Computer Support Forum

Smitfraud-C Removal and removal steps questions

Question: Smitfraud-C Removal and removal steps questions

I am working on my Dad's computer in his office and I have a few questions BEFORE I run CCleaner. I am in the process of following the "Read and run this before posting" but I want to make sure of a few things first. When I run CCleaner am I to let it clean all the cookies as well? I know that there are a few sites that my Dad goes to on a regular basis and I am afraid that it will wipe out cookies that he needs. Could someone please advise?

Relevance 100%

Answer: Smitfraud-C Removal and removal steps questions

While cookies are not really problems to be concerned with, it is better to let CCleaner remove them so that the other scans don't take as long to run. In addition, it can tremendously reduce the size of logs that have to be read. So yes, clean cookies, but you can first just tell CCleaner which cookies to keep. It is part of the features which you should learn to use and configure.

Be careful with Spybot and SmitFraud-C. Lately I have been seeing it remove rundll32.exe which you do not want to do. Also if you truly have SmitFraud, you should run one of the special removal procedures (mentioned in the READ ME). Like one (only one) of the below:

SpywareStrike, Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

SpywareQuake & SpyFalcon Removal Procedure

5 more replies
Relevance 101.27%

Defenders of the Universe:

Please assist.

I'm running a Vista SP1 machine and it's infected with Smitfraud-c and Virtumonde.

I was a good little girl and followed all of the steps in the malware removal guide, including the specific steps for vista.

I also tried out the miri smitfraud removal app.

Winpatrol is still detecting evil. I get a prompt about the following being added to the task scheduler:

wusydtqb
C:\Windows\System32\rundll32

This all started when I thought I could be smart by disabling the java updating services. Of course I now know that the few seconds I saved doing so wasn't worth it as it left me vulnerable to malware. D'oh!

Please assist - here are all of the logs from the removal/detection apps I've run.

Thanks,

Katie
 

Answer:vista removal steps unsuccessful - virtumonde, smitfraud-c

additional logs:
 

4 more replies
Relevance 94.71%

Hello, I have somehow gotten the trojan-spy.html.Smitfraud.c; it is an error message on the startup screen and it says the computer is operating in safe mode. Can someone please help??? I have run hijack. For any help I would be soooo grateful. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 2:56:40 PM, on 4/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\o11edn2jxl4wwmthd.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\wp.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\P... Read more

Answer:Trojan-spy.Smitfraud removal questions

Hi, welcome to TSG.

You need to get XP SP1 ASAP and all other patches, as you're open to multiple threats.
Make a new folder in C:\ and call it Hijack this, and Save hijack this to
this folder so that it runs properly and can make back ups. Click scan,
then save the log and post it here so we can take a look at it for you.
Go to this site and download these tools, and once you get both
adaware and spybot, update both of them.

Set adaware to do a full system scan and deselect "search for negligible risk entries".
Click next to start the scan. Delete everything adaware finds.

reboot and now run spybot

Spybot: Search and destroy.

Delete what spybot finds marked in red. After updating spybot hit the
immunize button.

reboot again
With CWshredder close all browsers and programmes and select the FIX button.

Go here and download Microsoft Antispyware Beta. First in the top menu click
File then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.

All tools can be downloaded at the... Read more

1 more replies
Relevance 75.85%

A short while back the malware forum helped me with a PUP issue.

http://forums.majorgeeks.com/index.php?threads/checking-before-i-delete-pups.296008/

I now have a new build and I am wanting to keep it as clean as possible. I am wanting to install a PDF editor program. My choices of programs all seem to have "Ghostscript" as part of their install. I cannot get solid confirmation from the web regarding the safety of Ghostscript. Yesterday I posted a thread in MG Software, but, as of yet, no one has replied.

So, thus my following question. If I install a program with GhostScript and find that the GhostScript itself also brings with it some malware - then can I basically follow the same steps as the above linked thread to start and/or complete a cleaning? After installing the program I plan on doing a Malwarebytes scan to find out if any infection has taken place.

In fact, I guess I should actually install Malwarebytes 'before' installing the software that contains GhostScript.

Also, should I start a new thread, aside from this thread, if I find any signs of Malware from the install of any software containing GhostScript?

Thanks for any advice and guidance.

Dekade
 

Answer:Can I Use The Same Removal Steps As Before???

You should install Malwarebytes first then scan whatever downloaded PDF editor program before installing it. You could even upload the file to VirusTotal for scanning.




Dekade said:

Also, should I start a new thread, aside from this thread, if I find any signs of Malware from the install of any software containing GhostScript?

No - do not start another thread. In the case of a suspected malware infection, this is ALWAYS the starting point to receive help, as noted under the heading of this forum.




Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.

READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker)
 

10 more replies
Relevance 75.03%

Could one of you pros take a look at the logs, just to be sure? In particular, I'm curious what you think of the ATI startup and RRLog results.

My system was near instantaneously infected when I enabled Vuze -- P2P. Surprise, surprise. Well, actually I was surprised that it was so quick, and so brutal...

System froze up, then rebooted... 3 virus protection scanners didn't work, access control lists were modified to lock out access, I could not enter safe mode, etc.

I disconnected from the net immediately and tried to recover. Safe mode was the problem -- after correcting AGP440 and MUP issues, in Safe Mode Combo Fix allowed the operation of all other tools (without it, none worked except CCleaner and SuperAnti-Spyware, which failed to detect any issues.)

The rest ran smoothly, and my system appears fine. I would really appreciate it if someone would skim the logs. I wouldn't be surprised if there were at least cleanup ops that you would recommend. All suggestions welcome.

In advance of any reply, THANK YOU for the help so far. I encountered many issues and it took 2 days to "recover", but your guide is excellent.

S
 

Answer:Removal steps worked, Thanks! OR, uh, so it seems?

Final log of 5, attached
 

2 more replies
Relevance 75.03%

I've completed all the recommended steps and I'm wondering what to do next. I think I've attached all the necessary logs. Any help would be greatly appreciated!
 

Answer:Completed removal steps, what next?

Welcome to Major Geeks!

You forgot to attach your ComboFix log which I see is extremely large. You will need to put it into a ZIP file so that it gets compressed to be small enough to attach. Then attach it. We will get started without it but I do need to see it.



Okay now we need to use a new tool.

Download and save RenV.exe to your Desktop (must be on the Desktop)
Now Copy the bold text in the below code box to notepad. Make sure you scroll thru all of the code box to get all lines selected. Save it as Log.txt to your desktop. (It must be on your Desktop).

Code:

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Apoint2K\Apoint .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Lexmark 2300 Series\ezprint .exe
C:\Program Files\Lexmark 2300 Series\lxcgmon .exe
C:\Program Files\Lexmark Fax Solutions\fm3032 .exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent .exe
C:\Program Files\ltmoh\Ltmoh .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\McAfee.com\Agent\mcupdate .exe
C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
C:\Program Files\McAfee.com\Agent\MCUPDA~2 .EXE
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe
C:\Program Files\Microsoft ActiveSync\wcescomm .exe... Read more

8 more replies
Relevance 75.03%

Hi.

4 days ago my machine began running slow, mouse was erratic, net was dragging and every re-boot I got the error window as in the attached screenshot.

After running Norton as standard - and Advance System Care (which I then deleted) and finding nothing I came here - and followed your advice to the letter. The log attachments are below. I'm stumped - please help. Thanks.

I'm running W8, 64 Bit. 6.00 gig Ram, i5.
 

Answer:Malware Removal? All steps taken?

plus this TDSKILLER log.
 

31 more replies
Relevance 75.03%

So In the past maybe 5? months I've been redirected to:
2 times aferesearchgroup.com claiming to be a charter survey (Charter doesn't know about this at all and the website is basically unlisted on google)
1 time Browser hijacker and my anti-virus/mbam were unable to find anything wrong.
 
I've run adwcleaner, jrt, and rkill to try and remove any threats..
 
Is there anything else I can do to block any potential attacks?
 
 
 
Edit: I use webroot pro and google chrome

More replies
Relevance 75.03%

My problem:

Trying to remove bts.scour from my computer. Looked up and followed the following script from an earlier post request that was similar...

Have done the first step and have posted the scan results below the 1st step.

My computer is Windows 7

Do i go to the 2nd step and proceed as though it is the same issue?
(2nd step, Download aswMBR, Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log, Post the log results here

3rd step, Download ESET online scanner, Install it, Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply)
johnsherry
Member

Group:Members
Posts:22
Joined:05-September 12
Posted 05 September 2012 - 08:08 AM
Apparently picked up a redirect virus that is not detected by my antivirus protection as I have run scans with both. I went through the system files and could not readily identify anything there for a chance of manually removing it. I need help removing this virus from my PC.

Thanks in advance.

John


--------------------------------------------------------------------------------

#2 narenxp
Forum Addict

Group:BC Advisor
Posts:8,516
Joined:24-October 11
Gender:Male
Location:India
Posted 05 September 2012 - 08:10 AM
Download

TDSSkiller

Launch it.Click on change ... Read more

Answer:bts.scour removal steps

Will wait for other two logs

13 more replies
Relevance 75.03%

I have been to several forums about Mebroot removal and I still don't follow exactly how to do them. I would like experts to please tell me exactly what steps to follow. I have used Superantispyware, Malwarebytes and ESET (it is the only one that notifies me about Mebroot). I also have combofix and rootrepeal but I don't know how to use them. Also tried ESET Mebroot removal tool and FixMeBroot by Symantec, which doesn't help.

Ads from Internet Explorer keep popping up and my volume continues to get disabled.

mbr gives me the following:

device: opened successfully
user: error reading MBR
kernel: MBR read successfully

Answer:Mebroot removal steps

Hello, Please go here.... Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If Gmer won't run, skip it and move on. Let me know if that went well.

2 more replies
Relevance 75.03%

Hi gents. I've recently (2 days ago) been infected by the virus/trojan which was started when I stupidly downloaded a fake "adobe" video codec.

Symptoms were that my desktop background changed, some tabs were disabled in properties (right click on background picture > Properties). It also had a Windows "AntiVirus XP 2008" program which ran scans saying I have thousands of viruses.

I have followed all the steps shown in this thread: http://forums.majorgeeks.com/showthread.php?t=139313

However, after restarting my computer after running combofix, the desktop properties and back ground picture changed back to the infected state. And I get popups of a false "Windows Security Alert" every now and again.

This is really doing my nuts in. Please help me sirs.
 

Answer:Still Infected after removal steps

Here is the MGtools log.

Hope this provides enough information
 

8 more replies
Relevance 75.03%

Dear Tech Support Guy,

I have come across several other threads where you systematically guided people through the various tools needed to successfully remove SVCHost.exe virus. I too have that issue and wish to be guided through fixing this problem. I will wait to hear from you.

Best regards,

-Hunter
 

Answer:SVCHost.exe Removal Help Steps

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:21:33 PM, on 2/2/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Opera\opera.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Users\Hunter\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search.yahoo.com/?fr=w3i&type=W3i_SP,204,0_0,StartPage,20120102,16897,0,6,0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Int... Read more

3 more replies
Relevance 75.03%

Hello, I have a problem with my Google Chrome... A few weeks ago when I reinstalled it my search engine changed from Google to arabyonline and also in addition random ads popping up all the time which i unable in extensions.

Currently, I have the search engine locked to be Arabyonline, "enforced by administrator". My search engine was Google before and had icons on the top right, but after this arabyonline becoming the default search engine, that is missing, and also when I try to search no more suggestions appear like how they appeared when I used Google. I have no idea if anything else is infected as well.

I did many things, tried to install the following: Malwarebytes, AVG Internet Security, SpyHunter, and I also uninstalled Chrome and reinstalled it. All of this only fixed the home page, everything else is still the same. Please, help me out! I tried everything I can, I've been trying for the past few weeks to get rid of it. I managed to get rid of the ads and take control of the home page but that's it!
My search engine is still locked to Arabyonline saying "enforced by administrator".
After seeing some of your posts I have scanned using Farbar Recovery and attached first and addition files.
Kindly tell me the further procedures. Please help me!
 

Answer:arabyonline(removal steps please)

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit forum several times at day, making sure to respond to everyon... Read more

6 more replies
Relevance 75.03%

Thanks to Grinler (and to all the other BP volunteers/staff) for posting easy to follow step-by-step removal instructions for common malware. http://www.bleepingcomputer.com/virus-removal/ and http://www.bleepingcomputer.com/forums/t/171335/spyware-and-malware-removal-guides-index/ You guys and gals have helped me multiple times in the past and don't get enough praise! For all you other newbs, the links above are great places for self-help before you attempt to scan or post logs asking for help.

Answer:Thanks for the Removal step-by-steps

Thanks for the kind words and you're welcome on behalf of the Bleeping Computer community.

1 more replies
Relevance 75.03%

Hello-

My wife's PC started having problems and when I ran Spybot it showed a braviax infection. Removed but continued to have problems. Ran a few other programs to try and get it all cleaned up but no luck. Found your site and followed the steps.

It appeared to have cleaned the issues up...malwarebytes and SAS showed clear. But I ran Kaspersky and got a hit for some wurldmedia files. I'll include that log as well.

This same braviax issue infected her pc a year ago. I'm wondering if I left some trace behind that it re-infected with.

Thanks in advance for any help you can give!

James
 

Answer:followed malware removal steps..gone?

attached are two more logs...thanks
 

19 more replies
Relevance 75.03%

I first noticed a problem Saturday 9/26/09. To the best of my memory, I got redirected to a website on Saturday that my antivirus said was malicious. I use AVG 8.5 but when I left the site my computer began giving warnings that it was infected. My browser started to open what appeared to be innocuous websites. I went to my AVG and ran it. It detected a virus and a couple of Trojans and deleted them but I got an error message after trying to delete the other files it detected. When I tried to run the AVG again, it appeared fine but wouldn't start a scan. I went to Major Geeks and downloaded various spyware removers and a virus remover, i.e. AVIRA which detected and deleted some Trojans and/or viruses, AdAware which also deleted some malware and Spybot Search and Destroy which errored with a message that it would not run because I lacked the special privileges. I was still having trouble with AVG so I deleted it and reinstalled; at first it would get error messages and wouldn't allow me to delete it but I eventually got it to delete. I reinstalled and ran a scan again. Subsequent to that, I was unable to run again and unable to delete it. I went to your forum and followed the malware removal instructions. SuperAntispyware ran well and found infections that it deleted but Malwarebytes wouldn't run. If memory serves, it would start but then quickly disappear from the screen. ComboFix, Rootrepeal and MGTools all ran well. Unfortunately I am still having the ... Read more

Answer:Cannot run all the Removal Steps, still having problems

Welcome to Major Geeks!





schmitz5 said:

and now am unable to open SuperAntispyware to retrieve my log so I am unable to include that.

You don't need to run it to attach the log. The log is already saved to the below location. Just attach it.
Code:

"C:\Documents and Settings\Gary.CHLOEII.001\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Logs\"
Sep 27 2009 1073 "SUPERAntiSpyware Scan Log - 09-27-2009 - 12-11-22.log"

Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
Open Notepad and copy/paste the text in the below quote box into it:




KILLALL::

File::
C:\WINDOWS\win32k.sys
C:\WINDOWS\Temp\1e6d6ece-f365-4eb7-8f4d-ee6d3c9b102a.tmp
C:\WINDOWS\Temp\238d0b4d-8553-488c-b82e-89314456e9c8.tmp
C:\WINDOWS\Temp\321d99a2-81a5-4453-af13-aef73db7577b.tmp
C:\WINDOWS\Temp\355c352e-6742-41b5-8120-706a6995c685.tmp
C:\WINDOWS\Temp\613bec91-27c3-456d-9918-85af90bfeda1.tmp
C:\WINDOWS\Temp\7d7c99a2-5be8-4591-b795-7516622556ff.tmp
C:\WINDOWS\Temp\b4b807b7-bca1-4bb1-bf84-97a... Read more

15 more replies
Relevance 75.03%

Continuation to http://www.bleepingcomputer.com/forums/t/333603/mebroot-removal-steps/ I ran DDS 3 hrs ago and had the files ready for your request. Hoping that doesn't change anything. Please check attached files. Gmer runs well for me, it's just I don't know how to really use it.

Answer:MeBroot removal steps

In response to Orange Blossom here: http://www.bleepingcomputer.com/forums/t/333603/mebroot-removal-steps/ I thought I should inform you folks that I ran CC Cleaner to fix my reg as opposed by "you should NOT make further changes to your computer". So am I required to re-run DDS script?

9 more replies
Relevance 75.03%

I'm running Windows XP, service pack 2.
Only started having problems tonight. I had searched for an episode of "flashforward episode 6" on Google. Got a link that looked trustworthy on ask yahoo. Clicked to dl video controller so I could watch. Problems occurred after that. I get redirected on all searches etc. Spybot won't run. AVG completely disappeared from my computer after a restart..
Found this site.

Followed all steps possible.
I have a 64 bit computer so I had to skip a the parts listed.
Completed all steps in registration email. Got to the XP cleaning section.
Installed and used SuperAntispyware. When rebooted and tried to run again for log file, I got message: windows cannot access the specified device, path or file... I tried to use alternate start and nothing happens. Used repair and got message that I don't have privileges. How can I retrieve log file? I can't even find any txt files in SuperAntispyware folder.. It did find and delete 5 trojans and 1 other file

Moved onto install of mb.exe
I renamed files as told to. Started program after install. Chose quick scan as told. Program closed on its own. Reinstalled program, double checked re-naming of files etc. and used full scan this time, program closed again.
Can't run other programs because I'm on 64 bit processor...

Installed mgtools to c:\mgtools.exe
Double clicked .exe with no av running and black window briefly appears, then disappears. Nothing happens..

ran win32diag.exe
program stops
... Read more

Answer:Completed all steps for removal. please help

Why is my post completely gone? I followed all steps in the registration email. I was up till 1:30 am doing all the things asked of me. I wake up looking for good news and I have my whole post gone?

Kyle
 

15 more replies
Relevance 75.03%

Hello,
I've completed the Read and Run Me First steps, and the various scans have turned up a lot of scary-looking files. My laptop, which runs Windows 7, has been experiencing a few ongoing problems:

I have to reconnect to my wireless Internet whenever I log out of Windows even though I have set the computer to log in automatically. This has been going on for a month or so.
Whenever I use a search box on a web page, advertisements automatically appear. I haven't been able to remove this problem, which has been happening for at least a month.
My bank's web site alerted me that I may be getting redirected to an unsecure site. This was alarming.
My Internet has been getting steadily slower. I realize this could be due to a number of causes.
I'd very much appreciate advice on how to proceed. Thank you in advance.
 

Answer:Malware Removal Next Steps?

Welcome to Major Geeks!

While I look thru all of your logs, run Hitman Pro again and allow it to remove all of the Malware remnants and Potential Unwanted Programs items it found. Then reboot your PC. After reboot, run a new scan with Hitman Pro and attach the new log.





neilers17 said:

My bank's web site alerted me that I may be getting redirected to an unsecure site. This was alarming.

Have you used a different PC to change all passwords? Or called your bank to ask them to change passwords?
 

2 more replies
Relevance 75.03%

I'm so glad you're out there to help! I followed all the steps outlined on your site & I still need some removal help. I'm working on my nephew's machine & he doesn't have the CD's that came with his laptop, so starting over wasn't an option.

He has a Toshiba Satellite laptop, celeron 2.8 ghz, 192 mb ram, 60 gb hd with 20 gb free. Running Windows XP Home with all updates. The machine is running with no major problems now, but I know there are still some bad things out there. I ran a new hjt this morning since I ran all the others last weekend. I'm attaching what I can now.

Thank you so much for your help! Shelley
 

Answer:Need Removal Help-Followed Defined Steps

Continue by downloading a tool we will need - Pocket KillBox

Save it to its own folder somewhere that you will be able to locate it later.
Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
C:\WINDOWS\System32\n?pdb.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [vz8YXH4uh] C:\documents and settings\billy gene\local settings\temp\vz8YXH4uh.exe
O4 - HKLM\..\Run: [VvQWF] C:\documents and settings\billy gene\local settings\temp\VvQWF.exe
O4 - HKLM\..\Run: [u7Xy] C:\documents and settings\billy gene\local settings\temp\u7Xy.exe
O4 - HKLM\..\Run: [p0yp81WI] C:\windows\system32\p0yp81WI.exe
O4 - HKLM\..\Run: [o7yrOCUPm] C:\documents and settings\billy gene\local settings\temp\o7yrOCUPm.exe
O4 - HKLM\..\Run: [Lo] C:\documents and settings\billy gene\local settings\temp\Lo.exe
O4 - HKLM\..\Run: [lMm4zGyC7] C:\documents and settings\billy gene\local settings\temp\lMm4zGyC7.exe
O4 - HKLM\..\Run: [Ijc.exe] c:\windows\system32\Ijc.exe
O4 - HKLM\..\Run: [iGYTExK9] C:\documents and settings\billy ge... Read more

22 more replies
Relevance 75.03%

About 3 weeks ago I started getting random pop-ups when I was on the web. Firefox/IE crash at random, and will not reopen until I restart my system. Restarting also takes longer than it used to, it has to save some dill program that has been running, and I always just click "END NOW" instead. My computer has been slower, and my NOD 32 antivirus program keeps saying it found something, but it has not been able to remove it. I think it is "TROJAN/VUNDO". I don't know much about computers, but I can follow directions - somewhat. I'm not in a rush so please don't attempt to help me if you are. I am not sure which log files I should post on here, so I will wait till I get a response. Thank You ALL - THIS WEBsite is Amazing

Answer:Problem, please help - I already went through Removal Steps

first: http://www.computerhope.com/forum/index.php/topic,69848.0.html

also, right now we really only have one active malware removal specialist - our other one is very busy with this new game called "real life". Since there is only one, he has to help all the people requesting help in the malware forum. IMO he is quite quick. However, since he runs through from bottom to top (first come first serve) - and bumping your thread puts it at the top - it makes it take longer.

1 more replies
Relevance 75.03%

Hi, recently I've been noticing a lot of pop-ups, usually with every new address I open, or I will have a really slow internet activation time (when I start Google Chrome it takes forevaaaaa). I have also noticed a program called strongvault. I immediately googled it and came to this awesome forum site. When I was reading through a post, I realized I also had what I thought was another malware program: delta search bar. I left my room door open one day and my roommate's friend went on a downloading spree, and since then I've been having these problems. I have also noticed toolbars in my Mozilla and Chrome popping up when I start them; I reinstalled Mozilla and Chrome and that fixed it. Since I ran CCleaner (today), I haven't really had many pop-ups, but I did do all of the other steps and I have some logs for you awesome tech-savvy people to look through =P. I noticed quite a few threats detected with all of the scans that I did; however, TDSSKiller did not show results for threats so I left that log out. I greatly appreciate the effort you all put forward to helping people like me (I feel so lost haha). I am a very patient person, so no bumping of this thread will happen, I assure you. THANKS!
 

Answer:malware removal *followed all steps (1-4)

Rerun MBAM and have it fix everything it found.

Now Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:

[TASK][ROGUE ST] 0 : c:\program files (x86)\internet explorer\iexplore.exe -> FOUND
[TASK][ROGUE ST] 4808 : wscript.exe C:\Users\Jonathan Hawley\AppData\Local\Temp\launchie.vbs //B

Place a checkmark next to each of these items; leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Now rerun Hitman and have it fix everything it found.

Reboot and rescan with both RogueKiller and Hitman and attach those new logs as well.

Be sure to tell me how things are running.
 

10 more replies
Relevance 75.03%

Hello
I have tried to research this myself but am still unsure.
When the antivirus program quarantines a trojan, does it do any harm to leave it there?
There are choices;1-remove,2-repair,3-report to Mcafee.
I asked them but am getting contradictions and vague answers.
I do not want to remove a necessary file with a 'simple' removal but how are you supposed to know what will happen when you click remove?
I will continue to research this but could use an educated response.
Thank you
 

Answer:malware removal steps

peterr said:

When the antivirus program quarantines a trojan, does it do any harm to leave it there?

No, other than the fact that other scanners could detect it. Once you are sure that something that was quarantined was not a false detection, you can empty the quarantine.





peterr said:

There are choices;1-remove,2-repair,3-report to Mcafee.
I asked them but am getting contradictions and vague answers.
I do not want to remove a necessary file with a 'simple' removal but how are you supposed to know what will happen when you click remove?

If something is truly malware, it needs to be fixed. Sometimes a fix means delete the file since it is not a necessary file; however, other times a file that is necessary for Windows or for some other program could truly get infected and the first thing you would like to do is repair (i.e. remove the infection) if possible. Sometimes a repair is not possible and you will need to delete/quarantine the file and then replace it with a good copy. Care must be taken not to delete a file required for your PC to boot or run properly, which is why sometimes a scanner may detect a problem but could say that it cannot be fixed. If they fix it, it could make your PC unbootable.

Sometimes scanners will have False Positives (FP) which McAfee has quite a few of and you need to report them or they will never fix them and they will ke... Read more

5 more replies
Relevance 74.21%

I'm brand new to the forum, and somewhat of a novice at this... The problem first started off with the Antivirus 2010 windows popping up all over the place, followed by my icons, toolbar and everything else disappearing on my desktop. I was able to get rid of the majority of the virus problems with malware bytes. But I'm still unable to download the current definitions for the program. The malware is blocking Malware bytes, ad aware, and spybot from connecting to the internet. Any help will be greatly appreciated. Thanks, Brandon.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:18 PM, on 2/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files ... Read more

Answer:malware still present after trying all removal steps.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

2 more replies
Relevance 74.21%

Hello, I am a victim of the FBI Virus and have tried every forum and YouTube video but have gotten nowhere! I have an Eee PC tablet with Windows XP Home Edition. The virus has locked me out of one of my administrator accounts. Each time I logged in using any of the safe modes I get a big white screen. I cannot log into any. I have logged into the other administrator account on my computer and tried to access my main account (that's locked) but failed. I keep getting an "access denied" message. I really need to retrieve all of the photos and videos from the account that is locked, that is why I am so desperate to get into it. Please, with the information given, can someone tell me how to remove this virus? Thank you.
Eee PC Netbook******** I apologize!!

Answer:FBI Virus Removal Steps Needed

Run the scans from the other admin account.

Please download TDSSKiller from here and save it to your Desktop.
Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example).
If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.

Click Start Scan and allow the scan process to run.

If threats are detected select Skip for all of them unless I instruct you otherwise.
Click Continue.

Click Reboot computer.
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\) in your reply.

===================================================
aswMBR
--------------------
Download aswMBR and save it to your desktop.
Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
If you need help to disable your protection programs see here and here.
Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.

When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.

Please post the contents of the log in ... Read more

5 more replies
Relevance 74.21%

Hi. In the last week or two, I have noticed that my computer is running slower than normal, as in taking a long time to open web pages, and on a few occasions I have been viewing a website, only to find that it disappears and a completely different website appears. I have run Windows Defender; that turned up nothing. I also have Spybot, which turned up a load of usage tracks, which I removed anyway. So I just thought I would post these three logs to you to see if there is anything interesting in there. I am new to all this, but I have printed the "self help" pages out for the Computer Hope HijackThis process tool, to try and understand it a bit more. I am running Windows XP Pro SP3, Internet Explorer 8. Thank you for your time looking at the logs. [attachment deleted by admin]

More replies
Relevance 74.21%

Good evening,

Earlier today I clicked on a website link after searching for lyrics to a particular song. Immediately, a large, full-page pop-up alerted me to the fact that I had some sort of infection and that my computer was at risk. No matter how many times I attempted to click the red X and remove the box, it just reappeared and prevented me from returning to the IE browser tab to close it. The warning box gave a phone number to call to get help with the situation.

At first, I thought that the message was from Microsoft and called the toll-free number. When some other company answered, I told them I did not want their help and hung up. I, instead, manually opened the Microsoft Security Essentials control box and started a full scan. At the end of the scan, I was told that the scan found no issues which surprised me since I thought that the warning box was still inhibiting my access to my IE browser.

Looking around in an attempt to find more information, I selected the MSE History tab and found two items previously quarantined. I selected them and removed them. Afterward, I was able to close the IE tab associated with the warning box by hovering over the IE icon in my taskbar, but I don't know if that timing was simply a coincidence since the quarantined items were not from today's scan.

I provided all of the information because I am not sure whether I need to do anything else, at this point. Everything appears to be back to normal, but I don'... Read more

More replies
Relevance 74.21%

Please can someone look at my logs, not sure if I got rid of all virus. I've run through the malware removal steps and here are my logs for superanti spyware/malwarebytes anti-malware/HJT

SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 12/07/2008 at 07:04 PM
Application Version : 4.21.1004
Core Rules Database Version : 3665
Trace Rules Database Version: 1645
Scan type       : Complete Scan
Total Scan Time : 00:39:02
Memory items scanned      : 313
Memory threats detected   : 0
Registry items scanned    : 5797
Registry threats detected : 7
File items scanned        : 22934
File threats detected     : 12
Adware.Tracking Cookie
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][1].txt
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][1].txt
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][2].txt
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][2].txt
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][2].txt
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][2].txt
   C:\Documents and Settings\Matt & Ariana\Cookies\matt_&[email protected][1].txt ... Read more

Answer:Logs for following malware removal steps

Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.

For Windows XP Systems install the Recovery Console:
- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
- If for some reason your Internet is not working click No.
- If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA click OK.
- Accept Microsoft's EULA (Click Yes).
- When you are told that the RC is installed correctly click YES to continue scanning for malware.

When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

1 more replies
Relevance 74.21%

Hi. Hope I'm doing this right. I'm confused because I thought I would be removing the malware that was detected by Hitman by the Hitman software, as opposed to sending something in. Forgive my ignorance.

Here are some logs you asked that be saved.
 

Answer:Finished the Malware Removal steps. What's next?

Welcome to Major Geeks!
Exit any programs that you may have started.
Please disconnect any USB or external drives from the computer before you run this scan!
Rerun RogueKiller ( if running Vista,Win7, or Win8 user right-click and select Run as Administrator to run ) for WinXP and Win 2K just double click to run
Wait until Prescan has finished
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
click on "delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and attach the content of the Notepad into your next reply.
The log should be found in a new RKreport[x].txt on your Desktop
Exit/Close RogueKiller and reboot your PC.
Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R3 - URLSearchHook: (no name) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
R3 - URLSearchHook: (no name) - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
R3 - URLSearchHook: (no name) - {d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0} - (no file)
O2 - BHO: (no name) - cardisabled - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no nam... Read more

14 more replies
Relevance 74.21%

I'm having problems with my Windows 7. The machine has been behaving odd lately, a few random bluescreens, the display drivers seem to be buggy as in Windows Aero is not working and I cannot view any videos in VLC, having a considerate amount of missing .dll issues and I cannot access Device Manager to check anything. I suspect some kind of malware. I have the 5 logs attached to my post.
 

Answer:Help with malware removal - have completed steps in FAQ

Your logs are clean. You may need to post in the software forum for further assistance. You should remove either AVG or Kaspersky Internet Security.

Have you tried doing a system restore?
 

7 more replies
Relevance 74.21%

I keep getting redirected, probably 90% of the time, when I use any sort of search engine link. Usually I get redirected to another search engine with results similar to whatever I looked up in my original search engine. I also get a popup window a few times a day, usually linking me to a news ad about Google ads. If you need to know anything more specific please let me know, but those are the only things I can see not working properly. And here are the results of the scans I was requested to run and paste, thank you for your help!

Also, I do not have access to my Windows Install Disc

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dan at 9:27:07.89 on Tue 09/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1407.711 [GMT -6:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe... Read more

Answer:Reply to First Steps for Malware removal

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please download Rootkit Unhooker and save it on your desktop.
Disable your security programs
Double click RKUnhookerLE.exe to run it
Click the Report tab, then click Scan
Check Drivers, Stealth Code, Files, and Code Hooks
Uncheck the rest, then click OK
When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
Wait till the scanner has finished then go File > Save Report
Save the report somewhere you can find it. Click Close
Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning it is ok, just ignore it:
"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
Rootkit Unhooker log

14 more replies
Relevance 74.21%

STEP 1: Remove Hao.360.cn redirect with AdwCleaner
STEP 2: Remove Hao.360.cn browse hijacker Junkware Removal Tool
STEP 3: Clean up the various Windows shortcuts that have been hijacked by Hao.360.cn virus [can't be done. my properties doesn't have the extra links behind]
STEP 4: Remove Hao.360.cn virus with Malwarebytes Anti-Malware Free
STEP 5: Double-check for the "Hao.360.cn" malware with HitmanPro
(OPTIONAL) STEP 4: Scan your computer with Zemana AntiMalware [detected the virus but failed to remove] SEE ATTACHED , previously firefox url was in zemana too, but somehow it got removed.
(OPTIONAL) STEP 5: Reset your browser to default settings
DongFang input was installed and uninstalled but nothing else has happened until this time. Is it due to my McAfee recently expired and I have not downloaded free AVG? Please help! Thanks!
 

More replies
Relevance 74.21%

My first post.
Problem computer is on a domain. User clicked on a link in an email they thought was from Linked In. Problems included multiple windows claiming read/write delay; bad hdd-memory. All desktop icons disappeared, etc. Symantec reports "Suspicious.Ad" infection.
I ran the malware removal steps. mbam, MG, RR & Superantispyware logs are attached. Combofix hung up at the scanning stage ("may take ten minutes . . . could be double") so I never got a log. This may be due to Symantec Real time Scanning which I couldn't disable because this is an Endpoint client machine on the network. I may have to uninstall that.
After cleaning symptoms:
no browser redirects but occasionally a browser window opens on its own for facebook login or something about twitter. This user doesn't do facebook or twitter.
Most folders on C drive are marked hidden; start>programs folder is empty; memory errors when trying to create PDF files. Trying not to use the computer so there may be other symptoms I haven't encountered.
Your help is appreciated.
Thank You,
Jody
 

Answer:Malware removal steps didn't fix everything

No logs attached I'm afraid.

Also you need to take a look at this:

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
It will show a Black screen with some information that will contain either the below line if no problem is found:
Done! Press ENTER to exit...

Or you will see more information like below if a problem is found:
Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

 

11 more replies
Relevance 74.21%

Hello,

There was/is an extensive thread on removing the MyWay Search Assistant posted in 2005. I carefully followed all steps up to where she was instructed to copy some items into the registry. I've saved all logs but am new to this so will wait to hear from someone before posting them.
What I have is that MyWay is still listed in the Add/Remove programs but it fails and cannot remove it.
Running Super AntiSpyware on a brief scan does not find it but on a complete or full scan it does. Searching the registry using regedit I find it in multiple locations. Not sure how to get a txt file from regedit. The other suggested registry search tool in that old thread is now a broken link.
Thank you for any assistance you may offer.
 

Answer:I've followed all the steps in the old 2005 MyWay removal and no joy

Welcome to Major Geeks!

Instructions from 3 years ago may no longer apply and using instructions given to someone else is not always a good idea either. Try the below:

Click Start, Run, and enter the below into the Run box and click OK.

msiexec.exe /quiet /x{78d944d7-a97b-4004-ab0a-b5ad06839940}

If the above does not work, you will need to do the below.


Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto an... Read more

1 more replies
Relevance 74.21%

I completed the malware removal process step by step (I think). Attached are logs. Please check and advise. Thanks in advance...bridgeman001
 

Answer:Malware removal steps completed, what now

Welcome to Major Geeks!

It would be more helpful if you explained what malware problems you are having. Also, have you been working on malware removal in another forum? I see you have BFU installed and I wondered why.

You forgot to attach the log from SUPERAntiSpyware. Did it find anything?


The only items I question right now are the below two files which appear to be drivers. Do you know what these are from?
Code:

2008-10-11 23:32 .2008-10-11 23:32 11,264 -a- H:\WINDOWS\system32\drivers\uzi0ote5.sys
2008-10-10 22:24 .2008-07-08 14:54 148,496 -a- H:\WINDOWS\system32\drivers\21466736.sys

R1 is-H3JRUdrv;is-H3JRUdrv;H:\WINDOWS\system32\DRIVERS\21466736.sys [2008-07-08 148496]
R1 uzi0ote5;AVZ-RK Kernel Driver;H:\WINDOWS\system32\Drivers\uzi0ote5.sys [2008-10-11 11264]

 

1 more replies
Relevance 74.21%

I've got Bifrose Backdoor trojan?!. My Spyware Doctor keeps picking it up, I quarantine & delete it, then it comes back next time I reboot.

I've run everything in the 'malware removal' thread (which I have saved as it's been used many times successfully!) & still it's returning!

Any ideas, anyone?

Cheers in advance, appreciated.

PS-here's the HijackThis log:
 

Answer:Ran the malware removal steps, still got a problem...

Welcome to MajorGeeks.com, please follow our standard cleaning procedures:

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support


Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
In your next post, please make sure you attach the following logs and that you have run these scans in the following order:

CounterSpy - ONLY IF you were not able to run Windows Defender
Bitdefender - from step 6
Panda Scan - from step 6
runkeys.txt - the log from GetRunKey.bat
newfiles.txt - the log from ShowNew.bat
HijackThis
NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
 

5 more replies
Relevance 74.21%

Hi, I have another laptop that seems to have gone all wonky. It is a Toshiba Laptop that was originally for Vista but the company wanted it to run XP Professional so they rigged it for XP. It has up to Service Pack 3 installed. I'm able to follow the removal steps up until SAS and Malware. Both programs can be downloaded but they won't execute from the desktop. I've even tried to rename Malware to just mbam and still didn't work. I can't even seem to install Hijack this either.

Answer:Can't follow the Malware removal steps :(

HijackThis doesn't need installing - it should just run from the root of the main drive. Try putting it in the C:\ directory then reboot and access safe mode (F8 on boot up). Try running what scans you can there. You most likely won't be able to install anything in safe mode though.

5 more replies
Relevance 74.21%

Still having issues with Roll Around after completing many steps I have found online:

Tried to find and uninstall program (nothing under rollaround, I did find one program by a different name that showed up as associated with roll around, which I uninstalled.)
I looked for recently installed programs, but all I see look legit. (iTunes)
Reset browser settings.

Ran McAfee and Malwarebytes a couple of times before looking up help. Followed steps on your website: Downloaded and ran AdwCleaner/deleted/rebooted. Downloaded and ran Junkware Removal Tool, Ran Malwarebytes again, (no threats found this time), Downloaded and ran HitmanPro, found four items and deleted them. (they were all trackware)
 

Answer:Roll Around Virus after many removal steps

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit the forum several times a day, making sure to respond to everyon... Read more

5 more replies
Relevance 74.21%

Dear all,

I have completed all Malware Removal steps after all index.php files on one of my webhosting provider were injected with
<img heigth="1" width="1" border="0" src="http://imgaaa.net/t.php?id=">

Since this apparently can only happen when my FTP passwords are retrieved I suspected my computer was infected by a keylogger? I included all log files except one(super antispyware), since this ran already for 1,5 hrs and nothing found yet, I will rerun this during the night again. I am running W7-64bit so didn't run rootrepeal.

3 files were deleted by combofix, are these indeed some kind of keyloggers? And am I free of this malware so I can startup my websites again?

Many thanks in advance.

Regards,

Kelvin
 

Answer:Confirm Removal Steps Succesfull?

I am not seeing any malware in your logs. I am also not seeing any AV protection software. What issues are you still having?
 

3 more replies
Relevance 74.21%

I have/had a virus/spyware/malware problem and upon doing an internet search I found your forum. I have followed the steps in "Read this before requesting malware removal help". Background - I mistakenly authorized a download (my AVE internet security warned me) and immediately knew it was loading bad software. Being a novice I panicked and tried to shutdown my computer and disconnected my high speed internet. When I restarted I had several anti-spyware icons on my desktop. I ran my AVE virus checker and it was finding viruses, but was running very slow. As it continued additional windows popped up warning that software was trying to access the internet. At first I clicked OK to not allow access, but then Internet Explorer would open. I decided not to click any more windows and just let my virus scan run. At one point the scan stopped before completing its check. It had removed and placed Trojans and other viruses in the vault. So I cancelled the scan. I was still receiving software unauthorized internet access windows popping up. I decided to run my Max Registry Cleaner to restore a prior registry. Following this no more unauthorized accesses occurred. I reran my virus scan and it ran fast. The only issue I have now is Windows Automatic Update is off and I can't turn it on. It will also not run manually. I received an error code 0x8DDD0018, but Micros... Read more

Answer:Malware removal help (dkinfl)- all steps followed

Open Hijackthis and select Do a system scan only then place a check mark next to:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now click Fix checked, exit Hijackthis and run CCleaner.

The logs look fine, any more signs of malware?

-----

Look here for your error message. http://support.microsoft.com/kb/910337

5 more replies
Relevance 74.21%

Here are the reports. Let me know what to do next.

Also, I play online rpg's a lot (particularly City of Heroes/Villains). I find myself getting a lot of "lag" when I play. Any way to put an end to this annoyance?

Thanks
 

Answer:Malware removal steps 1 - 6 completed

Hi Bookman1269!
Welcome to Major Geeks!

I'm missing 4 of your scans and the ones you ran weren't installed correctly. There is another way to do this which is a bit easier and produces less logs. Please go to this link NEW READ & RUN ME FIRST WITH MG TOOLS and follow the instructions. I suspect part of your lag may be from too many temporary files, which should be aided by running CCleaner at the beginning of the instructions in this link. You may also have malware, but I can't tell you that without seeing the logs.
When you finish with the instructions, you should have 4 logs:

- AVG Antispyware 7.5
- BitDefender (BDScan)
- Panda (activescan)
- mglogs.zip

Please make sure to follow the instructions for your operating system. Once we have a chance to look at these logs, we can tell you a little more about what's going on with your computer.

abri
 

1 more replies
Relevance 74.21%

I did all the steps for windows xp cleaning and still have problems. The two biggest are 1. When I boot my computer I'm flooded by notifications of mass outgoing e-mailings that my norton antivirus blocks and 2. I can't get my custom wallpaper to show up-it only shows up when I'm shutting down my computer. Spyware doctor (free trial) shows that I have over 70 infections. I'm attaching all sorts of logs that I have to date. I believe the malware infected my computer through an infected exe file. I would really appreciate any help I can get.
 

Answer:Malware Removal Help-I did all the steps and still have problems

more log files
 

6 more replies
Relevance 74.21%

I have been working on this for 7 hours, trying to get everything exactly as the read me file suggests and the other links in that thread. I am not that computer literate, plus don't fuss me if I didn't do something right :-o I'm trying. Thank You for any help. Here are my only 2 logs I could get (1 incomplete)
super antispyware log
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/03/2009 at 06:45 PM

Application Version : 4.31.1000

Core Rules Database Version : 4332
Trace Rules Database Version: 2186

Scan type : Complete Scan
Total Scan Time : 00:55:41

Memory items scanned : 389
Memory threats detected : 0
Registry items scanned : 5130
Registry threats detected : 2
File items scanned : 13934
File threats detected : 4

Adware.Gamevance
HKU\S-1-5-21-507921405-813497703-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3}
HKU\S-1-5-21-507921405-813497703-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

Trojan.Agent/Gen
E:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\TEMP\1E.TMP

Trojan.Dropper/Sys-NV
E:\WINDOWS\SYSTEM32\1D.TMP
E:\WINDOWS\SYSTEM32\FDE32.DLL

Trojan.Agent/Gen-FraudLoad
E:\WINDOWS\SYSTEM32\FDE32(2).DLL

MGtools log (not complete) attached
 

Answer:virus removal, problem with some of the steps

I FORGOT TO ADD MY NOTES AS REQUESTED IN READ ME AND OTHER STEPS ON THREAD.......
unable to download ccleaner says error 500
try to download defragmenter from maintenance page and it doesn't start
the download. I have 2 antivirus programs ...my antivirus that came
with my computer, symantec corporate edition has been disabled, and I
can't enable it. I can't run a scan, it says files are missing or moved.
I tried to remove the second antivirus (avg pro trial edition) rebooted
and it's not in add/remove programs anymore. but still in system tray
functioning.
tried to download malwarebytes anti-malware. I click on the link
to start the malwarebytes program and the download doesn't start.
(I didn't download the programs that didn't accept the 64 bit bc I didn't
know what I had)
I downloaded root repeal to my desktop. I double click on it and it says
windows cannot open the file, choose from a list to open it for you.
I didn't continue since I wasn't sure of what I was doing.
I downloaded mgtools. double clicked it and it started a prompt screen
during the scan for mgtools (I have a "windows -no disk"
error message that reads....
EXCEPTION PROCESSING MESSAGE C0000013 PARAMETERS 75B6BF9C 4 75B6BF9C
75B6BF9C)...I'm not sure if that's any useful information just thought I'd
include it. (it just came up again) (I clicked continue) (and the scan
has stalled out) not continuing the scan.... I had to close the window after about 30
minutes. I tried to re... Read more

14 more replies
Relevance 74.21%

I got a message yesterday and this morning when I started the computer and clicked to go online from my anti-virus program and something about a bad browser add-on called CBrowserHelper Object.

I have been having issues with the computer suddenly shutting down on me (sometimes after it has been on for less than an hour and other times when it has been on for a few hours). But when I turn the computer back on there is no message about the computer having been shut down improperly.

I was thinking that perhaps it is getting too hot since I know that hard drive is good (brand new one in fact and it passed all the hard drive tests) and since the battery on this laptop is really old I do not use it anymore and just keep it plugged into an outlet. I do keep the laptop elevated and the stand it is on has a fan running to help keep airflow to the underside of the laptop. I have ended up getting a small fan and putting it behind the laptop and keep that running as well to keep the laptop cool and then it does not shut down on me (at least not yet) which is why I was thinking that there might be an issue with the cooling of the laptop. It is a Gateway M1629 running Vista Home Premium 32 bit operating system with 3GB of RAM and an AMD processor.

However, after getting that message yesterday and this morning I figured I had better run the Malware steps here. I already run spyware and malware scans a few times a week and they found nothing. Unless the last step found some... Read more

Answer:just ran all steps for malware removal and cleaning

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.


Search-Results Toolbar <<< Uninstall this.


Re run Hitman Pro and have it remove everything APART from:





Miniport ____________________________________________________________________

Primary
DriverObject . . . : 876B6688
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 00000000 +0
IRP_MJ_SCSI . . . : 884451F8 +0
Solution
DriverObject . . . : 876B6688
DriverName . . . . : \Driver\atapi
DriverPath . . . . : \SystemRoot\system32\drivers\atapi.sys
StartIo . . . . . : 00000000 +0
IRP_MJ_SCSI . . . : 85C88A2C \SystemRoot\system32\drivers\ataport.SYS+18988


And the entry on the Repairs tab is okay too I believe.



Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Attach JRT.txt to your next message.


Now run the C:\MGtools\GetLogs.... Read more

17 more replies
Relevance 73.8%

MS Removal Tool is a rogue software. It restricts you from accessing your desktop. You cannot start Task Manager, and you cannot open Internet Explorer or any other programs. This situation is the result of malware (a variant of Win32/Winwebsec) that is infecting your computer.
To remove the MS Removal Tool, follow the steps below:

Boot your computer into Safe Mode.

Windows XP and Windows Vista:
Start your computer and press and hold the F8 key.
A Windows Advanced Options menu will appear. Use your arrow keys to scroll to Safe Mode and click the Enter key.
Click the Start button, and then click Run.
Type cmd then click OK. A black command prompt window will appear.

Locate the affected directories:

Windows XP:
Type cd c:\Documents and Settings\All Users\Application Data\ and press the Enter key.
Type dir and press the Enter key.

Windows Vista:
Type cd c:\ProgramData\ and press the Enter key.
Type dir and press the Enter key.
Type c:\Users\All Users\ and press the Enter key.
Type dir and press the Enter key.

Scroll through the list to find directories with random names that contain 18 characters. For example: cHl08200gMhHd08200 , pJg08200fBmPl08200.
Type rd /s /q <random name>, and then press the Enter key. Replace <random name> with the 18 character name. Repeat this step for each random name you find.
Type reg delete hkcu\software\microsoft\windows\currentversion\run once /v <random name> /f, and then press the Enter key. Replace <random name> with the 18 cha... Read more

More replies
Relevance 73.39%

Hi, I need some help with my laptop. Hope computer hope can help me. At first my laptop cannot run any applications. the file **** is infected. I tried to format my laptop but can't, it keep on shutting down when I try to boot from CD. Thus, I followed all the malware removal steps. then, everything is running back to normal. Just that I can't get connected to the internet. Can you help me, how to fix this? Herewith, I paste all the logs, in case if it is needed.

SuperAntispyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/16/2010 at 01:00 PM

Application Version : 4.41.1000

Core Rules Database Version : 5360
Trace Rules Database Version: 3172

Scan type : Complete Scan
Total Scan Time : 02:21:40

Memory items scanned : 578
Memory threats detected : 0
Registry items scanned : 8322
Registry threats detected : 2
File items scanned : 131293
File threats detected : 22

Trojan.Agent/Gen-Frauder
[jjlghcfp] C:\DOCUMENTS AND SETTINGS\IMAN\LOCAL SETTINGS\APPLICATION DATA\AFLGBTIDE\NCKLCBSSHDW.EXE
C:\DOCUMENTS AND SETTINGS\IMAN\LOCAL SETTINGS\APPLICATION DATA\AFLGBTIDE\NCKLCBSSHDW.EXE
[jjlghcfp] C:\DOCUMENTS AND SETTINGS\IMAN\LOCAL SETTINGS\APPLICATION DATA\AFLGBTIDE\NCKLCBSSHDW.EXE

Adware.Tracking Cookie
C:\Documents and Settings\iman\Cookies\[email protected][1].txt &... Read more

Answer:done the malware removal steps, but can't get connected to the internet.

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the desktop.

************************************

Open HijackThis and select Do a system scan only
Place a check mark next to the following entries: (if there)

R1 - HKCU\Software\Microsoft\Windows\Curren... Read more

8 more replies
Relevance 73.39%

I still seem to be having issues with pop-ups. I've attached the 5 logs from running the MGtools. Can anyone take a look and tell me if I still have problems that weren't removed?
 

Answer:I performed all the steps following the malware removal guide, but...

Here are the other two logs.
 

13 more replies
Relevance 73.39%

Ransom virus popped up on kid's phone (yeah, I know)...Samsung Axiom running Android 4.1.2. None of the tactics found online work. Avast does not open. Tried installing Malwarebytes...installed, but unable to open through play store. I tried hooking it up to a pc with Malwarebytes, but the program won't let me scan the phone.
 
I need ideas. Please help.

Answer:android: malware removal steps not working

G'day nomad, Click on THIS LINK,...(I am assuming this is not the avast program you already have) ....install the program, follow the prompts, and let me know if it gives you any joy.

3 more replies
Relevance 73.39%

I was having trouble with win32:malware-gen and some other assorted baddies. Every time I double-click on "My Computer" or most of my desktop icons, it automatically tries to install SmartWebPrinting and I was also getting redirects through Firefox and it wasn't letting me get at it until I found you guys. Went through the malware removal process and the redirects seem to be gone, but my system still tries to install SmartWebPrinting anytime I double-click an icon.

Here are my logs from the steps of the process. Thank you for your help!
 

Answer:Followed malware removal steps, but one lingering issue...

Here is the SAS log...
 

4 more replies
Relevance 73.39%

I ran all the malware removal steps and everything went well. I am attaching logs. I also have MGlogs.zip on my hard drive will you guys need this? Thanks for the help its worked well. Everything went in the order the directions said.
 

Answer:I ran all steps from READ & RUN ME FIRST. Malware Removal Guide

Sending the MGlogs.zip file
 

2 more replies
Relevance 73.39%

I have followed the removal guide to the letter and I am still getting the trojan downloader BHO.BHG or BHO.BGL thing anytime I hit a webpage, it's making my AVG work overtime. I am also getting website redirects. I did have the virtumonde thing and tried the alternative scan for that, it keeps trying to fix the same thing every time I reboot.
the spybot scan: "couldn't fix all problems, associated files in use (memory)", I never saw that before.

Attached are the requested files when asking for help, everything was done in order.

I appreciate any help that you folks could provide and thank you in advance.

Brian
 

Answer:Malware removal steps completed, problems still around...

Additional scans requested
note, the AVG scan saved in the .tab format, it will not upload.

Thanks in advance
Brian
 

11 more replies
Relevance 73.39%

Read this please, it was my original Topic of my Problem it explains it most.
Link to Topic.

DDS Log:

DDS (Ver_10-11-27.01) - NTFSx86
Run by Kyuubi at 12:22:44.70 on Fri 12/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

============== Running Processes ===============

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\off... Read more

Answer:Rootkit Removal - steps followed, dunno title for it.

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

18 more replies
Relevance 73.39%

Hello fellow geeks,

I am trying to clean up a machine that had a few infections. I have run through all the steps prescribed in this thread: http://forums.majorgeeks.com/showthread.php?t=35407

The only item coming up in any of the scans shows up in spybot. It is a PSGuard registry key, located at HKLM\Software\ShudderLTD\PSGuard

Spybot cannot fix this problem (I have run in safe mode, rebooted into safemode again, rebooted into normal mode, etc.). I have also tried to manually delete the object, but it says I am unable to delete the registry key. I am logged in as an administrator on this machine, and I have checked permissions to verify that I have Full Control over this object. I have also tried to take ownership of it, but I still cannot delete it.

This is the last piece of malware on this machine, and I would like to get rid of it. Can anyone help me?


Thank you in advance!
 

Answer:PsGuard Removal Help (Followed all steps in sticky threads)

Thanks...

Here is the logfile...
 

3 more replies
Relevance 73.39%

I downloaded both malwarebytes Anti malware and smithfraudfix. Malwarebyte won't open and smithfraudfix does not get rid of the virus. Please help as this is VERY annoying.

Answer:Personal AntiVirus Removal steps not working

If mbam won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.

8 more replies
Relevance 73.39%

article link NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
Have dds files was doing gmer got blue screen lots of writing all I caught was pxdoquoe (I think) then it said crash dump. computer shut off but I restarted it.
I have been getting various exploit viruses/trojans and MSE has removed all but this one twice: Exploit:JS/Blacole.BV it allowed it on 2/14/12 and 2/15/12
I am using:
an acer aspire1200 running windows vista 6.0 (Build 6002: Service Pack2)
Microsoft Security Essentials 1.121.435.0 last updated today
Malwarebytes last updated today
ran scans using both
In the same vein how do I find out where the exploit viruses/trojans come from? I know the computer user info.
Please advise
Thanks

Answer:have been hit by exploit so trying to follow steps in removal article

Hello and welcome to TSF.


Quote:




Have dds files was doing gmer got blue screen




Do you still need help? If you do, please post the DDS logs and we'll take it from there.

18 more replies
Relevance 73.39%

Hi....I'm new, and not very PC smart. It's taken me a week to go through all your steps for malware removal, but I'm still getting them!

My OS is Windows XP Professional service Pack 2 (build 2600) version 7.1h.
Hard Drive is 119.96GB with 107.56 free. RAM is 254MB.

The processor is 2.4 gigahertz Intel pentium 4, 8 kilobyte primary memory cache, 512 kilobyte secondary memory cache.

Don't know what all this means, but I think you need it....

Here's the problem.

Firstly, we suddenly got an automatic Windows style dial-up connection window. This had not been the normal way for us to get on line. The dialing program window shows C\WINDOWS\system32\fd2ba95f.exe

Then a series of pop-ups which include "SYSTEM INTEGRITY SCAN WIZARD", "MALICIOUS SOFTWARE REMOVAL WIZARD", "ULTIMATE WINDOWS DEFENDER", "TRIUMPH ON-LINE CASINO", "BT YAHOO ONSPEED", "REAL PLAYER UPDATE", "THERE IS NO VIRUS PROTECTION DETECTED ON YOUR PC", and lastly, "YOUR COMPUTER IS AT RISK. NORTON VIRUS IS SWITCHED OFF". It wasn't.

To the best of my ability, I ran all the steps as outlined in your pre-posting requirements. I don't get these pop-ups all the time, in fact, they are quite rare, but they are annoying, and I don't like the idea the PC is still infected.
The dial-up connection window is always there. We just ignore it.

I have saved, ready for sending, an Activescan log, a BD scan lo... Read more

Answer:I've completed the required steps for malware removal...now what?

Welcome to Majorgeeks!

Yes! As requested in the READ & RUN ME, attach your logs if still having problems.
 

5 more replies
Relevance 73.39%

I tried renaming like it says and I still get the win32 error. I want to stay in order. What do I do now? Also my other computer keeps booting up, and won't stop, regardless of safe mode. How can I stop this so I have something else to work on in the meantime.
 

Answer:Working through the removal steps. How can I get SuperAnti Spyware to run?

Or do I just skip this step?
 

2 more replies
Relevance 73.39%

Having trouble getting rid of Malware/Adware. Tried multiple approaches from this forum, Malwarebytes forum, and Reddit. Anything found and removed just returns upon reboot. Removing extensions and resetting chrome hasn't helped. I am usually pretty computer savvy and I try to keep my virus software up to date, but this is a really annoying one. I have run a few programs including Rkill, TDSS killer, Rogue Killer, AdWareCleaner, Malwarebytes free, Kaspersky, Junkware Removal Tool, CCleaner, etc. The only program that has had any success with even finding infections is Spyhunter 4.

Removed all programs and nonsense that I thought may be causing the issue but still, no luck.

I have attached the FarBar FRST.txt and Addition.txt and the logfile for the AdwCleaner I just ran.

At this point I am pretty frustrated and I haven't been visiting places I shouldn't (knowingly) and really only use this machine for email and internet browsing.

Infection started around July 10 or so, I think, but not sure. That is when I started seeing ActiveCoupon, ArcadeTwist, Cassioopesia, CoupMania, and so on.

Any advice?
 

Answer:Mal/adware returns after reboot and trying all removal steps

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit forum several times at day, making sure to respond to everyon... Read more

18 more replies
Relevance 73.39%

A friend of mine has w32.blaster.worm. I've tried to help him remove it with all the normal steps, downloaded the removal tool from Symantec from here: http://www.symantec.com/security_re...

I have attempted to navigate to the registry key that's supposed to be there but it's not listed, as discussed in this article: http://deletemalware.blogspot.com/2...

His Norton anti-virus is expired and he doesn't have an alternate virus software (he won't make that mistake again!). I tried to have him download Adaware and install it but it will not allow him to install in either normal or safe mode. He receives an error message that he does not have admin rights while booted normally and in safe mode it won't allow the install either.

While in safe mode he can run Hijack This & the removal tool/executable but when he attempts to run anything in normal boot he receives the error that he does not have admin rights to the machine.

I had him download Hijack This and got the log file from safe mode (normal boot gives the admin error). I was hoping someone could take a look and see if they can see what we need to do? Any help is greatly appreciated.

Safe mode log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:53:21 PM, on 2/8/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\AOL 9.5\waol.exe
C:\Program Files (x86)\Common ... Read more

Answer:W32.blaster.worm removal steps not working

Looking at his log I've seen something I didn't realize before. He was saying he has XP this entire time and now I see that the log shows Windows 7. GRRRRRR.

I found the following article that talks about the removal and this seems to fit right in line with what is happening for him. http://social.answers.microsoft.com...

Does anyone know if there's a better way or should we just follow these steps?

2 more replies
Relevance 73.39%

Infected by viruses, ran Spybot and Malwarebytes, MWB had been turned off, not normal. Still had problems, so Completed Read Me steps, Still have problems

Computer would not operate in std mode, so steps up to combofix were done in safe mode. Safe mode did not allow uninstall of Java, so this step was skipped.

Running Vista 64 so RootRepeal was not done.

Everything was fine for a few minutes. Browsed major geeks for a moment and start-up programs seemed fine.

When re-enabling user account control, double clicking the EnableUAC.reg brought up the windows does not recognize this file extension, browse to find the correct program. Tried twice, same result. So i did it manually through control panel and rebooted. Everything fine.

After re-start, step 6 of Vista instructions, right clicked Computer and things went bad. Computer locked. Tried a few times rebooting and problems got worse. Now in STD mode computer locks or screen goes black. Task manager will not come up to see what apps and processes are running. Sometimes desktop or startmenu will fade to grey and everything locks.

Also of note, in STD mode, I get a pop-up window titled Security Alert: You are about to view pages over a secure connection... no one will be able to see pages etc. I closed the window clicked google chrome to nav to Majorgeeks and all seemed well enough. Clicked restore pages, then naving MajorGeeks the browser locked with the message waiting on cache.

Now computer boots in STD mod... Read more

Answer:Malware removal steps complete, still have problems

Other MWB logs attached...
 

49 more replies
Relevance 73.39%

Hi,

My computer was infected with the "Spyware detected! system error #384" along with the desktop warning page about how my life is in danger. Luckily I found this site and the removal procedures outlined in one of the threads. I followed the 7 page outline and the only program I couldn't get to run was RAV Antivirus. It appears that it worked, EXCEPT, now there is just a big white window (where the bright red warning page used to be) on my desktop. I ran another check with Spyware doctor and no infections are indicated. Can someone take a look at this for me - I can attach the HJT log file when ready. Thanks
 

Answer:I went through the Basic S.T.V. Removal steps - can someone read my HJT log?

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
 

17 more replies
Relevance 73.39%

I have been infected with spyware for two months, mostly because I haven't been serious about fixing the problem, but now I am. Last time I posted a HJT log, and was then asked to do the removal instructions to arrive at a known state. However I am unable to complete the entire task. I have done primary cleaning, removed some items, ran ccleaner a few different times always with different results. I can run ewido, spybot, adaware, and they remove different items. I have done the Qoofix and removed that. I have no antivirus currently, and when I attempt to run McAfee Stinger I get this message: "Shut Down by: NT Authority/System, c:\\windows\system32\services.exe" I then attempted to locate that file, and viewed hidden as well, however there was no such file. Also I am unable to turn on a windows firewall, it has been disabled. My symptoms are popups, the NT Authority Shutdown, and when the computer first starts up and loads windows I receive two .dll errors. One reads: "error loading w2a8a52d.dll , not found"


Please help, I have HJT and am able to run it, nothing obvious seems wrong in it. Also, I can only run the antispy software while in safemode, NT Authority shuts me down normally.
 

Answer:Unable to complete steps in removal guide, HELP

Oh Boy, I just went into my WINDOWS folder under the C drive and see about 30-40 new files created today that are hidden, but their titles are blue, and not black like the rest. They are all titled : "$NtUninstal***$" and I just recovered the pc from a screen that said I had a serious error, and must restart and if the message happened again I had a serious problem, but the PC loaded fine thirty seconds later, but now there are 30-40 $NTuninstall$ files that don't sound good.
 

Relevance 73.39%

Stupidly, I managed to infect our church office computer by opening an attachment to an email from an unknown source - I should have known better! It won't happen again! I know you can get loads of results on Google for 'virus removal' but would welcome any easy steps (if there are any) from you guys (and gals!) at the coalface. The O/S is Win XP Professional and the AV is Avast. In Device Manager, there are lots of yellow exclamation marks! In particular, the USB mouse, USB keyboard and internet connection will not work. Thanks to Woodchip I've managed to get the mouse to work by connecting an old PS/2 mouse but is there any easy way to get the others to work? What do you need to do to get rid of those yellow exclamation marks?? Thanks in advance

Answer: Virus removal - any easy steps to follow?

There is this. click here it is free but not 100% sure it is what you are looking for. Maybe someone will add their comments about it. But better waiting to see if there are any other remedies first.

Relevance 73.39%
Answer: WhiteSmoke resistant to Jack's steps for removal

Hi and welcome to the MalwareTips.com forums!

I'm Jack and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necess...

Relevance 73.39%

Hello,

After encountering a few blue screen restarts I began to suspect my computer was infected with something. Ran Spybot S&D and found smitfraud-c generic and have been trying to remove it since without success. Any help would be greatly appreciated.

Thanks

E

Answer: Smitfraud-C Removal

What operating system are you using?

Relevance 73.39%

Hi,
I have a Smitfraud-c spyware/malware in my pc which I detected through Spybot. It says I need to reboot to remove it, but when I reboot, it is still detected. I get lots of popups when I start IE or Firefox.

Here is my Hijack This log. Can someone please help me?

Answer: Smitfraud-c removal help

Relevance 73.39%

Hi. I have a Dell Inspiron B120 (Windows XP) that has been infected with the SmitFraud virus for a few months. Because of this, I barely use it anymore.

I have run the SmitFraud fix already but I get stuck because once that end report is run, I don't know which files to remove, or how to remove them.

I've seen a lot of people get help here before, so this looked like the right place to post. I appreciate any help I can get.

Thanks in advance.

Answer: Smitfraud Removal Help

...that has been infected with the SmitFraud virus for a few months

What program is alerting you to this infection?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the messag...

Relevance 73.39%

I have Smitfraud.C and haven't been able to resolve it. Here's my HJT Log...I appreciate any help.


Answer: Smitfraud.C removal - here's my HJT Log

Hi Avdogg, Welcome to TSG!!

Run HJT again and put a check in the following:

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Me...ridge-c282.cab

Close all applications and browser windows before you click "fix checked".
Go to www.java.com & download the latest version of java 1.5.0.6
install it & then go to add/remove programs and UNINSTALL ALL previous versions of sun java
Get all critical security updates at the Windows Update site.
 

Relevance 73.39%

I need serious help.

I got a virus from a USB disk and now my computer is infected. The virus is identified by SpyBot as Smitfraud-C and from the threads I've read on here it seems to be correct. I cannot run my computer in Normal Mode as it shuts down after a minute. Therefore, I am posting from my wife's laptop.

NOD32 doesn't recognize it, nor does Ad-Aware. SpyBot recognizes it but cannot remove it. I can only run my computer in Safe Mode as it crashes. I do have CCleaner, HiJackThis, and ComboFix already installed and ready for instructions.

I need serious help to get my deal running again.

PLEASE HELP!!!
 

Answer: Smitfraud-C Removal (HELP!!!)

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide
Note:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

2. If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
 

Relevance 73.39%

Hi all.

So I got hit with Smitfraud and I got the remover(v1.71). I followed the instructions 3 times. And now I get a new page every other time, instead of every time. Does anyone know of a sure fire way to get this thing offa my system? Thank you!
 

Answer: Smitfraud removal help!!!

c:format?


There are just some bugs that I have gotten where it was more time effective to format than to fight with it for a few weeks.
 

Relevance 73.39%
Question: Smitfraud removal

An AntiVir scan came up with Smitfraud this morning. I did not have AntiVir try to remove because it came up with other items that I know are not viruses, and was unsure how to delete just the one.
I have run the basic cleaning shown here, and am attaching the logs.
 

Answer: Smitfraud removal

Welcome to MajorGeeks!

I'm waiting for your logs to be attached so I can begin reviewing them.

HOW TO: Attach Items To Your Post

dr.m
 

Relevance 73.39%

I'm running Win XP SP2, Norton Internet Security 2008 and Spybot S&D current updates as of 01-16-08. Spybot is detecting Smitfraud-C, Smitfraud-C.MSVPS and Zlob.Downloader.vcd. Every time I run Spybot it detects all 3 and fixes problem but virus re-appears. Norton AV doesn't detect any of them as well. Here is my Hijack this Log. Any help would be really appreciated.

Relevance 73.39%

Hi, I have had problems with my computer running really slow for a while now. Sites would also redirect to other ones. I would click a link, and it would take me to google or some other search engine with porn words filled in the search area. I downloaded Spybot Search and Destroy and it took care of the majority of the issues. It could not remove a registry entry from Smitfraud though. Here is the log from Spybot.

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Smitfraud-C.CoreService: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\core

Zlob.DNSChanger: TCP/IP Settings #1 (Undefined) (Registry change, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer=208.67.220.220,208.67.222.222

That Smitfraud entry can not be removed for some reason. I did a HijackThis scan and here is the log.


Answer: SmitFraud Removal Help

Relevance 73.39%

Hello,

The other day I noticed a yellow bar at the top of my browser window saying "Protected mode is currently turned off for the Internet zone. Click here to open security settings". After trying to "fix" this I got a blue screen - searched it and doesn't sound pleasant! I started my computer in Safe Mode and ran spybot which came up with the following malware - smitfraud-C.gp. I also searched some forums that say spybot does not fix this even though it says fixed. So I have not gone any further. I also don't get an Internet connection in safe mode to download anything - is that normal? I am working from an iPad now. The computer with the problems is running Vista.

Thanks for your help
 

Relevance 73.39%

The other day I was just surfing WoW mod sites and AVG picked up an svchost.exe after running spybot the Smitfraud-C was found and referred it back to the svchost.exe. I think I need a little help getting this bug worked out.
 

Answer: Smitfraud C removal

Here is the log for smitfraudfix after cleaning. I am just wondering how this is going to fix the problem because after cleaning when I come back to normal start-up AVG finds the svchost.exe again.
 

Relevance 73.39%
Question: Smitfraud Removal

Hi everyone. I've been trying to help a friend remove what we think is the smitfraud-c spyware. We've got rid of the 'blue screen' that kept popping up, but we are still getting a windows explorer error giving us the option to send or not the error to MS. This is stopping us from getting into the control panel & explorer. Here is the Hijackthis log. Any ideas would be really appreciated.

Answer: Smitfraud Removal

Hi jimmyjazz.

First, let's see if we can fix the explorer error. After that we may need to run the full fix for smitfraud. It's hard to tell what part remains. You also have some possibly unrelated malware listed in the log.

The file, wininet.dll, may be infected causing the explorer error. It's located at C:\Windows\System32\wininet.dll. There may be a clean copy at C:\WINDOWS\system32\dllcache or at C:\WINDOWS\ServicePackFiles\i386. It is a windows system file, do not delete it unless you find another copy.

Press Ctrl+Alt+Delete to access Task Manager, then click file>new task (run...)
Click the browse button in the box that opens.
Edit: you may need to change the "files of type" setting in the browse box from programs to "all files" to see the dll files.
Navigate to C:\WINDOWS\system32\dllcache and right click/copy wininet.dll
Go back to the System32 folder and locate wininet.dll, rename it to wininet.old
Now, right click/paste in the wininet.dll you copied from dllcache
Reboot and see if that helped.

If successful, locate and delete these two files:
C:\Windows\System32\wininet.old
C:\Windows\System32\oleadm32.dll

Post an update on any progress and a fresh hijackthis log.

Relevance 73.39%

Hi

A few months ago my PC became infected with the Smitfraud virus, and it did the whole desktop thing and all the stuff it was meant to do. I managed (I thought) to remove it, and my PC has been working fine since. However, I ran a full Search and Destroy yesterday and it says that there are still 17 Smitfraud items on here, and it can't remove them, even when it runs on start-up. I'm a bit concerned, therefore, that I might still be infected. Ad-aware and AVG don't show anything....

Any help please?

These are the offending articles:

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2052111302-764733703-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\adulthell.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2052111302-764733703-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bin.wordsx.cc\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2052111302-764733703-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\crl.thawte.com\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2052111302-764733703-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\datingforlove.org\*!=W=4

Smitfraud-C.: User settings (Registry change, nothing done)
HKEY_US...

Answer: Smitfraud removal help

Please do not post any logs inline and do not post any HJT logs without having run the READ & RUN ME sticky thread steps first.

Please download DelDomains and unzip it to your desktop. Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

(Please note you will need to "Immunize" with Spybot again because deldomains will remove all of the sites Spybot adds.)

Then check your Spybot scan now.
 

Relevance 73.39%

Hello!
I used your Smitfraud removal tool, and it seems to have worked at least as far as enabling me to sign into MajorGeeks, which I was unable to do before. I couldn't start a thread, so I saved my rapport logs to My Documents, and am attaching them to this post.

Altho' I am able to now log into things like here and my email, when I ran A2, it still found a Hoax file, which it seems to have deleted. I understand this is still part of the Smitfraud thing. Do I need to do anything else to get rid of this @#$%^ thing?
Thanks for your help.
 

Answer: removal of smitfraud

That is only the first log from SmitFraudFix. You need to attach the log from step 2 which actually attempts to remove problems. Did you run the second part?


Also if you are still having problems, please follow the instructions in the below link and attach the requested logs when you finish these instructions. If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide
Note: If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode
 

Relevance 73.39%

Hello, I recently became infected with Smitfraud. I've tried a few things and have been able to remove some aspects, but it's still there. Can you help?

Answer: Smitfraud-c Removal

Welcome to BleepingComputer joey56935

Go!Zilla:
Gozilla is likely spyware and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of gozilla.exe may cause serious harm to your system and will likely cause a number of problems, such as slow performance, loss of data or leaking private information.
Click on Start/Control Panel/Add or Remove Programs and remove/uninstall Go!Zilla, then restart your pc.

**********************************

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
Viewpoint
Viewpoint Manager
Viewpoint Media Player
Then restart your pc.

**********************************

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\system32\rpcc.dll
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically,r...

Relevance 73.39%

My computer is infected with smitfraud.c System is running Windows 98

Symptom is text on first screen that says Security warning
A fatal error in IE has occurred etc Error was caused by Trojan-spy.HTML.Smitfraud.c etc ....

I have followed instructions and have run the following:

Trend Micro's Free Online Scan - found nothing
Symantec Security Check - all safe

Gone to safe mode
ran Avert Stinger - clean
ran CCleaner - cleaned

Ad-Aware SE found 4 critical objects - quarantined and removed

Spybot - Fixed 9 problems 1 - Alexa Related 4 CoolWWWSearch bootconf
1 -Element 3 - Security IGuard

About.Buster stalled at 6% scanned (several times)

I have run HIJACKthis

attached is log file

Thanks norm44
 

Answer: smitfraud.c needs removal

Might need the man, Chaslang, but I can see some obvious problems and will get you started. I also like checking add remove programs for anything you didn't install. I am having you remove items that are not needed as well. Remove these from safe mode:

C:\BSW.EXE (delete this file as well)

NOTE: Trojan.Win32.Agent.ct. When run this file (BSW.EXE) extracts a bmp file to the c:\ folder and sets it as your desktop background.

C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\REAL\REALJUKEBOX\TSYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\MSMSGS.EXE
C:\AMERICA ONLINE 5.0\AOLTRAY.EXE
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\SYSTEM\msmsgs.exe
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\realplay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RealJukeboxSystray] "C:\PROGRAM FILES\REAL\REALJUKEBOX\tsystray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - Startup: RealDownload.lnk = C:\Program Files\REAL\RealDownload\REALDOWNLOAD.EXE
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149/5/s1//q.chm::/file.exe

I can not be sure if this will completely remove it, so do some scans while in safe mode again to see what happens.
 

Relevance 73.39%
Question: Smitfraud Removal

Recently I was infected with the Smitfraud virus/spyware/trojan or whatever it is as detected by Spybot Search and Destroy.

Unfortunately, Spybot would not remove the Smitfraud - C Core Service menace.

I read a very long potential solution to this problem on one of these boards that I was not eager to tackle.

I re-booted my computer in Safe mode ( windows XP) and then ran Spybot S&D again. In safe mode Spybot successfully removed the beast and I am back to normal.

I hope this helps somebody.

Answer: Smitfraud Removal

Smitfraud-C.Core Service is a rootkit found with certain SmitFraud infections and identified by Spybot S&D as Smitfraud-C.CoreService. There is a specialized fix tool for this infection that is used under the guidance of malware removal experts.

Relevance 73.39%
Question: smitfraud removal

Hi, I'm new to this forum but have found some info earlier on how to remove smitfraud c, have followed this guide http://forums.majorgeeks.com/showthread.php?t=74265 as far as posting my log file so here it is.
Thankful for any help
 

Answer: smitfraud removal

Welcome to Major Geeks!


Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.

TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide


Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run steps in safe boot mode, but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
To avoid additional delay in gettin...

Relevance 73.39%

Ok, so my computer got a smitfraud virus, and I had two icons in the tray giving me fake balloon tips all the time. I managed to remove the two running processes that prevented me from deleting the folder with the virus, and I deleted two registry keys that were related. So only one icon disappeared, and one still remains. This is where I need help. If I click the icon I get redirected to AntiSpywareCheck, but I haven't downloaded it, so my computer hasn't got fully infected yet, but still the icon remains. This is VERY annoying, to get this balloon tip all the time. My anti virus searches can't find it. I have tried ad-aware, spybot, Avast and ActiveScan 2.0 online search.

Here's my HiJackThis log:



Answer: Help with smitfraud removal

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.
To attach a file to a new post, simply
Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt

Click Upload.

What DSS will do: create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select optio...

Relevance 73.39%

I've seen some threads on here on how to remove SmitFraud but they all deal with Windows XP and not Vista. I've tried downloading the Smitfraudfix but am unable to run it because it requires 2000/XP. It is really getting annoying trying to remove it because Spybot can't even when it scans on startup. So I really need some help or a program to remove this damn thing.

I am running Windows Vista Business.

Logfile of HijackThis v1.99.1
Scan saved at 10:16:23 PM, on 6/20/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\GameSpy\Comrade\Comrade.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\GameSpot\GDM_TrayApp.exe
C:\Windows\S...

Relevance 73.39%

Have been through method one without successful removal. Trying to do method two but am stuck at step 11. After I paste to Notepad from step 10, I go to the File menu and select paste from clipboard. Nothing happens here. Cannot figure out what I am doing wrong. Please help me.

Answer:Need Help With Smitfraud Removal

Which self-help tutorial are you referring to?
Cheers,
John

Relevance 73.39%

Has anybody else had trouble removing Smitfraud-C? If so, did you find a solution?
Old Red
 

Answer:Smitfraud-C. removal

http://forums.majorgeeks.com/showthread.php?t=109841&highlight=Smitfraud

5th post from BJgarrick explains how to remove.
 

Relevance 72.57%

I followed all the steps given here

till the end and got a lot of malware cleaned up except these

Code:

1. [URL]http://adsmanager.net/a/[/URL]
2. [URL='http://go.padsdel.com/afu.php?id=530403']Redirect[/URL]
3. [URL='http://tvplusnewtab.com/lp8?type=media&pub_id=3281&srcid=9225325b-0778-4b3a-80bd-ad6f5b882333&sub_id=w7SM8HG6GNUP6E6113B9FPNK']Browser not supported[/URL]
4. [URL]http://muzikfury.thewhizmarketing.com/?chid=113&oid=619&crid=5204&subid=235839213165&pubid=530403[/URL]
which keep coming up (and other similar redirects) in all my browsers: Chrome, IE, Firefox.

The same virus could not let me open up

Farbar Recovery Scan Tool Download

that's why I could not provide FRST.txt file.

I am attaching the logs from RKill and Adwcleaner.
 

Relevance 72.57%

Followed all steps to the word... A lot of things have been fixed. However, there are still problems like pop-ups, and my computer is very slow to connect to the internet.
 

Answer:Computer very slow after Malware removal steps completed

Computer very slow after Malware removal steps completed...bdscan

this is my bdscan results
 

Relevance 72.57%

Initial problems were:

Popuppers Advertisement Window65
mssvchost.exe file cannot be found
cannot find: syscfg32.exe, servicelog.exe
error load NVQTWK

last boot still had mssvchost.exe problem.

I have run all the steps and encountered the following problems along the way.

Step 5: Counterspy in Safe mode did not allow me to save a log. I went in later & saved the history of the scan as a .txt and will attach this file.

Step 6A: I could not install the Latest Sun Java version: Got the message that policies were in place by administrator -- I'm the administrator & did not put any policies in place -- so no BitDefender or Panda files possible.

Thanks in advance for help
Linda
 

Answer:Have finished all steps in malware removal-- please analyze logs

Here's the Newfiles file.

Again,
Thanks,
linda
 

Relevance 72.57%

Hi, I've been trying to complete the steps for malware removal. I cannot do a THING with my laptop, can't connect to the internet or run any programs. I was trying to do the steps listed on the HOPE forum and was only able to get through the first few steps (RKill and Super Antispyware) AND run the scan, but from there I've been unable to do anything further. What do I do now???

Thanks!
Lisa

Answer:Malware removal - can't perform any suggested steps with .exe file

Oh, I'm running Vista 64 bit.

Relevance 72.57%

I have a laptop infected with the beesq.net redirect.  Can I use the same steps as posted here to remove it?
http://www.bleepingcomputer.com/forums/t/512528/beesqnet-hijacked-my-browsers-dont-know-how-to-remove-it/
 
Here is my dds log and I've also attached the attach.txt document
 
Thanks for your help
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16720  BrowserJavaVersion: 10.45.2
Run by support at 11:08:03 on 2013-11-07
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2812.1623 [GMT -5:00]
.
AV: Symantec Endpoint Protection.cloud *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection.cloud *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection.cloud *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_ccf0dd3cb081af84\STacSV64.exe
C:\Program Files (x86)\Common Files\logishrd\L...

Answer:beesq.net infection - can I use the same removal steps as previously posted

Hello cti1

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", th...
