Computer Support Forum

AVG found Crypt.AQLW and subsequent scans found Rootkit.ZeroAccess

Question: AVG found Crypt.AQLW and subsequent scans found Rootkit.ZeroAccess

Hi and thanks for a very helpful forum. I read through all the malware removal instructions and have completed the step-by-step cleaning process (which seems to have worked) and now would like to confirm that my system is actually clean. Please see attached logs. Note: ComboFix did run but then froze during the "preparing log report" phase, so the attached ComboFix log is just the txt I found in the folder, not the full zip log. Also, RootRepeal failed to run at all (in normal or safe mode).

More info about the infection:

AVG found Crypt.AQLW but couldn't fully clean it
CPU & HD constantly at 100%, firewall had been disabled, internet traffic going mad & link redirection - immediately disconnected from internet
SUPERAntiSpyware found and cleaned Trojan.Agent/Gen-Loader
MalwareBytes Anti-Malware found and cleaned Exploit.Drop.CFG
ComboFix found and cleaned Rootkit.ZeroAccess ... but failed to generate full report. CPU dropped to normal after this!
RootRepeal failed to run
MGTools ran normally

Note: Before finding this forum, I also found advice to run Kaspersky TDSSKiller which I did, and it did find something, but didn't fix the issue. Log for that attached as well.


Answer: AVG found Crypt.AQLW and subsequent scans found Rootkit.ZeroAccess

More logs ...

Note: It says in the ComboFix.txt that AVG was still enabled (and it also gave me that warning message) but I had already used the recommended AVG removal tool and AVG was no longer installed or running at the time.

I've now updated my OS and all my software, have switched to MS Security Essentials and re-enabled firewall etc.

17 more replies

Hello,

I've read through a lot of the forum threads of other people having the same infection and gone ahead and followed the READ & RUN ME FIRST guide:
http://forums.majorgeeks.com/showthread.php?t=35407

Also the Windows XP Malware Removal Procedure
http://forums.majorgeeks.com/showthread.php?t=35407

AVG had originally detected the virus Crypt.AQLW and was periodically removing .DLL files up until I had to uninstall it for ComboFix. I maintained internet connection and Google search abilities the whole time, but I kept my wireless off as much as possible and used another computer to look up instructions and download the removal applications, then transferred them over with a usb drive.

I installed COMODO immediately after removing AVG in order to keep some kind of protection, but I disabled it when the instructions said to and hope it doesn't complicate anything.

Attached are the logs listed in order for:
SUPERAntiSpyware
MalwareBytes
COMODO
ComboFix
RootRepeal
MGtools
TDSSKiller

So far the computer seems to be working okay, but I would love some kind of verification, any response is greatly appreciated!
 

Answer:Crypt AQLW / Rootkit ZeroAccess Infection

(attachments continued)

Oh and also I ran TDSSKiller at the end for good measure. The log is attached.

Thank You!
 

4 more replies

 This is what came up after using RKILL
 
* ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\ [ZA Dir]
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\L\ [ZA Dir]
     * C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\U\ [ZA Dir]
 
I have followed the instructions for downloading and running DDS. I hope the files attach ok (I am a complete novice).
 
I would be so grateful if you could help me with this problem. Many thanks in advance x

Answer:Zeroaccess rootkit found

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
Please download Farbar Recovery Scan Tool and save it to your desktop. Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re... Read more

58 more replies

I was given this Dell laptop (windows 7 premium SP1) to work on because the owner couldn't even get windows to start. While playing around with it, I found that it wouldn't even start up in safe mode. So, I finally got it to boot up with an earlier restore point and man this thing is messed up. I noticed right off that the desktop was littered with the user's icons including pdf files, shortcuts and leftovers from install packages. The first windows problem I noticed was that the mousepad lost its button abilities. No drag and drop/resize with left button, no right click for anything else. I also noticed no ability to do a windows update, for which an error message stated the service was not started. I looked at windows services and update wasn't even available. I compared windows services with those at Black Viper and saw that many would not start or were not even listed. Very few programs would load up, no firefox or chrome browser working and mcafee seemed to be getting in the way of everything. Everything I tried issued a popup of some sort with an error.

I got IE to run and logged into majorgeeks but any download was deemed a virus and deleted! Upon further investigation, I found this to be a characteristic of the ZeroAccess rootkit so I renamed the windows defender folder to defender_old and headed over here to run the "Read & Run Me". I'm posting the log files from the scans but you must keep in mind, without the use of the mouse... Read more

Answer:ZeroAccess rootkit found

...and here's MGlogs.zip!
 

15 more replies

ZeroAccess Rootkit found. Combofix repaired Internet access issue.

I just need help to find any leftover issues. I was able to run all progams, and get logs.


Any help would be greatly appreciated.


Viking62
 

Answer:ZeroAccess rootkit found.

Second batch of logs.
 

2 more replies

Basic help found Zeroaccess rootkit after running Adware Cleaner, Rkill, Est.  I am running Windows XP SP3.  They referred me to you through the Preparation Guide.
 
Please let me know if you need anything else to help with virus.
 
Thank you.
 
Sandhill
 
What follows is DDS.txt:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.40.2
Run by Jeff at 20:10:53 on 2014-04-24
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3070.1998 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\P... Read more

Answer:Zeroaccess rootkit found by helper

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:
Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now
==========================
 
Hi sandhill,
I must give you this warning:
 
Looking through your logs, one or more of your infections has been identified as a Backdoor Trojan. These threats have backdoor functionality which allows hackers to remotely control your computer, ... Read more

12 more replies

I ran Malware, Spybot, SpyHunter, TDSSKiller, Crap Cleaner,
Malicious Software Removal (MRT) tool, AVG Anti-virus, and Avast Boot time scan.

Avast and Spybot each found an infection, but the re-direct issue continued.

Every time I go to Google and search the links returned are bogus and re-direct elsewhere.

My Outlook was acting up and I thought it could be connected.

I panicked and downloaded and ran Combofix.

Here's the log:
ComboFix 12-06-20.02 - Administrator 06/20/2012 15:21:34.1.2 - x86
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\19cfc9e0
c:\documents and settings\Administrator\Application Data\eeb7be1a
c:\documents and settings\Administrator\Application Data\f912361f
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\ifuttbsqrh.tmp
c:\documents and settings\Administrator\Local Settings\Application Data\AOL\Adobe\ruscoraw.dll
c:\documents and settings\All Users\Ap... Read more

Answer:RootKit.ZeroAccess found by Combofix

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

5 more replies

I did an AVAST bootscan and ran RKILL. I posted results from FARBAR Recovery scan tool. SEE ATTACHED.

*********************************************************************************************************************************************

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 27-12-2013 01
Ran by SYSTEM on MININT-BR1785L on 27-12-2013 12:10:37
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 11
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [dldwmon.exe] - C:\Program Files (x86)\Dell V505\dldwmon.exe [677104 2008-10-02] ()
HKLM\...\Run: [dldwamon] - C:\Program Files (x86)\Dell V505\dldwamon.exe [16624 2008-10-02] ()
HKLM\...\Run: [MSC] - C:\Program Files\Microsoft Security Client\msseces.exe [1266912 2013-10-23] (Microsoft Corporation)
HKLM-x32\...\Run: [GrooveMonitor] - C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe [30040 2009-02-26] (Microsoft Corporation)
HKLM-x32\...\Run: [Dell V505] - C:\Program Files (x86)\Dell V505\fm3032.exe [312560 2008-10-02] ()
HKLM-x32\...\Run: [APSDaemon] - C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59240 2011-09-27] (Apple Inc.)
HKLM-x32\...\Run: [Adobe ARM] - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.e... Read more

Answer:RKILL found ZEROACCESS ROOTKIT

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
If the computer is able to boot in Normal Mode please rerun FRST from there and post the logs in your next reply.
 
 
Regards,
Georgi

21 more replies

I got an email from the campus administrator that ShadowServer found ZeroAccess rootkit on my laptop.
This is the message: (i've cut out the ip addresses)

"timestamp","ip","port","asn","geo","region","city","hostname","type","infection","url","agent","cc","cc_port","cc_asn","cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"
> "2013-09-15
> 20:00:09","(IP)",52001,1103,"NL","(city)","(city)",,"udp",
> "ZeroAccess",,,"(ip cut out)",16465,22773,"US","ip(ip)",1,,,,,
>
> ---- end complaint ----

I've run all the required software but no rootkit was found. Is it possible that ShadowServer gave a false alarm? Or is the virus hiding so well?

I've attached all the logfiles required, except TDSSKiller, it didn't find any infected files.

Thanks!
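The report quoted above is a ShadowServer-style sinkhole notification: one CSV header line and one record, wrapped onto several lines by a mail client. The Python below is an added example (not from the post, the campus administrator, or ShadowServer) that rebuilds the record from the quoted fragments, parses it against the header, and lists the concrete facts the report actually asserts; those facts (timestamp, local and remote endpoint, protocol) are what a defender compares with firewall or NetFlow logs when deciding whether a notification like this is a false positive. The sample is a constructed copy of the post's own lines, placeholders included; the function names are my own.

```python
import csv
import io

# Constructed copy of the report quoted in the post above, keeping the
# mail-client "> " quote prefixes and the line wraps the post shows.
# The IP addresses and city are the post's own "(IP)"/"(city)" placeholders.
REPORT_HEADER = ('"timestamp","ip","port","asn","geo","region","city","hostname",'
                 '"type","infection","url","agent","cc","cc_port","cc_asn",'
                 '"cc_geo","cc_dns","count","proxy","application","p0f_genre","p0f_detail"')
REPORT_BODY = [
    '> "2013-09-15',
    '> 20:00:09","(IP)",52001,1103,"NL","(city)","(city)",,"udp",',
    '> "ZeroAccess",,,"(ip cut out)",16465,22773,"US","ip(ip)",1,,,,,',
]


def unwrap_quoted_lines(lines):
    """Strip mail-style '> ' prefixes and rejoin the fragments of one CSV
    record that a mail client wrapped across several lines."""
    fragments = []
    for line in lines:
        line = line.strip()
        if line.startswith(">"):
            line = line[1:].strip()
        if line:
            fragments.append(line)
    # The wrap inside the timestamp ("2013-09-15" / "20:00:09") fell on a
    # space, so a single space is the right joiner for that field.
    return " ".join(fragments)


def parse_report(header_line, body_lines):
    """Parse one sinkhole CSV record into a dict keyed by the header names."""
    text = header_line + "\n" + unwrap_quoted_lines(body_lines) + "\n"
    # skipinitialspace tolerates the space left after a comma where a
    # fragment boundary fell between two fields ("udp", "ZeroAccess").
    header, row = list(csv.reader(io.StringIO(text), skipinitialspace=True))
    # The record's trailing comma yields one more (empty) column than the
    # header names; drop empty surplus columns but never silently lose data.
    surplus = row[len(header):]
    if any(surplus):
        raise ValueError(f"unexpected extra columns: {surplus}")
    row = row[:len(header)]
    if len(row) != len(header):
        raise ValueError(f"expected {len(header)} columns, got {len(row)}")
    return dict(zip(header, row))


def correlation_points(rec):
    """Return the facts the report asserts, in the shape a defender needs to
    check them against firewall/NetFlow logs rather than trusting the
    'infection' label on its own."""
    proto = rec["type"]
    return {
        "when_utc": rec["timestamp"],
        "local_endpoint": f'{rec["ip"]}:{rec["port"]}/{proto}',
        "remote_endpoint": f'{rec["cc"]}:{rec["cc_port"]}/{proto}',
        "remote_asn": rec["cc_asn"],
        "label": rec["infection"],
        "hits": int(rec["count"]),
    }


if __name__ == "__main__":
    record = parse_report(REPORT_HEADER, REPORT_BODY)
    for key, value in correlation_points(record).items():
        print(f"{key:>16}: {value}")
```

The label field says "ZeroAccess", but the only things the sinkhole observed are a UDP packet from the listed local port to the listed remote port at that timestamp; whether that host really sent it is what the perimeter logs settle, which is why the script reduces the record to those points.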
 

Answer:ZeroAccess rootkit found by ShadowServer

You're getting a false positive.
 

3 more replies

I have a Window 7 Toshiba laptop with all current service pack and updates applied.  I was trying to set up file sharing on my network and found that I had lost access to do that on this laptop.  Every time I turned on network discovery it would shut itself off.  All of the default firewall rules were missing so I couldn't restore them.  I was able to finally get the rules from another Win 7 machine and get them restored and working again and I can now connect to my network.  Network discovery now stays on.
 
Someone had installed games on my computer and with it came Sweetpacks malware.  I removed Sweetpacks and remnants but while running rkill I got a notification " Zeroaccess Rootkit symptoms found".  I am comfortable that Sweetpacks is removed but I need help to remove the Zeroaccess Rootkit before it takes any further hold.
 
dds.txt log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.25.2
Run by Main at 18:35:30 on 2013-10-18
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.2038.841 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Disabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Win... Read more

Answer:Zeroaccess Rootkit symptoms found

Hello DakotaCat, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same... Read more

14 more replies

My brother borrowed my laptop and downloaded some things he shouldn't have. I managed to clean most of the problems up with a combination of Malwarebytes, Adwcleaner, and Security Essentials, but Rkill found 3 instances of a rootkit.  I would like some help removing these since I have never done it before. Here is the DDS log, and thanks for your help.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16686  BrowserJavaVersion: 10.25.2
Run by Skootch at 12:01:22 on 2013-10-09
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.4061.1750 [GMT 3:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync... Read more

Answer:Zeroaccess rootkit symptoms found

Hi there, my name is Marius and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button.
Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run scan... Read more

25 more replies

Hi Guys, Been reading through the forums but this one has me a little stumped... Most cases I have been able to remedy myself but then I came across your tool of Rkill... which when run comes up with "ZeroAccess rootkit symptoms found". Anyhow I have run pretty much in this order, Rkill - Malwarebytes - Nod32 - Combofix... and ran Rkill one last time after this to see if it detected anything else.. so here I am.. I have downloaded the Farbar Recovery Scantool and hit scan.. below I post the log files, any help please greatly appreciated.

Rkill Logfile

Rkill 2.6.1 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/26/2013 08:08:09 AM in x86 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * C:\Users\user\AppData\Local\Temp\TeamViewer\Version8\TeamViewer.exe (PID: 6128) [T-HEUR]
 * C:\Users\user\AppData\Local\Temp\TeamViewer\Version8\tv_w32.exe (PID: 4252) [T-HEUR]

2 proccesses terminated!

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * Windows Defender Disabled   [HKLM\SOFTWARE\Microsoft... Read more

Answer:ZEROACCESS rootkit symptoms found.

Also ran TDSS killer... and it came back with no threats found...

23 more replies

I have a Window 7 Toshiba laptop with all service pack and updates applied.  I was trying to set up file sharing on my network and found that I had lost access to do that on this laptop.  Every time I turned on network discovery it would shut itself off.  All of the default firewall rules were missing so I couldn't restore them.  I was able to finally get the rules from another Win 7 machine and get them restored and working again and I can now connect to my network.  Network discovery stays on.
 
However, I now had a notification " Zeroaccess Rootkit symptoms found" when I ran rkill and adwcleaner to remove Sweetpacks.  I am comfortable that Sweetpacks and remnants are removed.
 
Please help me remove the Zeroaccess Rootkit before it takes any further hold.
 
Here is rkill log info.
 
Rkill 2.6.2 by Lawrence Abrams (Grinler)
 
Program started at: 10/18/2013 09:48:29 AM in x86 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 * No malware services found to stop.
 
Checking for processes to terminate:
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKCU\SOFTWARE\Classes\.exe "@" exists and is set to !
  * HKCU\SOFTWARE\Classes\.exe has been deleted!
 
Performing miscella... Read more

Answer:Zeroaccess Rootkit symptoms found

Hello DakotaCat, please repost this log and a DDS log by following this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.

2 more replies

My pc was giving errors when I tried to change my firewall settings: Error code 0x80070424
I ran Rkill t and this is what I got:
Rkill 2.6.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/25/2013 07:52:27 PM in x64 mode.
Windows Version: Windows 8 Pro
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* C:\Windows\SysWOW64\ChgService.exe (PID: 1904) [WD-HEUR]
1 proccess terminated!
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\{6c76f889-4758-ee39-d... Read more

Answer:Zeroaccess rootkit symptoms found

Boot to SAFE Mode and run Malwarebytes Anti-Rootkit Beta and restart. After restart continue with other virus removal software such as Combofix (run CCleaner first it'll go faster), ADWCleaner, Malwarebytes, and do a boot-time scan to finish it up. http://www.malwarebytes.org/products/other_tools/

3 more replies

So I was browsing the internet earlier when my screen suddenly changed to one of those ransomware screens, more specifically the Police Central e-crime Unit one (description here: http://forums.anvisoft.com/viewtopic-45-973-0.html). I did the usual system restore, full scan with Malwarebytes and Microsoft Security Essentials which seemed to do the trick as the computer is running fine again. I wanted to be sure though so I ran rkill and it came up with this:

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 11/23/2012 10:12:07 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]

Checking Windows Service Integrity:

* No issues found.

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* No issues foun... Read more
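The "[ZA Dir]" and "[ZA Reg Hijack]" lines Rkill prints (the C:\Windows\Installer folders quoted in the first Rkill post of this page, the Google Desktop folders with encoded names in the Windows 8 log, and the CLSID InprocServer32 entry in this post) are the indicators a responder has to act on, and they are easy to misread when pasted into a forum. The Python below is an added example, not part of any post and not Rkill's own code: it parses a constructed log assembled from exactly those quoted lines, pulls out each indicator's kind and GUID, and decodes folder names written as runs of "xHHHH" tokens into the characters they stand for (that Rkill escapes non-printable characters this way is an assumption made here from the quoted logs, not documented behaviour) so that a name built from a right-to-left override character is reported as obfuscated rather than passing as blank.

```python
import re

# Constructed Rkill excerpt built from the alert lines quoted in this thread.
# Surrounding lines follow the Rkill layout shown in the posts; nothing here
# was produced by running Rkill for this example.
SAMPLE_RKILL_LOG = r"""
Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\ [ZA Dir]
* C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\L\ [ZA Dir]
* C:\Windows\Installer\{b93732d6-b308-ce93-f8e0-3f457f76a2f2}\U\ [ZA Dir]
* C:\Program Files (x86)\Google\Desktop\Install\{6c76f889-4758-ee39-de24-8ad41767c58d}\ \x002ex002ex002e\x202exfbf9x0e5b\ [ZA Dir]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]

Checking Windows Service Integrity:

* No issues found.
"""

ALERT_RE = re.compile(r"^\s*\*\s*ALERT:\s*(?P<rootkit>\w+)\s+rootkit symptoms found!")
ITEM_RE = re.compile(r"^\s*\*\s*(?P<target>.+?)\s+\[(?P<kind>ZA [A-Za-z ]+)\]\s*$")
GUID_RE = re.compile(
    r"\{([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}", re.I)
# A path component made only of "x" + four hex digits (assumed Rkill escaping).
ENCODED_NAME_RE = re.compile(r"^(?:x[0-9a-f]{4})+$")
RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE: makes a name display differently from how it is stored


def decode_rkill_name(component):
    """Decode a component such as 'x002ex002ex002e' into '...'; anything that is
    not entirely xHHHH tokens (e.g. '(x86)', 'Installer') is returned unchanged."""
    if not ENCODED_NAME_RE.match(component):
        return component
    return "".join(chr(int(tok, 16)) for tok in re.findall(r"x([0-9a-f]{4})", component))


def parse_rkill_alerts(text):
    """Return (alert_seen, items); each item describes one [ZA ...] line."""
    alert_seen = False
    items = []
    for line in text.splitlines():
        if ALERT_RE.match(line):
            alert_seen = True
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        components = [decode_rkill_name(c) for c in target.split("\\")]
        guid = GUID_RE.search(target)
        items.append({
            "kind": m.group("kind"),                # "ZA Dir" or "ZA Reg Hijack"
            "target": target,                       # path or registry key as printed
            "decoded": "\\".join(components),       # with encoded names decoded
            "guid": guid.group(1).lower() if guid else None,
            "rlo_in_name": any(RLO in c for c in components),
        })
    return alert_seen, items


def summarize(text):
    """Group the indicators the way a responder wants to read them."""
    alert_seen, items = parse_rkill_alerts(text)
    return {
        "alert": alert_seen,
        "dirs": [i["decoded"] for i in items if i["kind"] == "ZA Dir"],
        "reg_hijacks": [i["target"] for i in items if i["kind"] == "ZA Reg Hijack"],
        "guids": sorted({i["guid"] for i in items if i["guid"]}),
        "obfuscated_names": [i["target"] for i in items if i["rlo_in_name"]],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RKILL_LOG).items():
        print(f"{key}: {value!r}")
```

The script only reads the log text; it does not touch the file system or registry, so it can be run over a log somebody else posted. The GUID list is the useful output for a follow-up: the same GUID appearing as a directory under Installer and as a hijacked CLSID is what ties the individual lines together into one indicator set.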

Answer:ZEROACCESS rootkit symptoms found

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here. If you get crashes in normal mode, run it in safemode with networking

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

3 more replies

I have run Fixzero Access - Rootkitremover - adwcleaner - Combofix - FRST - Junkware Remover tool - TDSSKiller - and Microsoftfixit50535  
 
And nothing changes. When I first got the virus it changed proxy settings and I could not do anything, but I was able to do system recovery and hoped that would fix my problem. It did fix the proxy problem and the computer is running fine now, but I know that if zeroaccess is there then my fix will be short lived. Please help.
 
   

Answer:Rkill says I have zeroaccess rootkit symptoms found

Hello sharongv, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

I will be analyzing your log. I will get back to you with instructions.

1. Download AdwCleaner
Double click on AdwCleaner.exe to run the tool.
***Note: Windows Vista and Windows 7 users: Right click in the adwCleaner.exe and select "Run as administrator"
Click the Scan button.
A logfile will automatically open after the scan has finished.
Please post the content of that logfile in your next reply.
Or you can find... Read more

19 more replies

Computer redirecting and running extremely slow last week, so I ran a scan. Spybot S&D and ComboFix found a ZeroAccess rootkit, quarantined and removed some files. Seemed to work temporarily but it came back. Ran TDSSKiller, found rootkits again, cured, restarted, then another rootkit popped up in a different file. Installed Malwarebytes, ran it a couple of times. MBytes says no infections found... still getting redirects sometimes but not always, and my sound is not working. Opened Device Manager and found the yellow exclamation point beside the SigmaTel audio codec. I then uninstalled the audio codec, restarted the CPU and let it load again, but it still gives error code 31, says Windows can't load the driver for this.

DELL/Inspiron 6400
Windows XP SP2

Last ComboFix log:

ComboFix 12-02-08.02 - Admin 02/16/2012 18:23:10.7.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1693 [GMT -6:00]
Running from: c:\documents and settings\Admin\My Documents\Downloads\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-01-17 to 2012-02-17 )))))))))))))))))))))))))))))))
.
.
2012-02-13 13:58 . 2012-02-13 13:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-11 17:01 . 2012-02-15 13:58 162816 -c--a-w- c:\windows&... Read more

Answer:rootkit.zeroaccess found/cured hopefully...but now I have no sound.

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please d... Read more


I was told to post this and start at step six by another moderator in the help forum after running Malwarebytes and posting the logs. My computer is freezing and running terribly. I tried running DDS as told and it starts and then stops about three quarters of the way through, so I am unable to post the logs from it as I was directed. Please help, as this is the computer that I use for my home business. Thanks in advance for anything you can do.

Answer:ALERT: ZEROACCESS rootkit symptoms found!

Hello bigjimoo and welcome to Bleeping Computer!
I am D-FRED-BROWN and I will be helping you.
Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.
----------Step 1----------------
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process. Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.
----------Step 2----------------
Please... Read more


Need help please. I ran Rkill and the log has "ALERT: ZEROACCESS rootkit symptoms found!", I'm assuming this is not a good thing? I am a noob to computer stuff. Here is the Rkill log. Do I have a virus? What should I do now?

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/30/2012 12:59:26 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\ [ZA Dir]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\@ [ZA File]
* C:\Users\Elan\AppData\Local\{7e477a91-d9cb-b2e3-5d2a-8988a4d79a22}\L\ [ZA Dir]
* C:\Users\Elan\AppData\... Read more

Answer:ALERT: ZEROACCESS rootkit symptoms found!

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


Hi,
I received a suspicious email and by accident clicked the attachment. I came to this forum to find out if there was a way to tell if I got a virus from that. The computer is not acting up. I also did a system restore and then posted in the "Am I Infected" forum and was told to run Rkill and post my log, which I did. They also told me to run malware and I previously had it on my computer and it has expired; it let me run it but I could not copy my results to the clipboard. AII topic referenced is here: http://www.bleepingcomputer.com/forums/t/559116/did-i-download-a-virus/ ~ OB
I then was told I possibly had a serious malware infection and was told to follow the instructions and post my log here, per the Malware Removal and Log Section Preparation Guide starting at Step 6.
 
Here is my log. I am hoping someone will be able to help, and thanks in advance.
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702
Run by Chari at 23:15:56 on 2014-12-08
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2038.678 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Su... Read more

Answer:* ALERT: ZEROACCESS rootkit symptoms found!

I think I was supposed to attach this file as well. Hoping someone can help!
 


Answer:RKill : ZEROACCESS rootkit symptoms found

deleted


Hi,
I need help with a virus infection.
 
PC: Windows 7 Ultimate Pro (64 bit)

A couple of weeks ago I picked up several viruses (Trojan.Gen2, Trojan.zeroacces.C, Trojan.zeroaccess!g46). I ran the latest versions of the following programs. I let them have control as to when to reboot, what to delete and fix. I also may have run them a couple of times (before and after Rkill).
 
Norton Internet Security
Norton Power Eraser
Malwarebytes
Rkill
TDSSKiller
RogueKiller
AdwCleaner
 

The problem is that my computer seems to be running fine now, but Rkill is showing:
 

  * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ﯹ๛\ [ZA Dir]
     * C:\Program Files (x86)\Google\Desktop\Install\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\   \...\ﯹ๛\{c188de62-ae0f-52a9-c1fc-069d92d5d13a}\ [ZA Dir]
 
 

The full text is below.
 
 
My question:  Am I still infected?
... Read more

Answer:ZEROACCESS rootkit symptoms found! - by Rkill

Hello tweeettweeet, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more


Hi
 
I have been told to continue my previous topic in this section.
Already scanned my system as told with SUPERAntiSpyware, ESET scanner, Spybot S&D, Malwarebytes and AdwCleaner.
 
dds log:
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16502  BrowserJavaVersion: 10.25.2
Run by lal at 18:38:03 on 2013-09-05
#Option MBR scan  is disabled.
Microsoft® Windows Vista™ Ultimate   6.0.6002.2.1252.31.1033.18.2046.481 [GMT 2:00]
.
AV: ESET Smart Security 6.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 6.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Windows\System32\alg.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\locator.exe
C:\Windows\system32\vssvc.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\iashost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ESET... Read more

Answer:Alert zeroaccess rootkit symptoms found

Thank you everyone, this problem is over now. The ZeroAccess rootkits are cleaned.


Hello,

Rkill has found ZEROACCESS rootkit symptoms on my desktop. Here is all that happened in the last 10 days of usage (I've been away 15 days).

On 11/8 AVG Resident Shield detected the following:
May be infected by unknown virus Win32/DH{LgMPNg} in "c:\Users\Marcello\AppData\Local\Temp\nmrxscaweo.exe"; Action taken: "Object is inaccessible."; Process: "C:\Windows\System32\cmd.exe"
May be infected by unknown virus Win32/DH{LgMPNg} in "c:\Users\Marcello\AppData\Local\Temp\nmrxscaweo.exe"; Action taken: "Moved to Virus Vault"; Process: "C:\Windows\System32\rundll32.exe"
Trojan horse BackDoor.Generic15.BHGZ in "c:\Users\Marcello\AppData\Local\{f0f4eb1d-0609-2b50-2c39-9e4219ad9f0b}\n"; Action taken: "Moved to Virus Vault"; Process: "C:\Windows\explorer.exe"
This folder is the same that is present in the Rkill report.

The last one had an unknown malware, and AVG killed 3 processes and deleted 2 files:
c:\Users\<username>\AppData\Local\Temp\MSIMG32.DLL
c:\Users\<username>\AppData\Local\Temp\AEMWROSXCN.EXE

Meanwhile, ZoneAlarm blocked several connection attempts.
A full scan revealed trojan Java/Exploit.BAH, and I quarantined it.
After that, whenever I reboot or log off, my desktop resets the icons order to ... Read more

Answer:ZEROACCESS rootkit symptoms found (after a few problems)

Please do the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt.
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ... Read more


Hello, my computer started acting strange a few days ago - high CPU usage (svchost.exe), so I scanned it with Rkill in safe mode, and found some ZEROACCESS rootkit symptoms with strange symbols. Can anyone tell me what I should do?
 
Thanx
 
Rkill 2.8.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 02/16/2016 11:02:25 AM in x86 mode. (Safe Mode)
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\   \ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\{4aecd907-3b82-95f9-97f5-260548199d17}\   \...\ [ZA Dir]
     * C:\Program Files\Google\Desktop\Install\... Read more

Answer:Rkill - ZEROACCESS rootkit symptoms found!

Hi Gile

My name is Aura and I'll be assisting you with your issue. To get started, I'll need you to provide me a fresh set of FRST logs. Follow the instructions below please.

Farbar Recovery Scan Tool (FRST) - Scan mode
Follow the instructions below to download and execute a scan on your system with FRST, and provide the logs in your next reply.
Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
Check the Addition.txt option;
Click on the Scan button;
On completion, two message boxes will open, saying that the results were saved to FRST.txt and Addition.txt, then open two Notepad files;
Copy and paste the content of FRST.txt in your next reply, and attach Addition.txt to it;

Your next reply should include:
Copy/pasted content of the FRST.txt log;
Copy/pasted content of the Addition.txt log;


Symptoms on computer:
 
1. started with Adobe Reader trying to open all exe files 
2. ran Malwarebytes Chameleon
3. removed all Adobe products
RESOLVED: can now open exe files regularly
 
BUT, RKill tells me the following:
Program started at: 08/11/2014 11:23:36 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * SMTMP folder detected. Please see this link for more information: http://www.bleepingcomputer.com/forums/topic405109.html
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\❤≸⋙\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Install\{ca9c78ba-8955-5f3d-2240-222e9df81e8e}\❤≸⋙\Ⱒ☠⍨\ [ZA Dir]
     * C:\Users\Koko FitClub\AppData\Local\Google\Desktop\Instal... Read more

Answer:ZEROACCESS rootkit symptoms found via RKill

Please do the following:

Please download the appropriate version of Farbar Recovery Scan Tool (FRST.exe) from here:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/ (for 32bit systems)
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/ (for 64bit systems)
Save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

NEXT

Please download Malwarebytes Anti-Rootkit (MBAR) from here and save it to your desktop.
(Direct link to the file: http://downloads.malwarebytes.org/file/mbar)
Be sure to print out and follow the instructions provided on that same page.
Caution: This is a beta version so please be sure to read the disclaimer and back up any important data before using.
Doubleclick on the MBAR file you downloaded and approve the UAC prompt in Vista and newer operating systems.
Click OK on the next screen, to allow the package to extract the contents of the file to its own folder, mbar.
mbar.exe will launch automatically. On some systems, this may take a... Read more

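The paths Rkill prints in the two posts above share one shape: a folder named as a {GUID} under Windows\Installer, the user's AppData\Local, $Recycle.Bin\<SID> or Google\Desktop\Install, holding "@" and "n" files and "L" and "U" subfolders, and in the Google Desktop case further folders whose names are only spaces, dots or symbol characters (the "strange symbols" one poster asks about). The Python below is an added example written for this page, not Rkill's own check or any tool from the thread: it walks a directory tree and flags that layout. The tree it scans is constructed in a temporary folder from the posted paths, with empty placeholder files instead of any payload; the "two layout markers or more" threshold and the odd-name rule are my own assumptions about what separates this layout from an ordinary installer folder.

```python
"""Look for the on-disk ZeroAccess layout that Rkill reports: a {GUID}-named
folder holding '@' and 'n' files plus 'L' and 'U' subfolders, sometimes nested
under folders whose names are only spaces, dots or symbol characters.
Added example for this thread (not Rkill's own check); the heuristics are
modelled on the paths in the posted logs and the sample tree is constructed."""
import os
import re
import tempfile
from pathlib import Path

GUID_NAME = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
LAYOUT_FILES = {"@", "n"}   # marker files seen in the posted [ZA File] lines
LAYOUT_DIRS = {"L", "U"}    # marker folders seen in the posted [ZA Dir] lines


def odd_name(name: str) -> bool:
    """Folder names with no ASCII letter or digit at all ('...', '   ', 'ﯹ๛', '❤≸⋙').
    Heuristic (my assumption): it also flags a legitimately non-Latin folder name,
    so treat a hit as a lead to inspect, not a verdict."""
    return not any(c.isascii() and c.isalnum() for c in name)


def scan(root: str) -> list:
    """Return sorted (path relative to root, reason) pairs for suspicious folders."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        name = os.path.basename(dirpath)
        if GUID_NAME.match(name):
            present = (LAYOUT_DIRS & set(dirnames)) | (LAYOUT_FILES & set(filenames))
            if len(present) >= 2:  # '@'+'L', 'L'+'U', ...: the rootkit's working folder
                findings.append((rel, "ZA layout: " + ",".join(sorted(present))))
            elif any(odd_name(p) for p in rel.split(os.sep)[:-1]):
                # The nested {GUID}\...\<symbols>\{GUID} chain from the Google Desktop posts.
                findings.append((rel, "GUID folder under odd-named parent"))
        for d in dirnames:
            if odd_name(d):
                findings.append((os.path.join(rel, d), "odd folder name"))
    return sorted(findings)


def build_sample_tree(base: str) -> None:
    """Constructed look-alike of the paths in the posted logs; no real payload."""
    za = Path(base, "Windows", "Installer", "{2b524474-7c58-2ccb-2efa-8d9df2ff344d}")
    for sub in LAYOUT_DIRS:
        (za / sub).mkdir(parents=True, exist_ok=True)
    for f in LAYOUT_FILES:
        (za / f).write_bytes(b"")
    guid = "{4aecd907-3b82-95f9-97f5-260548199d17}"
    Path(base, "Google", "Desktop", "Install", guid, "...", "ﯹ๛", guid).mkdir(parents=True)
    # Benign control: a GUID-named folder with ordinary content must not be flagged.
    ctl = Path(base, "Windows", "Installer", "{11111111-2222-3333-4444-555555555555}")
    ctl.mkdir(parents=True)
    (ctl / "setup.msi").write_bytes(b"")


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:36} {path}")
```

Point scan() at the roots the posts name (C:\Windows\Installer, each user's AppData\Local, C:\$Recycle.Bin, the Google Desktop Install folder) rather than the whole drive; a hit with the full "@,L,U,n" set is the folder Rkill would list, while a lone odd-named folder is only a lead.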

Hi guys, I have run malwarebytes and rkill. The results are the following:


* ALERT: ZEROACCESS rootkit symptoms found!

* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\ [ZA Dir]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\ [ZA Dir]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\[email protected] [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\201d3dde [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\76603ac3 [ZA File]
* C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\U\ [ZA Dir]

Checking Windows Service Integrity:

* Base Filtering Engine (BFE) is not Running.
Startup Type set to: Automatic

* Windows Update (wuauserv) is not Running.
Startup Type set to: Disabled

* Windows Firewall Authorization Driver (mpsdrv) is not Running.
Startup Type set to: Manual

* iphlpsvc [Missing Service]
* MpsSvc [Missing Service]
* WinDefend [Missing Service]
* wscsvc [Missing Service]

* SharedAccess [Missing ImagePath]
Should I be worried about this? Thanks!

Answer:ZEROACCESS rootkit symptoms found, and missing some Services

Hello Rus, mate, run the TDSS Killer from this, and there are more you can run if it doesn't work, but it usually is pretty good.
Best Free Rootkit Scanner and Remover

Let us know how it goes, and there is another option if it doesn't cure the problem.

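The Rkill reports in this thread are worth parsing rather than eyeballing: the earlier posts list "[ZA Dir]", "[ZA File]" and "[ZA Reg Hijack]" entries, and the post just above adds "is not Running" and "[Missing Service]" lines for the firewall, Defender and Security Center services. Pulling those into a structure lets you compare the same folders and services before and after each cleanup pass and after a reboot. The Python below is an added example written for this page, not Rkill's code. The sample report inside it is constructed from line shapes taken from the posted logs (the GUIDs, paths and service names are copied from those posts and reassembled); the SECURITY_SERVICES set and the verdict labels are my own choices.

```python
"""Triage an Rkill report: pull out the ZeroAccess indicators and the
service-integrity findings so they can be compared before and after a cleanup.
Added example for this thread, not Rkill's own code. The sample report is
constructed from the line shapes seen in the posted logs."""
import re
from dataclasses import dataclass, field

# Constructed sample, assembled from fragments of the Rkill reports in this thread.
SAMPLE_RKILL_LOG = r"""
Rkill 2.8.2 by Lawrence Abrams (Grinler)
Program started at: 11/12/2015 02:23:05 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:
 * No malware services found to stop.

Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

 * ALERT: ZEROACCESS rootkit symptoms found!

     * HKEY_CLASSES_ROOT\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 [ZA Reg Hijack]
     * C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\ [ZA Dir]
     * C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\ [ZA Dir]
     * C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\L\201d3dde [ZA File]
     * C:\Windows\Installer\{2b524474-7c58-2ccb-2efa-8d9df2ff344d}\U\ [ZA Dir]

Checking Windows Service Integrity:

 * Base Filtering Engine (BFE) is not Running.
   Startup Type set to: Automatic

 * Windows Update (wuauserv) is not Running.
   Startup Type set to: Disabled

 * iphlpsvc [Missing Service]
 * MpsSvc [Missing Service]
 * WinDefend [Missing Service]

 * SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:
 * No issues found.
"""

ZA_LINE = re.compile(r"^\s*\*\s+(?P<target>.+?)\s+\[(?P<kind>ZA (?:Dir|File|Reg Hijack))\]\s*$")
NOT_RUNNING = re.compile(r"^\s*\*\s+.+?\((?P<svc>[^)]+)\) is not Running\.\s*$")
STARTUP = re.compile(r"^\s*Startup Type set to:\s*(?P<mode>\w+)\s*$")
MISSING = re.compile(r"^\s*\*\s+(?P<svc>\S+) \[Missing (?P<what>Service|ImagePath)\]\s*$")
# Path up to and including the first {GUID} component: the rootkit's working folder.
GUID_ROOT = re.compile(r"^(?P<root>.*?\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\})(?:\\|$)", re.I)

# Services named in the posted service-integrity sections (firewall, Defender,
# Security Center, IP helper, ICS, Windows Update). The set is my selection.
SECURITY_SERVICES = {"BFE", "MpsSvc", "mpsdrv", "WinDefend", "wscsvc", "iphlpsvc", "SharedAccess", "wuauserv"}


@dataclass
class RkillTriage:
    za_dirs: list = field(default_factory=list)
    za_files: list = field(default_factory=list)
    za_reg_hijacks: list = field(default_factory=list)
    not_running: dict = field(default_factory=dict)      # service -> reported startup type
    missing_services: list = field(default_factory=list)
    missing_imagepath: list = field(default_factory=list)
    defender_disabled: bool = False


def parse_rkill(text: str) -> RkillTriage:
    t = RkillTriage()
    pending = None  # service whose "Startup Type set to" line is expected next
    for line in text.splitlines():
        if (m := ZA_LINE.match(line)):
            bucket = {"ZA Dir": t.za_dirs, "ZA File": t.za_files, "ZA Reg Hijack": t.za_reg_hijacks}[m["kind"]]
            bucket.append(m["target"])
        elif (m := NOT_RUNNING.match(line)):
            pending = m["svc"]
            t.not_running[pending] = None
        elif pending and (m := STARTUP.match(line)):
            t.not_running[pending] = m["mode"]
            pending = None
        elif (m := MISSING.match(line)):
            (t.missing_services if m["what"] == "Service" else t.missing_imagepath).append(m["svc"])
        elif line.strip() == "* Windows Defender Disabled":
            t.defender_disabled = True
    return t


def zeroaccess_roots(t: RkillTriage) -> set:
    """Collapse every [ZA Dir]/[ZA File] hit to the {GUID} folder it lives under."""
    return {m["root"] for p in t.za_dirs + t.za_files if (m := GUID_ROOT.match(p))}


def tampered_security_services(t: RkillTriage) -> list:
    hit = set(t.missing_services) | set(t.missing_imagepath) | set(t.not_running)
    return sorted(hit & SECURITY_SERVICES)


def verdict(t: RkillTriage) -> str:
    """A rootkit folder or hijacked CLSID means ZeroAccess components are still on
    disk or in the registry; broken security services alone means the OS still
    needs repair even after the rootkit files are gone."""
    if zeroaccess_roots(t) or t.za_reg_hijacks:
        return "zeroaccess-artifacts-present"
    if tampered_security_services(t) or t.defender_disabled:
        return "security-services-tampered"
    return "no-zeroaccess-indicators"


if __name__ == "__main__":
    tri = parse_rkill(SAMPLE_RKILL_LOG)
    print(verdict(tri))
    print("folders:", *sorted(zeroaccess_roots(tri)), sep="\n  ")
    print("hijacked CLSIDs:", *tri.za_reg_hijacks, sep="\n  ")
    print("tampered services:", tampered_security_services(tri))
```

Feed parse_rkill() the text of each Rkill.txt a poster produces; if zeroaccess_roots() returns the same folder after a reboot that a tool reported as cleaned, the folder is being recreated, which is the case for a rootkit scan rather than more anti-malware passes. The missing-service list is what has to be repaired afterwards regardless of whether the folders are gone.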

Hi guys,
 
I have run Rkill on my machine after I thought it was not running so smoothly...
 
The results have shown that rootkit symptoms have been found. Could you guys please help me try to resolve this...
 
Below is the Rkill report:
 
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 11/05/2015 04:29:41 PM in x86 mode.
Windows Version: Windows Vista ™ Home Basic Service Pack 2
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\ [ZA Dir]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\ [ZA Dir]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\[email protected] [ZA File]
     * C:\Windows\Installer\{6bd5e82b-ccf9-bd2c-3daf-70d2acba6466}\L\1afb2d56 [ZA Fil... Read more

Answer:Rkill found Zeroaccess Rootkit Symptoms! Win Vista SP2

Hello ndonaldson2912 and Welcome to the BleepingComputer.   
 My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you  were doing and describe the problems you encountered as precisely as  you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
Ensure your external and/or USB drives are always inserted during the scan.
If you can't answer for the next few days, please let me know. If  you haven't answered within 5 days, I am assuming that you don't need  help anymore and your topic will be closed.
I can not guarantee that we will find and be able to remove all  malware. The cleaning process is not instant. Please continue to review  my answers until I tell you that your computer is clean
Please reply to this thread. Do not start a new topic
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open the computer as administrator. How to open the computer as administrator?
Disable your AntiVirus and AntiSpyware applic... Read more


Hi

I'm helping a friend and ComboFix found and apparently cleaned ZeroAccess. However, it looks like there is other stuff that should be cleaned.

Thank you for the help.
Jim

ComboFix 13-02-20.01 - xxxxxx 02/20/2013  16:55:53.4.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.3191.1436 [GMT -6:00]
Running from: c:\documents and settings\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Norton 360 Premier Edition *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 Premier Edition *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\CRAIGB~1\LOCALS~1\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
c:\documents and settings\Craig xxxxxx\Local Settings\Temp\{16AA8FB8-4A98-4757-B7A5-0FF22C0A6E33}_1101_1\dbdata11.dll
c:\documents and settings\Desktop\ComboFix.exe
c:\documents and settings\Desktop\sc-cleaner.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-20 to 2013-02-20  )))))))))))))))))))))))))))))))
.
.
2013-02-20 23:11 . 2013-02-20 23:11 -------- d-----w- c:\windows\LastGood.Tmp
2013-02-20 18:09 . 2013-02-20 18:59 -------- d-----w- c:\documents and settings\Desktop\Office Ally ERAs
2013-02-20 08:16 . 2013-02-20 08:16 60872 ----a-w- c:\documents and s... Read more

Answer:Combofix found ZeroAccess rootkit - want to ensure it is cleaned

Hello whatisavailable, Welcome to The Forums!! Around here they call me Gringo and I'll be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking ba... Read more


When I ran rkill.exe it showed the following alert.
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
     * HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\L\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\n [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-18\$222522a578fac5c22f2a3bcc81224072\U\[email protected] [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\ [ZA Dir]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\@ [ZA File]
     * C:\$Recycle.Bin\S-1-5-21-3140297160-3106756125-792325025-1000\$222522a578fac5c22f2a3bcc81224072\L... Read more

Answer:Rkill alerts me ZEROACCESS rootkit symptoms found!

Hi there,my name is Marius and I will be assisting you with your Malware related problems.Before we move on, please read the following points carefully. First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while you are follow my instructions, Stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not english. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.    Please download Malwarebytes Anti-Rootkit from here Malwarebytes : Malwarebytes Anti-Rootkit and save it to your desktop.Be sure to print out and follow the instructions provided on that same page.Caution: This is a beta version so please be sure to read the dis... Read more

4 more replies
Relevance 95.53%

Ran rkill and got "ALERT: ZEROACCESS rootkit symptoms found!" Any help would be appreciated.
 
 
 
Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 11/12/2015 02:23:05 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1
Checking for Windows services to stop:
 * No malware services found to stop.
Checking for processes to terminate:
 * No malware processes found to kill.
Checking Registry for malware related settings:
 * No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
 * Windows Defender Disabled
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 * ALERT: ZEROACCESS rootkit symptoms found!
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\L\ [ZA Dir]
     * C:\Users\Roger\AppData\Local\{1268dd72-fe71-cce5-9387-5a1bb43f1e21}\U\ [ZA Dir]
Checking Windows Service Integrity:
 * No issues found.
Searching for Missing Digital Signatures:
 * No issues found.
Checking HOSTS File:
 * Cannot edit the HOST... Read more

Answer:rkill: "ALERT: ZEROACCESS rootkit symptoms found!"

Hi & to Bleeping Computer Forums! My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please download Combofix (by sUBs) and save it to your Desktop. Disable the realtime-protection ... Read more

13 more replies
Relevance 95.53%

Even after running various malware and virus checks, rkill says there are symptoms of zeroaccess.
 
* c:\Windows\assembly\GAC_32\Desktop.ini [ZA File]
* c:\Windows\assembly\GAC_64\Desktop.ini [ZA File]
 
Not sure where to go from here. Please help!
 
Trish

Answer:Rkill says *Alert: zeroaccess rootkit symptoms found!

We need to repost... Please follow this Preparation Guide, do steps 6, 7 and 8 and post in a new topic. Let me know if all went well.

3 more replies
Relevance 95.53%

I think I have a virus that has outsmarted my Trend Micro Titanium version and Malwarebytes. I ran the full scans several times with no results. I see small blue and yellow shields attached to the front of my Malwarebytes, Trend Micro, and my Kodak printer icons on my desktop. I think this has something to do with the virus. I ran rkill in safe mode and ran Malwarebytes in safe mode, but Trend Micro made me get out of safe mode to run it. * Also, when I entered safe mode the first time it said that my recycle bin was corrupted. Delete contents? So, I deleted the contents. Then when I booted up in safe mode again another time it said my recycle bin was corrupted again. Delete contents? So, I did..... But it didn't have anything in it anyway, so that was weird.

Answer:ran rkill and got this msg: * ALERT: ZEROACCESS rootkit symptoms found!

The best way to remove this is by starting a new topic with this..... Please follow this Preparation Guide and post in a new topic. Let me know if all went well.

7 more replies
Relevance 95.53%

Computer specs:
Windows 7 x64 with SP 1
2GB memory
Intel i3 processor
 
Initial symptoms:
Computer was slow, despite having cleared browser cache and unchecked any unnecessary startup processes or services via msconfig
 
Initial scanning:
Ran rkill, found zeroaccess rootkit reparse points
Ran malwarebytes, found several hundred detected objects, attempted remove, restarted computer
Ran malwarebytes, found most of the same infected objects as before, restarted computer
Ran spybot S&D and removed all found, restarted computer
Ran SuperAntiSpyware and removed all found, restarted computer
Ran rkill, still finding zeroaccess signs
Ran malwarebytes, still finding many detected objects
Ran a tool which shall not be named without staff approval
Ran rkill, still signs of zeroaccess
Ran malwarebytes "Custom Scan", selected only the rootkit option, still detected objects found, they all seem to reference MindSpark, C:\Qoobox\Quarantine and something about RadioRage_4j
 
I'll paste rkill and malwarebytes logs below.  I'll be greatly appreciative of any help that could be given!
 
Kind regards,
Mike
 
Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 02/06/2015 09:08:03 AM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
C... Read more

Answer:Slow PC, malware found, ZeroAccess rootkit suspected

I have used this "use at your own risk" tool before when I had the zeroaccess rootkit : http://kb.eset.com/esetkb/index?page=content&id=SOLN2895
 
It seemed to find and clean it up for me even when malwarebytes wouldn't.

3 more replies
Relevance 95.53%

My computer started slowing and wouldn't connect to the internet after a file download. I did a system restore to a week ago when the laptop was running well. After, it still had the same symptoms, so I did various scans. Malwarebytes can find no further threats, but rkill still says rootkit symptoms found. The laptop is manageable as long as the wifi is off. If connected to the internet, it becomes unresponsive.
 
Here is dds log:
 
 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 9.0.8112.16470
Run by shock at 14:06:03 on 2015-01-19
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2520.1284 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_afc3018f8cfedd20\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\Dell Wireless WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:... Read more

Answer:Rkill says *Alert: zeroaccess rootkit symptoms found!

Hi & to Bleeping Computer Forums! My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully:

My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem. Please download Farbar Recovery Scan Tool and save it to your Desktop. (If you are not sure which version (32-/64-bit) applies to your system, d... Read more

26 more replies
Relevance 95.53%

As requested you will find the attach.txt log attached in zipped format and here is my DDS log file:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Eugenia at 16:11:58 on 2013-12-06
#Option Extended Search is enabled.
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3895.2504 [GMT -6:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k L... Read more

Answer:Windows 7 laptop ZEROACCESS rootkit symptoms found

Hello jackhammer, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the sam... Read more

16 more replies
Relevance 94.71%

Our laptop was infected with Disk Antivirus Professional. Followed the self help tutorial from bleeping computers. I then ran malwarebytes again to confirm successful removal, it says no infections all clear, but when I ran rkill again it said ZEROACCESS rootkit symptoms found. My avast internet security did not pick anything up as well.
 
I have also noticed that in task manager a number of blank pages - internet explorer - are running but I have not run or opened internet explorer.
 
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16457
Run by Nathan at 15:53:05 on 2013-02-13
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.8108.5535 [GMT 10:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\TrueSuite\TrueSuite.Service.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k... Read more

Answer:removed 1 virus still left with ZEROACCESS rootkit symptoms found

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your malware problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate N... Read more

14 more replies
Relevance 93.89%

As the good mama's boy I am, I am trying to rid my mother's computer of a particularly malicious infection.
 
After a good amount of hours spent, I have managed to rid the system of the Antivirus Security Pro malware, taking away all the annoying popups et al. Malwarebytes was used to try to clean out all there was.
 
Unfortunately some problems persist, and an infection is still preventing downloads from the web (and consequently e.g. upgrades to Windows Security Essentials).
 
Rkill identifies the problem as "zeroaccess rootkit symptoms found".
 
Googling this took me to the following entry at this forum. I have run Farbar Recovery Scan Tool including drivers MD5 as instructed, and it did pick up on quite a few things. The question is how to write a proper fixlist.
 
I am extremely grateful for any help I can get in this regard. All I can really offer in return is to pay it back or forward in terms of Microsoft Excel help, as that is an area of expertise.
 
Anyway, here is the log from farbar (also attached, felt I had mixed messages there as to custom on this forum):
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 10-11-2013 01
Ran by SYSTEM on MININT-5BPMVLA on 13-11-2013 00:42:37
Running from G:\Sikkerhet
Windows 7 Starter (X86) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from... Read more

Answer:Antivirus Security Pro + zeroaccess rootkit symptoms found (rkill, FRST)

Hello Black Monday, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more

24 more replies
Relevance 92.66%

Mini toolbox
 
MiniToolBox by Farbar  Version: 16-06-2013
Ran by Carla's ASUS Laptop (administrator) on 22-06-2013 at 10:57:29
Running from "C:\Users\Carla's ASUS Laptop\Downloads"
Windows 7 Home Premium Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
 
========================= FF Proxy Settings: ============================== 
 
 
"Reset FF Proxy Settings": Firefox Proxy settings were reset.
 
========================= Hosts content: =================================
 
 
 
========================= IP Configuration: ================================
 
Intel® Centrino® Wireless-N 1030 = Wireless Network Connection (Connected)
Bluetooth Device (Personal Area Network) = Bluetooth Network Connection (Media disconnected)
Atheros AR8151 PCI-E Gigabit Ethernet Controller (NDIS 6.20) = Local Area Connection (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 2 (Media disconnected)
Microsoft Virtual WiFi Miniport Adapter = Wireless Network Connection 3 (M... Read more

Answer:ALERT: ZEROACCESS rootkit symptoms found!+yellow&blue shields all over the place

Hello cfox73, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", ... Read more

18 more replies
Relevance 90.2%

Hello! I'm afraid that lately I'm getting AVG finding threats such as 'Trojan horse Dropper generic, Virus found exoit' and I'm not always able to use AVG to erase them/fix them, as one earlier today said 'object is inaccessible in c:/documents and settings/network services'. Also I seem to be getting strange pages opening up on a different tab when I already have a page up. When I update and run AVG, SuperAntiSpyware and Malwarebytes I am always finding threats. Please can anyone offer any advice on what else I can do?

Answer:Lots of 'threats' found+viruses found on scans!

Try running them in Safe Mode.

10 more replies
Relevance 89.79%

Hello
I am an IT professional but I am a web developer and not really a support person as much as I'd like to be....and lately I've learned that Rootkits are getting harder to remove... so I'm feeling a bit over my head with what's going on and I need your help.

My husband's computer is apparently infected with Rootkit.ZeroAccess, TR/Crypt.XPACK.Gen, Trojan horse Crypt, ANVH, PUM.Disabled.SecurityCenter, Hijack.StartMenu Internet, Hijack.Exefile and Pum.Bad.Proxy. Also AVG Free reported that serial.sys was white listed but could not be removed.

I put Combofix at C:\ and then ran it from a Safe Mode Command Prompt. It tells me that there is rootkit activity and needs to reboot, when I do that it says..please wait...Combofix is preparing to run...and then it just hangs. I was thinking about uninstalling AVG Free because I can't get into the console to temporarily disable it. So maybe that's the reason Combofix isn't working right.

So I would greatly appreciate it if someone would pick up this post and help me just start over from the beginning.

Just tell me what you need me to do and I'll post back whatever info you need and, don't worry, I know how to follow instructions.

The computer is a Dell and running Win XP SP3, AVG Free AntiVirus. It's turned off now until I can get your advice and help.

Thank you, Dona

Answer:Need help with Rootkit.ZeroAccess and TR/Crypt and others

Hello and welcome. This is difficult to remove. Having run ComboFix we need to see that and a DDS log. Please go here: Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. Skip the GMER step and instead post the LAST ComboFix log you have. Let me know if that went well.

5 more replies
Relevance 89.79%

My husband's computer is apparently infected with Rootkit.ZeroAccess, TR/Crypt.XPACK.Gen, Trojan horse Crypt, ANVH, PUM.Disabled.SecurityCenter, Hijack.StartMenu Internet, Hijack.Exefile and Pum.Bad.Proxy. Also AVG Free reported that serial.sys was white listed but could not be removed.

I put Combofix at C:\ and then ran it from a Safe Mode Command Prompt. It tells me that there is rootkit activity and needs to reboot, when I do that it says..please wait...Combofix is preparing to run...and then it just hangs. I was thinking about uninstalling AVG Free because I can't get into the console to temporarily disable it. So maybe that's the reason Combofix isn't working right.

So I would greatly appreciate it if someone would pick up this post and help me just start over from the beginning.

Just tell me what you need me to do and I'll post back whatever info you need and, don't worry, I know how to follow instructions.

The computer is a Dell and running Win XP SP3, AVG Free AntiVirus. It's turned off now until I can get your advice and help.
Here's the contents of his DDS log file
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by WWAdmin at 22:28:40 on 2012-02-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1468 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS... Read more

Answer:Need help with Rootkit.ZeroAccess and TR/Crypt and others

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated f... Read more

34 more replies
Relevance 85.28%

I have ESET anti-virus and it has quarantined a few things trying to access my comp. Win32/daurso found by MS Defender. Ran combofix and malware bytes to try and get rid of stuff, but Defender and ESET still block high risk things. After following instructions (ie. defogger to GMER) GMER also said Rootkits may have changed something. Please help! I have posted most recent logs for your review. I did not post Attach.txt as it said not to unless requested. Thank you.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 12:59:29
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\pxldrpog.sys

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\pmeamhy.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DA0D340, 0x345217, 0xE8000020]
.text bridge.sys 8E498462 519 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[316] kernel32.dll!SetUnhandledExceptionFilter 7796A84F 4 Bytes [C2, 04, 00, 00]
.text C:\... Read more

Answer:Rootkit changes found by GMER, win32/daurso found by MS Defender

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

13 more replies
Relevance 82%

I think this started when I did an update for my graphics card... After I did that, AVG came up saying it had found a trojan horse Crypt.AQLW; they've all had a "dll" extension: SNMPTRAP.dll, dmprimer.dll, symdns.dll, SQTECH9080.dll.. and so on. After a few days, the warnings have become less. It went down from maybe 10 to 12 warnings in around 4 hours to today I only got 2 warnings so far, in about 4 hours. I've noticed nothing different as far as the operation of the computer, only those warnings that happen once in a while... Only thing, when I ran a GMER scan... I got a blue screen and a reboot. That's the only time I've seen anything major happen so far.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.0.0
Run by dave at 20:13:17 on 2012-02-29
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3583.1990 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows... Read more

Answer:AVG cant get rid of Crypt.AQLW

Hi ds5000! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know! I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please delete the copy that you have... Read more

41 more replies
Relevance 82%
Question: Crypt.AQLW

I was using Google Images and I clicked on one, and a fraud spyware scanner popped up - I went to kill it using the Task Manager to discover it was disabled.
AVG 2012 (Free) then was going berserk, giving all manner of files which were being infected with Crypt.AQLW (& variant names) every few seconds. ping.exe was one of the files infected. It reminded me of the Biblical "our name is legion, for we are many"!
I ran the Malwarebytes program and it restored the Task Manager, and deleted some files.
I then ran all manner of Trojan removers (AVG Remove Zero Access, Symantec, Fix Zero Access, Panda Yorkyt, and avastMBR), always disabling AVG first. I ran TDSSKiller and it quarantined some files. AVG then stopped reporting the Trojan, and I replaced ping.exe from another computer and the system seemed normal. So I deleted all the various reports, thinking all was well.

I had an old copy of ComboFix (from about 4 years ago). I thought ok, one last check, so I ran it untutored (never read any instructions to the contrary!) and it offered to update (accepted) and after running it, it reported this:
"You are infected with Rootkit.ZeroAccess! It has inserted itself into the tcp/ip stack. This is a particularly difficult infection. If for any reason that you're unable to connect to the internet after running ComboFix, reboot once and see if that fixes it. If it's not fixed, run ComboFix one more time". I have removed ComboFix with the uninstall comman... Read more

Answer:Crypt.AQLW

Hello, Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

2 more replies
Relevance 81.18%
Question: Trojan Crypt.AQLW

Greetings..

I'm assisting a friend with a laptop that became non-responsive, with Windows not being able to load.

OS: Windows Vista.
AV: AVG 2011 Free (fully updated)
Windows Updated: not fully

I have gotten Windows to load with "last known good configuration". However, AVG warnings immediately reported - Trojan Horse BackDoor.Generic14.CCCR.

Steps I have taken, and results:
- Ran Spybot S&D (with full update and immunization applied), which only found 2 tracking cookies.
- (updated and in safe mode), ran Malwarebytes, which detected 219 objects. Selected to fix and was asked to reboot. Upon Windows reboot, received the following AVG warnings: Trojan Crypt.AQLW, as well as win32/Sirefef.ER
- Ran Combofix, which stalled at "scanning for infected files" step. I terminated scanning after it appeared it was stalled after 60 mins.
- Another attempt at running Combofix, with same results.
- Overnight, ran Malwarebytes again in safe mode, which reported 219 objects. Selected to fix and was asked to reboot, and the program hung without rebooting.
- Windows Update reports 5 important updates available, and 7 optional. I have just finished trying to apply the updates, but after 30 min. the screen turned blue with "Windows encountered problem" (not sure on the exact error message), and the system rebooted.

Request: Can someone please tell me how to rid of these particular Trojans?

Answer:Trojan Crypt.AQLW

Please follow the instructions in ==>Malware Removal and Log Section Preparation Guide<==. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues and what you have done to resolve them. If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. Once you have created the new topic, please reply back here with a link to the new topic. Most importantly, please be patient till you get a reply to your topic.

2 more replies
Relevance 81.18%

Posted as a new thread from http://www.bleepingcomputer.com/forums/topic452624.html as requested

I am having problems running the new suite of programs suggested.

DeFogger runs but does not complete after clicking disable, even after 30 mins. It does produce this log almost immediately though:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 23:35 on 06/05/2012 (Steve)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...

DDS also runs with a black window but does not complete after 45 mins.

GMER will also run, but the window which appears is greyed out and I cannot uncheck any of the boxes or press scan.

Answer:crypt.aqlw infection

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.
NOTE: At t... Read more

24 more replies
Relevance 81.18%
Question: Malware-Crypt.AQLW

I have read a few of the threads on this forum and have followed the instructions
on running aswMBR.exe and OTL.exe.
Attached are the logs from both.
Can someone take a look and let me know?
 

Answer:Malware-Crypt.AQLW

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything. Note: if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disabled UAC and rebooted first if you are running Windows Vista or Windows 7.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode
If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does no... Read more

1 more replies
Relevance 81.18%

Please help! My wife's computer, an older HP P4 machine running Windows XP with SP3, seems to have come down with Crypt.aqlw. At least that's what AVG reports. Besides running the standard free AVG scan, I haven't tried anything heroic yet. Could someone please help me to get rid of this?

PS. She uses AOL. I don't know if that information helps or not. I just figured I'd throw it out there.

Answer:Help with crypt.aqlw infection

I decided to take the easy way out and just do a low level format and re-install Windows. The computer freezes after only being turned on for 5 minutes or so. There's no way it would allow me to download and run the programs necessary to diagnose and correct the problem. Thanks!

2 more replies
Relevance 81.18%
Question: Trojan Crypt.AQLW

Hi

I clicked on a link sent by my friend and ended up with this problem: recurrent notifications by AVG for a Trojan, browser redirection and recurrent requests to download Adobe Flash. Below are my logs, please help, thanks

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Joan at 0:04:20 on 2012-03-12
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.2038.873 [GMT -4:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\sv... Read more

Answer:Trojan Crypt.AQLW

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links: Link 1, Link 2, Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

24 more replies
Relevance 81.18%

Hi guys, I'm new to the forum so would first like to say Hi, and then ask for help.

According to AVG I seem to have picked up the crypt.aqlw virus.

This is being constantly reported by AVG popups, and links on webpages sporadically take me to random pages.

I have looked for removal instructions but have difficulty in making any sense of them.
Can anyone offer any help?

Cheers
Steve

Answer:crypt.aqlw infection

Welcome aboard! Download Security Check from HERE, and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
=============================================================================
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
* Internet Services
* Windows Firewall
* System Restore
* Security Center/Action Center
* Windows Update
* Windows Defender
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.
====================================================================================
Please download MiniToolBox and run it. Checkmark the following boxes:
* Report IE Proxy Settings
* Report FF Proxy Settings
* List content of Hosts
* List IP configuration
* List Winsock Entries
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Click Go and post the result.
=============================================================================
Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next t... Read more

4 more replies
Relevance 81.18%

Good day to you,

When visiting a website yesterday, AVG popped up warning me about an infection with Crypt.AQLW. I moved it to the AVG vault and started up Malwarebytes Anti-Malware.
It found a few infections and I decided to abort the scan and re-do it in safe mode.
The rerun in safe mode also found a few extra infections:

Trojan.FakeMS
Malware.Gen
Spyware.Password
PUM.Disabled.SecurityCenter

The cleanup of Anti-Malware is missing something though, as AVG finds a new Crypt.AQLW infection at each startup.

Current total AVG fault:
virus found Win32/Cryptor ...\application data\isecurity.exe
trojan horse Crypt.AQLW \system32\SaiH0408.dll
virus found Win32/Cryptor ...\application data\isecurity.exe
trojan horse Crypt.AQLW \system32\SE27bus.dll
trojan horse Crypt.AQLW \system32\ndassvc.dll
trojan horse Crypt.AQLW \system32\tpkmpsvc.dll
trojan horse Crypt.AQLW \system32\wintabservice.dll
trojan horse Crypt.AQLW \system32\dot4.dll
trojan horse Crypt.AQLW \system32\SenFitService.dll

I ran MBRCheck to see if there is something wrong with the boot record, but it stated it was OK.
The wireless network now is stuck in "acquiring IP address", so I shut down the network card.

Then I started googling for the Crypt.AQLW problem and found this website. I followed the guide and have created the prescribed log files. The ark.txt is pasted below the DDS, the attach.txt is attached.

Th... Read more

Answer:Infected with Crypt.AQLW

Hello IgorD and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know! I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below: Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, please d... Read more

19 more replies
Relevance 79.95%

On the 29th of last month, AVG popped up saying that it caught Crypt.AQLW when I opened a page related to DC Universe from a Google Search (1st result on Google; it appeared to be a Brazilian forum and when I opened it, I was redirected to another site automatically).
AVG supposedly fixed it and prompted me to restart the computer. After that, I kept getting more trojan warnings.
I tried running several programs to try and fix the mess but none seemed to work.
After a while I noticed that my hosts file was gone. Today the computer restarted on its own and after that I had lost all internet\network access. A system restore from February 15th gave me back internet and network access (I chose a system restore date a bit earlier than the 1st warning I got, to try and avoid more problems).

Note: when running GMER at the end the program warned about a change in rootkits while scanning the computer. Please tell me if I have to run it again and repost the log.

DDS.TXT Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Alexandrino at 20:51:22 on 2012-03-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.351.2070.18.1014.305 [GMT 0:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Programas\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -... Read more

Answer:another person with Crypt.AQLW problems

Hello relmatos and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know! I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below: Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, pleas... Read more

15 more replies
Relevance 79.95%

Hello,

My first post to the forums can be found here:
http://www.bleepingcomputer.com/forums/topic444579.html

I have followed the instructions since that post, and the results are as follows. I should note that I have been unable to enable the Windows Firewall. Also, throughout the scans, AVG has been constantly reporting both the Trojan horse Crypt.AQLW and win32/Sirefef.ER. After each warning, I selected to ignore the warning and did not have AVG move the various .DLL files reported to be infected with the Trojans.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19190
Run by NIA at 14:51:29 on 2012-02-29
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\aestsrv.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\system32\STacSV.exe
C:\PROGRA~1\TELEVI~2\bar\1.bin\64barsvc.exe
C:\Program Files\Common Files... Read more

Answer:infected with Trojan Crypt.AQLW

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only). If this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links: Link 1, Link 2, Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

58 more replies
Relevance 79.95%

It seems as if this is an ongoing problem, from going through a few threads and searches, so you can add my name to the list of infected PCs!

Trojan-

I have tried running AVG, which will move the files to the virus vault, but it keeps finding new files.

Ran Malwarebytes, cleared out what it found.

Ran Spybot Search & Destroy, cleared that out.

Cleared out all the browser temp files & cookies, even did a system restore since I saw that suggestion around some other forums.

Still have the trojan files popping up.

Also there is an Adobe Flash Player Install popping up from time to time, not sure if that is related to the trojan virus.

Redirects in Chrome & Firefox, do not use IE.

Any help would be greatly appreciated!
 

Answer:Trojan.Crypt.Aqlw plus a few other problems

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything. Note: if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disabled UAC and rebooted first if you are running Windows Vista or Windows 7.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode
If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does no... Read more

1 more replies
Relevance 79.95%

I followed the instructions per the link below:

http://www.bleepingcomputer.com/forums/topic445179.html

I could not download DDS in step 7 (nothing happens when I click on the "download now" button),
so I went to step 8 and performed the scan, which I have pasted below.
Please tell me how I can remove these viruses. My computer only runs in safe mode at the moment.


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-05 16:11:51
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000528AS rev.CC46
Running: pg8hftv2.exe; Driver: C:\Users\Parisa\AppData\Local\Temp\kwdiapod.sys
---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\System32\DRIVERS\netbt.sys section is writeable [0x93210000, 0x99B2, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtProtectVirtualMemory 77CE4BA4 5 Bytes JMP 00E4000A
.text C:\Windows\system32\svchost.exe[948] ntdll.dll!NtWriteVirtualMemory ... Read more

Answer:Trojan crypt.aqlw & sirefef.er

Hello parishale and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username; if you'd like me to address you by something else, please let me know! I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below: Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool which you already have, plea... Read more

43 more replies
Relevance 79.95%

Hi, all. I have a problem. AVG continuously finds Trojan Horse Crypt.AQLW on my computer.
Every few minutes it shows an alert that some .dll file in C:\windows\system32 is infected (each time it is a different file; e.g. now it is comhost.dll).

The alert also says that it concerns the process \\.\globalroot\SyStemRoot\system32\svchost.exe

It seems that AVG finds and deletes/puts into Quarantine each of those files, but it is really disturbing as it pops up very often. Also, I'm afraid: is it something really serious, or not that bad?

I am quite green at that stuff; I have Win 7.
Could you help me, please?

Answer:Crypt.AQLW trojan horse

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a link at the top of each page:

Quote: Having problems with spyware and pop-ups? First Steps

Please follow our pre-posting process outlined below.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 79.13%

AVG keeps identifying the threat Trojan Crypt.AQLW Win32/Sirefef.ER or something similar. It detected 17 after one bootup. Sometimes it says that it's a critical process and won't remove it, but won't let me access it. A lot of times this will cause my OS to crash. While creating some of the logs I did notice BitTorrent and something called Torrent Stream. So I know how the virus was acquired. My 15, 11 & 8 yr old kids use this computer quite a bit so I suspect that's how they were installed. I have already talked to them about illegal downloads and the risk associated. BitTorrent and all things similar will be deleted immediately if safe to do so now. My wife has also downloaded coupon toolbars etc. This same computer had the Windows Security scam twice. The most recent was the VistaSecurity2012, right before this virus started.

I've done the DDS, attach and ARK logs. All of them were done in SAFE MODE. It's been the only way I can use the computer without it crashing. If they need to be done outside of safe mode, let me know and I will redo them. Thanks for looking and I look forward to your response.
Here is the DDS.txt log; the Attach log is attached.

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_26
Run by JoelDC at 10:17:19 on 2012-02-25
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.1014.453 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Outdated* {5A27... Read more

Answer:Trojan Crypt.AQLW Win32/Sirefef.ER

I can't attach the GMER log. It is 6.27 MB

23 more replies
Relevance 79.13%

Hi:

My friend was foolish enough to click on a bogus virus warning and install Small Fortress bogus antivirus. Small Fortress disabled AVG and his Vista computer became infected with rootkit0.access.h and Trojan Horse Crypt.AQLW. Small Fortress was fairly easy to remove in Safe Mode but the rootkits disabled AVG. Several scans with Malwarebytes removed the rootkits; however, something remains, as AVG keeps on finding infected dlls in windows\system32 such as: pfc.dll, audstub.dll, saiclass.dll, iolodmv.dll, automate6.dll, and eventually the rootkits reappear. I can keep it under control if I disconnect the internet, but I'm at a loss.

Spybot, Superantispyware et all report no problems but problems remain.

AVG Resident scan continually pops up with a report that sys32\drivers\tdx.sys is infected with Trojan horse ZeroAccess.am, but that it is whitelisted, and just prompts to ignore. SUPERAntiSpyware called tdx.sys a fraud copy?

I could use some help please.

Thanks,

Tom

Answer:Dlls infected with Crypt.AQLW continue to appear

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:...

65 more replies

Hi guys! Have I had a fun day!

The affected PC is in my office, runs XP and requires the use of a networked drive for writing data entry to a local database (hence the account being named Data Entry). I received a complaint on Monday that AVG was popping up trojan warnings which couldn't be closed or moved to the Virus Vault (AVG identified these as 1CBD1A13, but instead of removing the threat it would pop up an unrelated warning, "Please save all opened files prior to continuation", and then fail to remove the threat).

I also updated MBAM's database and ran an MBAM scan, which came up with more results that also could not be removed or quarantined. Webpages that I'd try to load in Chrome/FF/IE would randomly redirect the first time I'd try them, but when I'd go back and try them again I was successful. One of the re-direct pages landed me at HAPPILI, too.

So today I decided to pop in a thread here, attempted to create all the logs requested (GMER locked up right after it completed a 5 hour scan, so unfortunately no log there), and I was just about to create this thread when AVG started to overload with warnings and finally surrendered to a mass of about 200 pop-up windows telling me all about my "possible HDD corruption". I knew I'd recognized that from somewhere, so I followed BC's instructions re: removing SystemCheck, managed to extract the DDS log files from where they were hiding to a jump drive, and so here we are...

Answer:1CBD1A13 / Crypt.AQLW / HAPPILI / possible SystemCheck

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:...

8 more replies

I have been receiving AVG warnings about the "trojan horse crypt.aqlw" infection and its accompanying "sirefef". Is ComboFix the only way to remove this? If so, I need help. Thanks.

Answer:how to remove trojan horse crypt.aqlw

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap...

20 more replies

Having some trouble with a trojan horse (Trojan Horse crypt.aqlw) and I am continuously being redirected from Google or various other websites. About every 10 minutes, AVG finds the trojan mentioned and "removes it", but it comes right back. No luck with Malwarebytes either. Been a while since I had to clean up these kinds of messes, so I am a bit out of date. Let me know if you can help!!!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:25:48 PM, on 4/6/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Motorola\MotoConnectService\MotoConnect.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPane...

Answer:Trojan horse crypt.aqlw and redirects

Anyone else able to help me out... concerned with the health of my system.
 

1 more replies

Hello, and thank you in advance for your assistance.

The problem is on a Win XP computer -- AVG is frequently reporting "Trojan Horse Crypt.AQLW" and occasionally "Trojan Horse Agent r.ATS". Clicking "Move to vault" on these alerts doesn't resolve it. The other main symptom is the inability to use Google ... any search re-routes the browser to other pages.

I have followed all steps in your Preparation Guide and am posting the requested data below and attaching the requested files.

During the GMER Log step, the scan resulted with a message box appearing on top of the GMER window. The message read:

"WARNING!!!
GMER has found system modification caused by ROOTKIT activity."

I will not make any changes to this computer or request other assistance on this issue; I'll wait for your reply and follow the instructions.

Thanks so much for your help!

Please see attached files:
- attach.txt
- Ark.txt

Please see DDS.txt below

--------DDS.txt------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Julie Schwalm at 11:45:02 on 2012-05-08
.
============== Running Processes ===============
.
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\P...

Answer:Trojan Horses: Crypt.AQLW and Agent r.ATS

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:...

16 more replies

Hi. I'd be very grateful for any help with regard to this virus. My system restore will not work, AVG antivirus disabled and not updating and I often get re-directs when browsing the Internet (not always). I also have a window popping up every now and again which says it is going to install an adobe product.

I have had a look around for similar unfortunate users and did try a Solved post which suggested running Rootkit Buster from Trend Micro, but this doesn't seem to have worked for me.

Really appreciate any help with this. Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 20:32:44, on 20/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\SHAREA~1\MediaBar\Datamngr\DATAMN~1.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Tech\Office Program Selector\6.0\ACROMAPP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Belkin\Bluetooth Software\BTT...

Answer:Virus - Trojan Horse crypt.AQLW

16 more replies

Here goes...

The PC (Windows XP [32-bit] SP3) I'm working on has been infected with a trojan - the internet connection settings have changed and it won't connect automatically as it did before. When I attempted manual connecting (enabling Wi-Fi) and opened a browser, it would redirect after the homepage to various spammy sites.

AVG on startup picked up a threat and I quarantined it. I then ran SAS, MBAM and AVG in a normal boot of Windows XP (where some rootkit infections seemed to be picked up to be dealt with on reboot) and then, when AVG picked up the infection again after reboot, did all three scans again in Safe Mode.

On the next start up AVG found the same issue, so I did some online searches about Trojan AQLW and came here!

- - - - -

I've tried to go through the list of preparatory clean ups and downloaded as many of the tools as I can.

Note: CCleaner on each reboot would find temporary internet files to clean even though no obvious internet connection

- - - - -

1. Ran SAS again - saved log file but no infections found.

Log file attached -


2. Ran MBAM again - saved log file but no infections found.

Log file attached -


3. Installed ComboFix to desktop - tried to disable AVG2012 as per bleepingcomputer but combofix still detected it, so removed AVG using AVG removal tool as advised on your guide.

Was then able to run ComboFix - had to connect briefly to the internet to allow the recovery console to be downloaded and installed, then...

Answer:Removal of Malware - Trojan Crypt.AQLW?

contd...

5. Installed and ran MGTools from C:\

Note: in Safe Mode still as keyboard had stopped working

Log file attached - MGlogs.zip
 

10 more replies

Obviously, I have a problem. I have an Acer Aspire One netbook with XP, and a while ago AVG started to repeatedly locate two viruses; IDP.Trojan.1C8D1A13 and Trojan Horse Crypt.AQLW are the identifications they were given. For some time I had AVG quarantine or delete the files it was finding. A search of the internet found some similar problems in your forums, so I started following a procedure that I found referenced in several threads. When I got to the ComboFix portion of the procedure it reported that there was still active AVG protection even though I had uninstalled AVG via the add/remove function, so I stopped it at this point. Later I found that, while the computer seemed to work (other than some instability on startup, where it might try restarting two or three times before "getting there"), it would no longer connect to the internet via either the wireless, Ethernet cable, or a link to my phone via USB called PDAnet.
Today I began following your "read and run first" procedure as best I could, using a flash drive to transfer software from the computer I'm typing on now. Everything went fine, finding no significant problems, until I got to ComboFix. Even though I had run the AVG_remover tool you provide, ComboFix was still finding some active AVG protection. I ignored this with no immediate problem. ComboFix then reported "Root Kit Zero Access" and after some time had to reboot. After this the scanning began. I came...

Answer:Nasty Trojan 1c8d1a13 and crypt.aqlw

Hi and welcome to Major Geeks, jeepwhisperer!

jeepwhisperer said:
Combofix then reported "Root Kit Zero Access" and after some time had to reboot. After this the scanning began. I came back later and found the windows explorer missing... background is still there, cursor still works, and the drive light comes on briefly every few minutes.

As long as the ComboFix window is open, even if explorer is closed, you should leave it alone. It will probably be finished if you left it running overnight.

Not sure if you have another AV installed or not, but this is what usually causes ComboFix to hang on reboots.

Also, do not worry about ComboFix detecting AVG, it's detecting an old entry in WMI which we can remove later.
 

19 more replies

I'm new to this forum. I'm not very tech savvy. I have read several different instructions on how to remove Trojan crypt.aqlw & sirefef.er and they are all different in what software they recommend to download, so I'm very confused.
I have run Malwarebytes and SUPERAntiSpyware but no luck! My AVG kept detecting the virus, so I downloaded Norton and uninstalled AVG in safe mode.
Can someone please help me. I am completely lost as to how to get rid of these viruses.

Below is my log from Malwarebytes
please help!!!!!!!!!!!!!
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5128

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

12/30/2010 4:45:28 PM
mbam-log-2010-12-30 (16-45-28).txt

Scan type: Quick scan
Objects scanned: 144754
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 27
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 22

Memory Processes Infected:
C:\Program Files\ClickPotatoLite\bin\10.0.631.0\ClickPotatoLiteSA.exe (Adware.ClickPotato) -> Unloaded process successfully.

Memory Modules Infected:
c:\program files\clickpotatolite\bin\10.0.631.0\clickpotatolitesahook.dll (Adware.ClickPotato) -> Delete on reboot.

Registry Keys Infect...

Answer:Help me remove Trojan crypt.aqlw & sirefef.er

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

3 more replies

I'm so glad I stumbled across this website. I'm helping a friend deal with Trojans. Although I'm a power user, I'm not familiar with Trojans, except that they're difficult to remove using off-the-shelf programs like Spybot SD.

The free AVG on the laptop continually quarantines files infected by Crypt.AQLW. I tried dealing with this on my own (I didn't realize I shouldn't have, but I know now!). The aswMBR log reported a Win32:Sirefef-JQ infection in C:\Windows\system32\drivers\cdrom.sys and dfsc.sys. I also ran ComboFix.exe (sorry!) once and it reportedly disinfected cdrom.sys as well as popped up a couple of messages: one reporting a possible trojan infection in the network drivers, TCP/IP stack; and another reporting a possible rootkit infection. It then restarted the computer and completed its work.

The laptop also occasionally loads random spam-ish websites usually with some sort of adult content.

The logs have been attached as instructed in the prep guide.

DDS.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_17
Run by Cris at 17:19:06 on 2012-03-04
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2550.1626 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\...

Answer:Infected with Trojans (Crypt.AQLW and Win32:Sirefef-JQ)

Hello James An, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a...

2 more replies

It seems as if this is an ongoing problem from going through a few threads and searches so you can add my name in the list of infected pcs!

Trojan-

I have tried running AVG, will move the files to virus vault, but it keeps finding new files.

Ran Malwarebytes, cleared out what is found.

Ran Spy Bot Search & Destroy, cleared that out

Cleared out all the browser temp files & cookies, even did a system restore since I saw that suggestion around some other forums.

Still have the trojan files popping up.

Also there is an Adobe Flash Player Install popping up from time to time, not sure if that is related to the trojan virus.

Redirects in Chrome & Firefox, do not use IE.

Any help would be greatly appreciated!

Answer:Trojan.Crypt.Aqlw & Adobe Flash Installer

Hello and welcome. Let's take a look here and see how it is after these.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using the "Reset FF Proxy Settings" option Firefox should be closed.

>>> Please download and scan with SUPERAntiSpyware Free
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
For instructions with screenshots, please refer to the How to use SUPERAntiSpyware to scan and remove malware from your computer Guide.
An icon will be created on your desktop. Double-click that icon to launch the program.
If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE...

1 more replies
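The checks the MiniToolBox reply above asks for (proxy settings, hosts file, IP/DNS configuration, Winsock entries, DNS flush), together with the driver verification the earlier threads needed (tdx.sys called a "fraud copy" by SUPERAntiSpyware, cdrom.sys and dfsc.sys reported by aswMBR), as one added PowerShell triage script. This is an editorial example, not a tool from the thread and not MiniToolBox's own code. It assumes Windows PowerShell 2.0 or later run from an elevated prompt on the suspect machine, English-language netsh output, and the default driver file names; Sysinternals sigcheck.exe is only mentioned as the follow-up check for catalog-signed files.

```powershell
# Added triage script for the redirect and replaced-driver symptoms in these
# threads. Not a tool from the thread: it reproduces the MiniToolBox checks
# and verifies the drivers the posters named. Assumes Windows PowerShell 2.0+,
# elevated, English netsh output.

$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-ProxyReport {
    # WinINET (IE, and anything that inherits IE settings) proxy and PAC
    # settings. A ProxyServer or AutoConfigURL the user never set is the
    # classic browser-redirect hook.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $ieLine = "IE ProxyEnable=$($ie.ProxyEnable) ProxyServer=$($ie.ProxyServer) AutoConfigURL=$($ie.AutoConfigURL)"
    # Firefox keeps its own proxy choice in each profile's prefs.js.
    $ff = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
        ForEach-Object { Select-String -Path $_.FullName -Pattern 'network\.proxy' } |
        ForEach-Object { "FF $($_.Line.Trim())" }
    @($ieLine) + @($ff)
}

function Get-HostsOverrides {
    # Any active hosts entry other than the loopback defaults is worth a look;
    # redirect kits use them to black-hole AV update servers.
    $hosts = Join-Path $sys32 'drivers\etc\hosts'
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
}

function Get-DnsServers {
    # DNS servers per IP-enabled adapter; compare with what the router/ISP should hand out.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
        ForEach-Object { "$($_.Description): $($_.DNSServerSearchOrder -join ', ')" }
}

function Get-WinsockProviders {
    # Every socket call passes through the Layered Service Providers in the
    # Winsock catalog; a provider DLL outside System32 deserves a close look.
    netsh winsock show catalog | ForEach-Object {
        if ($_ -match 'Provider Path:\s*(.+)$') {
            $path = [Environment]::ExpandEnvironmentVariables($matches[1].Trim())
            $flag = if ($path -like "$sys32\*") { 'ok    ' } else { 'REVIEW' }
            "$flag $path"
        }
    }
}

function Test-NamedDrivers {
    param([string[]]$Names = @('tdx.sys', 'cdrom.sys', 'dfsc.sys'))
    # Before PowerShell 5, Get-AuthenticodeSignature only reads embedded
    # signatures, and Windows signs its own drivers through catalogs, so on
    # XP/Vista/7 "NotSigned" is inconclusive and must be re-checked with
    # Sysinternals sigcheck (sigcheck.exe -q -a <file>). "HashMismatch", a
    # non-Microsoft signer, or a LastWriteTime far newer than the service pack
    # is a real finding either way. tdx.sys and dfsc.sys exist only on Vista
    # and later, so MISSING for those on XP is normal.
    foreach ($n in $Names) {
        $p = Join-Path $sys32 "drivers\$n"
        if (-not (Test-Path $p)) { "$n MISSING"; continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $item   = Get-Item $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        "$n status=$($sig.Status) signer=$signer size=$($item.Length) modified=$($item.LastWriteTime.ToString('yyyy-MM-dd'))"
    }
}

'== Proxy ==';   Get-ProxyReport
'== Hosts ==';   Get-HostsOverrides
'== DNS ==';     Get-DnsServers
'== Winsock =='; Get-WinsockProviders
'== Drivers =='; Test-NamedDrivers
# MiniToolBox also flushes the resolver cache; do it after reporting so a
# poisoned cached answer cannot outlive the proxy/hosts hooks once they are removed.
ipconfig /flushdns | Out-Null
```

Read the output top to bottom: a proxy or AutoConfigURL nobody set, a hosts line that is not the loopback default, a DNS server that is not the router or ISP, or a Winsock provider marked REVIEW each explains the redirects on its own. In the driver section, status HashMismatch, a signer that is not Microsoft, or a modification date far newer than the installed service pack is the replaced-driver case the posters in these threads hit; a plain NotSigned on XP/Vista/7 is not evidence by itself until sigcheck confirms it.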

Hello, my computer I believe is infected with a virus Trojan Crypt.AQLW
I'm not sure what information you need (or really how to get it), but any help would be very much appreciated, and all instruction will be followed to the letter.
 

Answer:AVG is telling me computer is infected Trojan Crypt.AQLW

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything. Note if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disable UAC and rebooted first if you are running Windows Vista or Windows 7.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
[*]Starting your computer in Safe mode
If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes (links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does no...

1 more replies

I ran a full scan with avast today and it only found one threat.
It was win32:crypt-pfh [trj] which had the file path of C:\ProgramData\Microsoft\Search\Data\Applications\Windows
 
I searched it up online and found a microsoft answers where a representative had responded saying that it was a false positive and that it is a system file. The answer: http://answers.microsoft.com/en-us/windows/forum/windows_7-security/suspected-trojandropper-in-tmpedb-file/8fe699fc-aae1-4b26-9bc0-55cb24608fbe
 
But, looking on another forum a user advised the person asking the question to turn off Desktop Search by using the toolbar and deselecting it. When I tried to do the same, there was no option to turn off the toolbar for Desktop Search because desktop search is not on the list.
 
If anyone can help me in identifying this as a FP or not I would greatly appreciate it, as Avast considered the file to be of high severity.
 
Thanks, Hermes
 
Edit: Forgot one small detail, I had tried to move the file to avast's quarantine chest with no effect, tried to repair it, nothing, finally I chose the fix automatically option and it seems to have worked. but, this does not downgrade my concern as to whether my computer is infected or not.
 
Edit 4:32pm: Ran a threat scan with malwarebytes, came back clean.
Also ran a scan with Adwcleaner and nothing significant there.

More replies

This problem started when I recognized the OpenCloud Security process running. My computer had gotten slow and I was trying to figure out why.
I believe I cleaned out the OpenCloud Security malware, but the pc is still slow. There are browser redirects/popups, and my windows firewall has been shut down. When I try to start it, it gives an error that says something about a service and supporting services not running. It will not let me start the services, so I have downloaded and installed Comodo. I can't use F8 to boot into safe, I can only get there by using msconfig.


MalwareBytes found this:
c:\Users\Brandi\AppData\LocalLow\Sun\Java\deployment\cache\6.0\34\1f57a762-4b742277 (Backdoor.IRCBot)


SuperAntiSpyware found something called exploit.pdf


Avira keeps popping up a notification that says:
A virus or unwanted program TR/Crypt.ULPM.Gen was found in
C:\Windows\assembly\tmp\kwrd.dll

I click to remove but it still comes back. When I scan with Avira, SAS, or MWBytes, they find nothing.

I am running Vista Home Premium 64 bit
Here is my DDS.txt log:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.6001.19088 BrowserJavaVersion: 1.6.0_26
Run by Brandi at 10:32:28 on 2011-09-30
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.1.1033.18.4054.2148 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP:...

Answer:TR/Crypt.ULPM.Gen found by Avira

Hello

We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.

If you have questions regarding any of the instructions or problems running any tools, please let us know.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.



We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

A guide and tutorial on using ComboFix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

8 more replies
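Two of the problems above have the same root: ComboFix still "seeing" AVG after the removal tool was run (the Major Geeks reply explains it as an old entry in WMI), and the Windows Firewall in the Avira thread refusing to start because its supporting services will not run. Both are state that a scanner reads from Windows Security Center and the service database, and both can be inspected directly. The script below is an added editorial example, not from either thread and not ComboFix's or Avira's code: it lists the products registered with Security Center, flags registrations whose executable no longer exists, decodes the productState field the way the DDS logs on this page print it (Enabled/Disabled, Updated/Outdated), and reports the firewall-related services. It assumes Windows PowerShell 2.0 or later run elevated, root\SecurityCenter2 on Vista/7 and root\SecurityCenter on XP, and the productState decoding is an undocumented heuristic, labelled as such in the code.

```powershell
# Added example, not from the thread: inventories what Windows Security Center
# has registered (the WMI data a scanner consults when it reports an AV is
# still active) and the services Windows Firewall depends on.
# Assumes Windows PowerShell 2.0+ run elevated. Vista/7 expose the classes in
# root\SecurityCenter2; XP uses root\SecurityCenter and lacks productState and
# pathToSignedProductExe, so those columns stay empty there.

function ConvertTo-StateText([uint32]$State) {
    # productState is undocumented; this decoding is an assumption that matches
    # what the DDS logs on this page print (e.g. *Disabled/Outdated*):
    # middle byte 0x10 = real-time protection on, low byte 0x10 = definitions outdated.
    $rt  = if (($State -band 0xFF00) -eq 0x1000) { 'Enabled' } else { 'Disabled' }
    $upd = if (($State -band 0xFF) -eq 0x10) { 'Outdated' } else { 'Updated' }
    "$rt/$upd"
}

function Get-SecurityCenterProducts {
    $results = @()
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
            # @() so a missing namespace/class (wrong Windows version) yields an empty loop.
            foreach ($o in @(Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue)) {
                $exe = if ($o.pathToSignedProductExe) {
                    [Environment]::ExpandEnvironmentVariables($o.pathToSignedProductExe)
                } else { '' }
                # A registration whose executable is gone is the leftover of an
                # incomplete uninstall; only real file paths are checked, since
                # some products register a URI-style value here.
                $stale = ($exe -match '^[A-Za-z]:\\') -and -not (Test-Path -LiteralPath $exe)
                $state = if ($o.productState -ne $null) { ConvertTo-StateText $o.productState } else { 'n/a' }
                $results += New-Object PSObject -Property @{
                    Namespace = $ns
                    Class     = $class
                    Name      = $o.displayName
                    State     = $state
                    Stale     = $stale
                    Exe       = $exe
                }
            }
        }
    }
    $results
}

function Get-FirewallServiceState {
    # Windows Firewall (MpsSvc) cannot start without the Base Filtering Engine
    # (BFE); SharedAccess is the XP-era firewall service, wscsvc is Security
    # Center and WinDefend is Windows Defender. "not installed" for a service
    # that belongs to this Windows version means its service key is gone,
    # which is what produces the "supporting services not running" error.
    foreach ($name in 'BFE', 'MpsSvc', 'SharedAccess', 'wscsvc', 'WinDefend') {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc) { "$name state=$($svc.State) startmode=$($svc.StartMode)" }
        else      { "$name not installed" }
    }
}

Get-SecurityCenterProducts | Format-Table Namespace, Class, Name, State, Stale, Exe -AutoSize
Get-FirewallServiceState
```

A row with Stale=True is the leftover registration the Major Geeks reply mentions; the WMI object supports Delete(), for example `(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | Where-Object { $_.displayName -like 'AVG*' }).Delete()`, but only do that after confirming the product is really uninstalled, since a live product re-registers and a scanner that trusts the entry will otherwise keep refusing to run. For BFE or MpsSvc that show as stopped, `sc config BFE start= auto` followed by `net start BFE` and `net start MpsSvc` is the manual restart; if they report "not installed", the service keys have to be restored from a clean machine of the same Windows version and service pack, which is the part of the cleanup best left to the helper's tools.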

Hi, I have a problem with my laptop for some reason my avira antivirus wasn't able to remove the TR/Crypt.XPACK.Gen even though the detection is found. I tried scanning the file directory that contains the virus but the only thing that my antivirus program did was sending it to quarantine.. for all I know, it is still there in my C: drive. How should I get rid of this virus? (the antivirus notification is getting really annoying lately)..
 
Thanks!

Answer:TR/Crypt.XPACK.Gen was found and couldn't make it go away. Help!

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/536102 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies

Since Avira picked it up I updated Java, ran ComboFix, and downloaded Malwarebytes. Can someone help me make sense of the logs and get rid of this virus? Thanks in advance.

Answer:Avira found TR/Crypt.ZPACK.Gen2

Also, Malwarebytes found this: disable.cryptsvc. I googled it and it looks like cryptsvc is legitimate but I can't find anyone talking about disable.cryptsvc specifically. I quarantined it for now. Does anyone know what this is?

15 more replies

I have been working on a Sony Vaio laptop (Windows XP, SP2) for about 7 hours now.
Originally it had no functionality due to the Windows Recovery Virus, but having tackled that (using ComboFix) I have now found further problems. It was first apparent when Windows IE redirected and Google Chrome failed to load. Programs are failing to install properly and my memory sticks are infected every time I insert them into the laptop. However, after following instructions for obtaining diagnostics using the following as a guide:
http://www.bleepingcomputer.com/forums/topic368072.html
I would like some further guidance. Hopefully it should be a simple case but the sooner the better, until then I'll continue to see if I can do anything myself.

Thanks for your time.

Nick.

Answer:Windows XP initially with Windows Recovery Virus, but subsequent infections found.

Well...I don't think that it's wise to use a malware topic for a specific person on a specific system...with perhaps other problems...as a "guide" for self-troubleshooting.

That said, I will move your topic to the Am I Infected forum where those experienced with malware situations...can advise/suggest.

Louis

2 more replies
Question: Found ZeroAccess

I recently was instructed to create another post about finding ZeroAccess and reference my other post here:
 
http://www.bleepingcomputer.com/forums/t/565155/ads-by-randomprice-adware/#entry3613691
 
Any help would be greatly appreciated. Thank you.

Answer:Found ZeroAccess

Ok, so you still need to follow the Prep Guide as instructed in Post 7 of that other topic.

4 more replies
Question: Found ZeroAccess

Sorry, I thought the FRST and Addition logs were already taken care of by the last post. They are both pasted below because I can't figure out how to attach the Addition log.
 
FRST Log
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-02-2015
Ran by Josh (administrator) on JOSH-PC on 07-02-2015 11:28:24
Running from C:\Users\Josh\Downloads
Loaded Profiles: Josh & Tiff (Available profiles: Josh & Tiff)
Platform: Microsoft Windows 7 Professional  Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Google Inc.) C:\Program Files\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Microsoft Corporation) C:\Program Files\Skype\Tool... Read more

Answer:Found ZeroAccess

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Run this tool to clean your Temporary files/Folders.
Download TFC to your desktop.
Close any open windows.
Double click the TFC icon to run the program.
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted, it should not take long to finish.
Once it's finished, click OK to reboot.
If it does not reboot, reboot your system manually.
===
Open notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.

start

CloseProcesses:

(Company) C:\Program Files\Popcorn Time\Updater.exe
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-562459901-1482382580-3887097223-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
ShellExecuteHooks: - {AEB6717E-7E19-11d0-97EE-00C04FD91972} - No File [ ]
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin HKU\S-1-5-21-562459901-1482382580-3887097223-1000: CouponNetwork.com/CMDUniversalCouponPrintActivator -> C:\Users\Josh\AppData\Roaming
\CATALI~1\NPBCSK~1.DLL (Catalina Marketing Corporation)
FF Extension: 50Ceouponss - C:\Users\Josh\AppData\Roaming\Mozilla\Firefox\Profiles\ds7b9x07.default\Extensio... Read more

11 more replies

After I ran MGlogs, my computer would not connect to the internet. That was fun. System Restore fixed it. I hope System Restore did not alter the logs in any way. The programs did not seem to find anything, but I have a problem that originated on Facebook. Posted in the other topic forum.

My laptop freezes, gets really loud, slows and stops loading and flashes when I go on Facebook. Whatever was causing that had migrated to other areas in the computer and began to be problematic in the same way, but System Restore fixed that. System Restore did not fix the Facebook problem though.

I was hoping someone here might have some experience with this. Thanks!
 

Answer:Ran The Scans. Looks Like They Found Nothing.

Not finding any malware, but please attach the log from running RogueKiller.
 

10 more replies

Hello,
I use Avira Internet Security 2012. Yesterday when I was doing a daily scan I found this trojan tr/crypt.xpack.gen, and Avira quarantined it. I restarted my system and it took ages to restart. I uninstalled Avira and downloaded Bitdefender Total Security 2013 (Trial) and scanned my system with it and it didn't find anything; even Malwarebytes didn't find anything, but still my system is all messed up. When I tried to turn it off it got stuck on the 'Logging Off' screen; I waited 20 mins, but nothing happened so I turned it off directly.

Now I want to know if there is a way to fix this? When I start my laptop, after the 'Starting Windows 7' screen I get a black screen with a mouse cursor for about 5 mins, then I get the system login screen. Same thing when I turn it off, it takes ages.

Also I'd be really grateful if someone could recommend a good anti-virus with good real-time protection. Is Bitdefender good? If it is I will happily buy it, anything to save my system. Thanks in advance.

Answer:Found & Deleted > tr/crypt.xpack.gen but now system is super slow.

Have you tried scanning your computer with Malwarebytes in Safe Mode?

To get to Safe Mode:

While the PC is booting up, tap the F8 key. Choose Safe Mode. You could choose Safe Mode with Networking if you need to update the definitions of Malwarebytes.

1 more replies

Rkill 2.6.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html
Program started at: 05/16/2014 01:13:39 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\@ [ZA File]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\L\ [ZA Dir]
* C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\U\ [ZA Dir]
* ALERT: ZEROACCESS Reparse Point/Junction found!
* C:\Program Files\Windows Defender\en-US => c:\windows\system32\config\ [Dir]
* C:\Program Files\Windows Defender\MpAsDesc.dll => c:\windows\system32\config [File]
* C:\Program Files\Windows Defender\MpClient.dll => c:\windows\system32\config [File]
* C:\Program Files... Read more

Answer:ZeroAccess Infection Found

attached dss zip file

40 more replies

Hello, I should apologize first as I'm not particularly knowledgeable about computers, but I'd really appreciate some help here.

My problem is that something is using up around 50% (sometimes less, a lot of times more) of my CPU power, even when no applications are running. I've looked at the programs in the task manager, comparing them to an online database, and nothing is in there that should not be in there. The programs with the highest memory usage are programs like Firefox, svchost, and a bunch of McAfee programs which have never caused this problem before. Oh, and the processor is an Athlon 64 X2 dual-core, with one GB of RAM.

This just started on Friday, after years of having this computer. I was first alerted to this problem when McAfee detected the trojan "Generic PWS.y" and said it couldn't be removed, and I noticed that the computer's CPU temperature climbed up to about 54 degrees C, way more than usual. I ran McAfee virus scan, Lavasoft's Ad-Aware, and Microsoft Defender but none of them found anything. I tried checking the hard disk for errors, and defragging, but that didn't solve it.

System Restore never worked, no matter what the date, it always said "Restoration Incomplete" and that no changes could be made.

My dad (who knows more about computers than me but he can't figure this out either) shut down some unnecessary programs from the startup list but that didn't help, neither did CCleaner. Finally I read a tip on the Generic... Read more

Answer:CPU usage always around 50%, various scans found nothing

Have you used HijackThis? If not, go ahead and download that program, scan your system and save the log file. You can then post that in the HijackThis forum so members can help you there.

You did a good thing in turning off System Restore to scan for viruses. I would suggest rebooting the computer and going into Safe Mode with Networking and running that virus scan again. Try out the Bitdefender Online scanner; do a Google search for the exact link. I have used that numerous times and it always helps to find viruses/adware that other anti-virus progs don't detect.

Sometimes you can't remove a virus when in Normal mode because the service that is attached to the virus is in use. When booting to Safe Mode it only loads the necessary drivers and services, nothing else.

Hope I can be of some help.

2 more replies

Hello, I am running Microsoft XP Media Center Edition Service Pack 3. I have McAfee Security Center as firewall and antivirus. I use Malwarebytes Anti-Malware to remove malicious programs and have HijackThis installed but don't know how to use it. The problem comes when I use Internet Explorer 8 and try to search using either Bing or Google (these are my preferred search providers): I get the search results, but when I click the link I get redirected to some other outrageous search page. McAfee finds no trace of this virus, neither does Malwarebytes. Below is a copy of the log file from HijackThis. Please help, this is very frustrating.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:57 PM, on 3/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C... Read more

Answer:infection not found with various scans

Here is my DDS file and attach file.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Administrator at 21:52:14.90 on Mon 03/22/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.702.365 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\GamersFirst\LIVE!\Live.exe
C:\Program Files\EarthLink\ISP\ISP8200\Browser\Bartshel.exe
svchost.exe
C:\WINDOWS\arservice.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1... Read more

24 more replies

I normally running McAfee Security Suite which found some problems the other day. Today, I noticed that I am unable to run a couple of programs. Also, it appears that my virus scanner is shut down. I tried to install Malware Bytes but got an error and was unable to install. I ran RKILL and it gave me the following (ZEROACCESS rootkit found):

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 01/16/2013 06:31:12 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\New User\Desktop\rkill\rkill-01-16-2013-06-31-13.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\$Recycle.Bin\... Read more

Answer:RKILL found ZEROACCESS entry

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your malware problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top o... Read more

23 more replies
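The two Rkill logs above (this post and the Vista one a few posts up) flag the same ZeroAccess traces: a hidden "$<32 hex>" folder under $Recycle.Bin\<SID> holding an "@" file plus "L" and "U" subfolders, junctions under Program Files\Windows Defender that resolve into system32\config, and hijacked CLSID InprocServer32 values. The script below is an added example, not Rkill's code or anything posted in these threads: it checks a drive root for those traces on a constructed sample tree (junctions simulated with symlinks), and its CLSID check assumes, as an assumption the logs do not show, that a hijacked InprocServer32 points at a DLL inside that Recycle Bin folder.

```python
"""Find ZeroAccess-style artifacts matching the Rkill alerts in the posts above.

Added example (not Rkill's code). The registry part takes a plain dict of
CLSID -> InprocServer32 default value so the whole thing runs on any OS.
"""
import os
import re
import stat
import tempfile

# Payload folder name seen in the log: "$" followed by 32 hex digits.
ZA_DIR_RE = re.compile(r"^\$[0-9a-f]{32}$", re.IGNORECASE)
# Per-user folders inside $Recycle.Bin are named after the user's SID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")

# Constructed sample of InprocServer32 values. The two CLSIDs are the ones the
# second Rkill log tags "[ZA Reg Hijack]"; the paths are an assumption (a DLL
# named "n" inside the Recycle Bin payload folder), not taken from the log.
SAMPLE_INPROC = {
    "{5839FCA9-774D-42A1-ACDA-D6A79037F57F}":
        r"C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\n",
    "{fbeb8a05-beee-4442-804e-409d6c4515e9}":
        r"C:\$Recycle.Bin\S-1-5-21-1313530273-2412965177-1143821080-1000\$ff24043d55f85ce9a20a8337d9b4b888\n",
    "{00000000-0000-0000-0000-000000000001}": r"C:\Windows\System32\placeholder.dll",  # benign, constructed
}


def _is_reparse_point(path):
    """True for a junction or symlink. On Windows use the reparse-point attribute
    that lstat exposes; elsewhere fall back to symlinks (used in the sample tree)."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)
    if attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0):
        return True
    return os.path.islink(path)


def find_recyclebin_payload(drive_root):
    """$Recycle.Bin\<SID>\$<hex> folders that carry the @ file and L/U subfolders."""
    hits = []
    rb = os.path.join(drive_root, "$Recycle.Bin")
    if not os.path.isdir(rb):
        return hits
    for sid in os.listdir(rb):
        sid_dir = os.path.join(rb, sid)
        if not (SID_RE.match(sid) and os.path.isdir(sid_dir)):
            continue
        for name in os.listdir(sid_dir):
            d = os.path.join(sid_dir, name)
            if not (ZA_DIR_RE.match(name) and os.path.isdir(d)):
                continue
            markers = (os.path.isfile(os.path.join(d, "@")),
                       os.path.isdir(os.path.join(d, "L")),
                       os.path.isdir(os.path.join(d, "U")))
            if all(markers):
                hits.append(d)
    return sorted(hits)


def find_defender_junctions(drive_root):
    """(entry, target) for reparse points in Program Files\Windows Defender whose
    target resolves into Windows\System32\config, as the log's second alert shows."""
    hits = []
    defender = os.path.join(drive_root, "Program Files", "Windows Defender")
    if not os.path.isdir(defender):
        return hits
    config_dir = os.path.realpath(os.path.join(drive_root, "Windows", "System32", "config"))
    for name in os.listdir(defender):
        p = os.path.join(defender, name)
        if _is_reparse_point(p):
            target = os.path.realpath(p)
            if target.lower().startswith(config_dir.lower()):
                hits.append((p, target))
    return sorted(hits)


def find_clsid_hijacks(inproc_values):
    """CLSIDs whose InprocServer32 DLL lives in a $Recycle.Bin\...\$<hex>\ folder."""
    flagged = []
    for clsid, dll in inproc_values.items():
        norm = dll.replace("/", "\\").lower()
        if "\\$recycle.bin\\" in norm and re.search(r"\\\$[0-9a-f]{32}\\", norm):
            flagged.append(clsid)
    return sorted(flagged)


def build_sample_tree(root):
    """Constructed layout copied from the first Rkill log, plus benign neighbours."""
    sid = "S-1-5-21-1313530273-2412965177-1143821080-1000"
    za = os.path.join(root, "$Recycle.Bin", sid, "$ff24043d55f85ce9a20a8337d9b4b888")
    os.makedirs(os.path.join(za, "L"))
    os.makedirs(os.path.join(za, "U"))
    open(os.path.join(za, "@"), "wb").close()
    os.makedirs(os.path.join(root, "$Recycle.Bin", sid, "$RABC123.txt"))  # ordinary bin entry
    config = os.path.join(root, "Windows", "System32", "config")
    os.makedirs(config)
    defender = os.path.join(root, "Program Files", "Windows Defender")
    os.makedirs(defender)
    # Junctions from the log, simulated with symlinks to system32\config.
    os.symlink(config, os.path.join(defender, "en-US"), target_is_directory=True)
    os.symlink(config, os.path.join(defender, "MpAsDesc.dll"))
    open(os.path.join(defender, "MpCmdRun.exe"), "wb").close()  # regular file, not flagged


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {
            "payload_dirs": [os.path.basename(p) for p in find_recyclebin_payload(tmp)],
            "junctions": [os.path.basename(p) for p, _ in find_defender_junctions(tmp)],
            "clsid_hijacks": find_clsid_hijacks(SAMPLE_INPROC),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```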

I was having a problem running Malwarebytes. It now runs after completely uninstalling using their tool and re-installing after using RKill and SUPERAntiSpyware remover. RKill still finds symptoms of ZeroAccess on my computer in the way of several files in my local folder. I do not know how to remove those files. Something keeps disabling real-time protection in Malwarebytes. Other than that I have not seen anything out of the ordinary.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17420  BrowserJavaVersion: 10.51.2
Run by Mike at 19:16:49 on 2014-11-14
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8191.4039 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Disabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\s... Read more

Answer:ZeroAccess Symptoms found by RKill

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

16 more replies

A few days ago I started getting the fake Acrobat and Java update requests. I ignored them and then started getting random redirects to http://63.209.69.107 with IE using any search engine as well as directed to other random sites.
I ran a full scan with McAfee and it found ZeroAccess!cfg, along with Exploit-CVE2012-1723 in 3 different locations, and JV/Exploit-Blacole.q that was located in a Sun/Java folder. It cleaned and deleted them.
Continued to get the same symptoms.
Ran Malwarebytes which came back clean.
Ran a McAfee Stinger, no change
Ran TDSSKILLER, clean
Ran DDS and it ran and attached logs
Ran GMER; it only allowed me to select Services, Registry, Files, C:, and ADS. All other boxes are greyed out and cannot be selected.
I tried the instance of GMER on another machine and all options were selectable

Answer:Found ZeroAccess!cfg with McAfee, but still getting redirects

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems.
I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the ... Read more

25 more replies

Hello,
 
A colleague's browser is being redirected - both IE and Firefox on a 64 bit machine running Win7.
 
AVG Antivirus Business Edition moved some items to the virus vault, but the problem continued.
 
We ran Malwarebytes, which found Scorpion Saver and SavingBull, which were deleted.
 
We downloaded and ran RKill, which found the ZeroAccess toolkit.
 
We downloaded and ran Hitman Pro, which found nothing.
 
We re-ran Malwarebytes, and nothing was found.
 
I see lots of suggestions for dealing with the ZeroAccess toolkit. Is there a consensus on the best method to do so?
 
Pam H.

Answer:Redirection - ZeroAccess Toolkit found

Hi,
 
You are infected with ZeroAccess, we will need more advanced tools to deal with it:
 
Please follow the instructions in THIS GUIDE starting at Step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
xXToffeeXx~ 

2 more replies

\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\System Volume Information\_restore{7FECEBA8-84EB-40AB-BC2B-38ABE387330A}\RP107\A0214351.dll

This is the location of a Virus.

I've done scans up the yin-yang and I still can't find it, but my AVG keeps on giving me a warning message about it. So, where is this virus and how do I get rid of it? By the way, it's a Trojan, and it has the word Flood in it.
 

Answer:My AVG found a virus, but my scans didn't...

You need to turn System Restore off.
For XP http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam

For ME http://service1.symantec.com/SUPPOR...2001012513122239?OpenDocument&src=sec_doc_nam

This will purge your restore points - after that you can turn it back on.
 

1 more replies

Other than when clicking on search results in Google, all is well. Here is the scan log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:55 PM, on 5/23/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Nero\Nero 9\NeroDiscCopy9.Gadget\NeroGadgetCMServer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=691... Read more

Answer:hijack not found in software scans

Hello ncdoc0623414,
Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.
Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe
Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is diffi... Read more

5 more replies

I have been having ongoing trouble with redirects occurring not just with Google as others have stated but with any link from anywhere including this site. It doesn't happen with every click but it always happens.
They are also not always redirects. Often when I click a link within a page another full size window pops up in the background and almost always goes to a URL beginning with www.google-analytics.com.
And the ever popular redirect to a spyware scanner happens quite frequently as well.

I have run:
Norton 360
MalwareBytes
SuperAntiSpyware
Kaspersky TDSSKiller
Microsoft Security Essentials
Avira

None of them find any problems.

I have not noticed any problems with other programs not running correctly. This only occurs within my browser.
Using IE8 and Running Win7 Pro

DDS.txt is below
I ran GMER and it didn't allow me to make changes to the checkboxes. It ran as follows:
X Services
X Registry
X Files
X C:\
X ADS

The scan came back clean (no system modifications found). It did not produce the ARK.TXT file.

DDS (Ver_10-10-21.02) - NTFS_AMD64
Run by Scott at 8:04:45.84 on Fri 10/22/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2558.729 [GMT -4:00]

SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32�... Read more

Answer:Redirects occurring from everywhere, scans found nothing

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.
I will be working on your malware issues, this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you... Read more

3 more replies

Hi,

I Just went through the "Read and Run Me First" procedures and there are things on my computer that need to be removed. I would appreciate help removing them if possible.

Thanks in advance!
 

Answer:Removing malware found on scans

Not too much to do.

Re run Hitman and have it delete Potential Unwanted Programs.


Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


O2 - BHO: (no name) - {04A1B386-D2DA-4361-8A4B-0F3F42863BB0} - C:\Users\Dad\AppData\Local\TCPIPx86_x64.dll (file missing)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

After clicking Fix exit HJT.



Download and run OTM.

Download OTM by Old Timer and save it to your Desktop.


Right-click OTM.exe And select " Run as administrator " to run it.
Paste the following code under the area. Do not include the word Code.


Code:

:Files
C:\Users\Dad\AppData\Local\TCPIPx86_x64.dll
C:\Program Files (x86)\MyPC Backup

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2410}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{17FFC4B4-7026-4E2E-A1C4-18941B6CCCA7}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2410}]

:Commands
[emptyt... Read more

9 more replies

I haven't noticed any side effects from the virus yet, but I'm worried about my AVG scan results. Please see if there is anything wrong.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:33:37 PM, on 24/04/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16766)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\uTorrent\uTorrent.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\AVG\AVG10\avgtray.exe
C:\Program Files (x86)\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\AVG\AVG10\avgui.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Orion Hsu\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/USCON/23
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/USCON/23
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink... Read more

Answer:Trojan Sheur3 Found In AV Scans

I scanned again a day later and it found nothing, and the computer seems to be completely fine.
 

1 more replies