructions...PC shuts down

Try running SAS first then rerun MBAM. Please post back both logs.

Download and scan with SUPERAntiSpyware Free for Home Users
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
In the Main Menu, click the Preferences... button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
  Close browsers before scanning.
  Scan for tracking cookies.
  Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "...

Relevance 74.21%

Been a lot of these around recently in their different guises so here's the links to the removal instructions for them:

Antivirus 2008 or Antivirus2008 Removal Instructions: click here
Antivirus 2009 or Antivirus2009 Removal Instructions: click here
XP Antivirus or XPAntivirus Removal Instructions: click here
XP Antivirus 2008 or XPAntivirus 2008 Removal Instructions: click here
XP Antivirus 2009 or XPAntivirus 2009 Removal Instructions: click here

Answer: (XP) Antivirus 2008 2009 Removal Instructions

Or download and run a quick scan with Malwarebytes' Anti-Malware {free}: click here

Relevance 74.21%

I unfortunately installed Adware Alert (*not* Ad-Aware by Lavasoft) as a spyware scanning program back in February. I have since learned that it appears to be a rogue anti-spyware program.

I tried uninstalling it, but when I do, it seems to corrupt my operating system's startup. After uninstalling Adware Alert, I am prompted to restart, but then my system gets caught in a loop, where it displays the first few startup screens repeatedly and will not re-boot.

I have been able to get back in by hitting F8 during the startup and manually selecting to start using the last known good configuration. I tried starting in Safe Mode, but this did not work. Once I'm back in, I can do a system restore to get it functioning again, but only if I restore it to when Adware Alert was still installed.

I use McAfee, and have uninstalled & re-installed this as well. McAfee is not recognizing Adware Alert as malware.

I feel like I've been hijacked! How do I get this garbage off my computer and still get it to operate correctly?

Answer: Adware Alert--need instructions for safe removal

Welcome to BC. Use the restore to get on, then run this SAS scan. It will probably take more than an hour.

Please download and scan with SUPERAntiSpyware Free
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
In the Main Menu, click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  Close browsers before scanning.
  Scan for tracking cookies.
  Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option t...
