Computer Support Forum

[SOLVED] Computer won't start up after removal of WIN32.NETSKY removal

Question: [SOLVED] Computer won't start up after removal of WIN32.NETSKY removal

I recently started my daughter's laptop to find a Windows Security window pop up prior to desktop starting up. It mentioned there is a Worm, WIN32.NETSKY, that has infected my system, and that I should perform a full scan to remove the worm. I have McAfee on my computers so I contacted them for help. They concurred with the Windows suggestion. I did a complete scan of the system. 14 infections were found. McAfee quarantined them all and I deleted them. I rebooted. After the Windows XP boot screen I got a standard blank screen with the shut down immediately going into process. It would restart and go through the same process again. Shutting down and restarting. I have found out through this site what the WIN32.NETSKY worm/virus is, and I can imagine how it got into the computer. So how do I fix this? I might also add the computer will NOT let me enter safe mode. So at this point I can do nothing but go through an eternal reboot! Also I can't figure out whether I removed the worm or not!



Thanks in advance, Tom


Answer: [SOLVED] Computer won't start up after removal of WIN32.NETSKY removal

This is what can happen with viruses. They shred your Windows OS files.

What happens when you keep pressing F8 at start up? Can you get to the advanced options menu to do a "repair install"?

Otherwise I think you will probably have to recover your personal data off the drive, completely reinstall Windows, but cleanse that personal data with anti-virus cleaners before you migrate it back to the new installation so the machine doesn't get infected all over again.

4 more replies

OK, this virus just came out of nowhere when I started up my computer this morning and I can't get rid of it. I've tried Spybot, and others like them, and I'm stumped. Help me please! :cry


Logfile of Trend Micro HijackThis v2.0.2

EDIT: Inline log removed & attached
 

Answer:Worm.Win32.NetSky removal help!!

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:



If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try u...

1 more replies

Hi all....Please help... I don't know how the virus took total control... I was using my laptop as a wireless connection to my xbox and my screen went out, and after replacing the part and getting it back from the repair shop I find my laptop, which was just a bit buggy before, is now fully infected. I use Comodo free but the virus seems to have gotten a hold of it like a minion so it isn't functioning properly and it didn't delete it when I ran its scanner. It is the win32.netsky worm, says my system... and I can't use regedit or task manager. I get pop ups etc.... Here is my HJT log. I hope I don't get dinged for posting it in the wrong area; I don't really have forum experience so excuse my retardation!!

HJT log follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:32:12, on 30.01.2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Answer:worm.win32.netsky removal

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. Please visit HERE if you don't know how. Please re-enable them after performing all steps given.

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install Recovery Console, please do so. It will be in your best interest.

Note: DON'T do anything with your computer while ComboFix is running. Let ComboFix finish its job.

30 more replies

Hey, I've been having some malware problems concerning Worm.win32.netsky. Can someone please help me with the removal of it?

I've attached my HijackThis log.
 

Answer:Worm.win32.netsky removal.

Welcome to Major Geeks!

Please uninstall HJT as it will be properly installed when you do the following:

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies

My computer is suddenly getting all these security warning pop-ups every minute or so telling me my computer is infected with Worm.Win32.NetSky, and trying to direct me to (http://www.safenavweb.com/index.php?sid=3&pn=53&said=2&aid=5245&pid=0). I'd really appreciate some help on manual removal of whatever this is.

My HijackThis log is attached.
 

More replies

It started with fake notifications of spyware detection, I used MalwareBytes to try to remove it and I downloaded avast! antivirus. Then my Google pages were redirecting me to the wrong sites, which I thought was the Google Re-directing virus (I had this before), so I ran Quick Scans in both MBAM and avast, then I ran full scans, for about 3 days. Each time, they found infected items and I removed them through the program, and they kept coming back. Now when I turn on my computer, it says that my computer has detected worm.win32.netsky, and also something about "wioprs.dll" not loading or something like that. I have tried to use SmitFraudFix, but that didn't get rid of the virus, I tried to look for the files that I am supposed to manually remove to get rid of worm.win32.netsky, but I couldn't find any, and I have finally given up trying to do it myself or through programs. As I tried to turn on my computer today it began this monotonous beep, and I had to close my computer and take out the battery for it to stop, then it started again but stopped when I turned it on. Please tell me what to do and what to download and what to post on HijackThis, if you can help me! As soon as possible!! Thank you!
 

Answer:Worm.win32.netsky removal please help!

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a differe...

1 more replies

My mother's computer that she uses for email and internet has recently been stricken with some malware. It has BSOD'ed on a few occasions and I get a warning that I have malware Worm.Win32.Netsky upon booting it, my desktop is changed to a large warning, and some websites on Firefox are restricted, not to mention my task manager has been mysteriously blocked by the system administrator.

I have run Malwarebytes AM as well as Avast but they haven't fixed anything.

Unfortunately, this thing is a POS, it is running Windows XP SP1 and isn't the most...up to date.

Help would be greatly appreciated. Thank you to whoever takes the time.

Here are the logs:

DDS (Ver_09-12-01.01) - NTFSx86
Run by maria at 20:26:15.45 on Wed 01/27/2010
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.1022.217 [GMT -5:00]

Answer:Worm.Win32.Netsky removal?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:38:44 PM, on 1/27/2010
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

3 more replies

I went through the process of running HijackThis as well as SDFix. How am I supposed to figure out what needs to be fixed with HijackThis? Here are the log files from the two processes.
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 7:18:22 PM, on 11/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)


Answer:worm.win32.netsky removal

Download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
...
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
 

1 more replies

please help!!

I have inherited the worm.win32.netsky virus. I have been currently stuck on downloading the smitfraud.exe. What should I do? Every time I click on it nothing happens. Any words of wisdom?
 

Answer:worm.win32.netsky virus removal help

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies

Hello, I have a similar problem to many posts that I have been reading. The virus I got started by producing the popups that were saying that I had the worm.win32.netsky virus and that I should download the spyware software to remove. I also dealt with the other issues like my background being changed and also the Internet Explorer popups. I've thoroughly researched this issue and have decided to use this forum to try and cleanse my computer. I've attempted the steps in the preparation forum such as running the different scans, which have seemed to temporarily slow down the virus as the popups are no longer occurring. My computer is still running very slow and I have not received any concrete evidence that the virus was actually deleted. I'm hoping that by posting my HijackThis log you will be able to inform me of the proper method of fixing this issue. Thank you for your help.

SD

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:11 PM, on 25/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Answer:Worm.win32.netsky Malware Removal

Hello rockinstevied,

NOTE: If you have downloaded SmitfraudFix previously please delete that version and download it again!

Please download SmitfraudFix

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infect...

6 more replies

Hey there, I have a similar problem to a few of the posts on here. The virus I got started creating popups that said that I had the worm.win32.netsky virus and that I should download the spyware to remove it. I've run through some of the procedures that have been mentioned in some of the discussions I read through. The popups seem to have disappeared, however my computer seems to be running a little slow still and I still have a toolbar in my Internet Explorer with the following icons listed: "Remove Popups", "Scan Spyware", "Security Test" and "Spam Protection". This toolbar never used to be there. I'm hoping you will be able to help me out to get my computer back. I'd greatly appreciate any tips or fixes you can give.

Thanks in advance,
CJN

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:41 PM, on 07/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Answer:Worm.win32.netsky Removal Without Having To Reformat

Welcome to the BleepingComputer HijackThis Logs and Analysis forum c_j_nunn
My name is Richie and I'll be helping you to fix your problems.

Your version of Sun Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6 update 3'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6u3-windows-i586-p.exe to install the newest version.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:
* Restar...

5 more replies

My computer was infected with the worm.win32.netsky. I ran Smitfraudfix, Spybot Search & Destroy, CureIt. Malwarebytes and Windows Defender (in safe mode)...they all popped up the virus and I proceeded with the "fixes" for each program. Windows Defender and my Avira antivirus also popped up the files during the cleaning and they were deleted from there as well. I've restarted in safe mode again, reran all the programs and nothing is coming up at this point and the "your computer is infected" sign disappeared from my desktop.
My problem is now connecting to the internet, my connection is working but it won't let me connect to certain things. When I try to run IE I get "cannot connect to the webpage". When I do a diagnosis for my Windows XP it says "cannot connect using http, https or ftp". It will also not let me connect to Windows Update, Avira update, Malwarebytes update but would allow me to update Spybot, Cureit and Defender. It's also connecting to the weathereye that runs continuously on my computer and I'm able to use my Outlook email.
Following is my Hijack This scan...this was luckily already on my pc as I'm unable to get onto the internet to download anything onto it. I haven't posted this in any other forum, this pc does belong to me and my kids had a p2p program installed that has been deleted. Thank you for any assistance you can offer!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:...

More replies

I'm not sure if I'm having two separate problems, or the login problem was created from the virus.

I have posted in another forum and with no luck (as in no one even answered), I'm desperately seeking help elsewhere.

I logged into my username with my password, and all I get is my desktop background. And then.. nothing. No start menu, no icons, no green screen that was there before from the virus.

I don't know if I should have, but I did anyways, let it sit all night, hoping something would come up, and it did nothing.

So that's my first issue.. and I can't seemingly solve my virus issue unless I can get logged in.

My computer will not boot up in any of the regular Safe Modes, only in "Normal" and "Last Configuration", and this was going on before the login issue.

I desperately need help logging into my system.

Things that may or may not be important..
I have an HP Pavilion Desktop, with Windows XP, 5.5 years old.
I cannot find my recovery discs.
I use wireless connection.

My second problem is the worm.win32.netsky virus, and I know I'm getting ahead of myself, but I'm going to go ahead and post the problems with the difficulties I was having removing it before I had the login issue.

I could not seem to download anything. I only had the options of "save file" or "cancel" when downloading any of the tools mentioned in the guides. Once I saved the file, I had no idea where it went. I have searched for i...

More replies
Question: NetSky removal

I am working on removing the netsky worm and I can't "finalize" the removal. I have run through the "Read & Run me First" section for the removal guide. I have attached my MGlog. I am not very computer savvy so I have no clue what I am doing from here. Please help....
 

Answer:NetSky removal

I forgot to attach the combofix log so here it is. I am running the AVG again I forgot to save the report.
 

10 more replies

I have followed the guide and nothing was found on the computer.

It is a MS Small Business 2003 server

The only logs produced were by the MGTools step.
 

Answer:Need Help with [email protected]!enc Removal

Welcome to Major Geeks!

You need to attach the logs from SUPERAntiSpyware, Malwarebytes, and ComboFix that we requested.

Exactly where is Symantec detecting [email protected]!enc?
 

5 more replies
Question: Netsky removal

Hi
Can anyone tell me if there is a way to remove netsky if task manager is disabled?
I have gone to safe mode and still can't get to task manager or regedit at the command prompt.
Thanks
Sylvia
 

Answer:Netsky removal

If you are referring to the Netsky worm, please click on the Report button and kindly ask to be moved to the Malware Removal & HijackThis Logs forum. From there, be patient. You should get an answer within the next 48 hours. These guys are really busy!
 

3 more replies

I was browsing the internet 2 nights ago when I suddenly came upon what I now know to be a virus claiming to be a Windows related security programme. This was stopped by AVG but not before I lost most of my desktop icons and most of the items from my start up menu including the pre loaded Microsoft games which come with Windows XP Home Edition, and also most of the other files now read "empty".
I've recovered several items by using methods recommended on the internet, but still many of my items aren't accessible and still say "empty".
I understand that these viruses cause files to be hidden, and I'd appreciate anyone's assistance in getting things back. These include the software for my printer, mp3 player, M/S Word, and even AVG. Even though I know that some of these programmes still exist on my computer, I'd like to get these back on my start menu, but don't want to make things worse by tinkering.
AVG found and removed win32fakesysdef, and I downloaded SUPERantispyware which found the trojan gen-nullo(short).
Any assistance would be appreciated!

Answer:Start up files empty after removal of win32/fakesysdef and trojan gen-nullo/short

Let's see if we can recover your missing features.

Download and run UnHide

6 more replies

Started yesterday with an unexpected shut down while on myspace. There was first a warning of netsky worm when logging into my Windows accounts, popups, change of desktop wallpaper to infection warning, then an inability to start programs ("program" has been infected and cannot be ran, etc.), trying to get me to go to a bogus antivirus program. I had to repeatedly reboot, run avast in boot scan and delete files to get online to try to find a solution. At some point I tried to boot in safe mode and it would no longer let me. Later I was stuck on the boot menu unable to load Windows until I reset factory defaults in setup. Since then when booting it shows "floppy diskette seek failure f1 to continue and f2 to run set up utility". I have followed your XP cleanup and it has helped my computer's speed as well as removed the netsky warning. The boot "seek failure" screen remains and I recognized the files listed on the mglog log were popping up as suspicious earlier on avast today. Any help on what I could do next would be very much appreciated. Logs are attached. Thank you
 

Answer:please, I help with netsky/worm removal

2nd part of first post, 5th log attachment

:cry I do not know how to find my thread to add a new post with the other log from my cleaning, sorry to start a new one if it was unnecessary
 

8 more replies

My IE 6 was running extremely slow so I ran a scan with my Norton and found nothing. I then ran housecall from Trend Micro and found 22 instances of the HTML netsky.P virus. I deleted the files and ran HijackThis and here is my log file.
Logfile of HijackThis v1.99.0
Scan saved at 10:24:28 PM, on 2/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Answer:HTML Netsky.P Removal

The Scanlog is clean.
 

1 more replies

Hello forum! Here is the challenge I think I may have already mostly solved, thanks to another post here at techguy! I am running Windows XP with service pack 2, on an older Dell laptop.

I was infected with trojan-spy.win32.mx. It was awful, and the McAfee spyware software wasn't detecting it at all after scanning the machine for 3 days.

I already had hijackthis installed so I ran it and got the following results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:42 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal


Answer:Solved: trojan-spy.win32.mx removal

13 more replies

Symptoms: Nothing serious as far as I can tell. Upon starting up..
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
This starts up. I can close it no problem, but would like to put a stop to it. Other entries in the hijackthis log file also look fishy, but I'm no expert so I'll let you guys decide..

I attached the Avast log file to the post. It seems to point that I have a Win32:Dialer-567. Other things noted in the log file were I believe successfully moved to the chest, so hopefully no problems there.

Also I do have system restore on, and I'm pretty sure it goes back farther than when the problem occurred, not 100% sure though. Have read somewhere in here to reset it somehow, but wondered if using it was a viable option if I got a big one.

Logfile of HijackThis v1.99.1
Scan saved at 12:09:47 PM, on 10/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Answer:Solved: Win32:Dialer-567 [Trj] Removal?

9 more replies
Relevance 76.67%

Can anyone help please. Netsky Q arrived in a zip file, which I did not open but it has got onto the drive. AVG found it and I deleted the file, ran AVG again and it was still there. Deleted temp int files and cookies and ran AVG again, still there. Downloaded and ran Symantec removal tool, AVG still found it again. Downloaded and ran Bitdefender removal tool, yep.. still there !!! This little blighter must be very well hidden for the removal tools not to find it, or is this because I have deleted files etc. AVG doesn't seem to be able to remove it to the vault either. Any help would be appreciated, Thank You

Answer:Netsky Q removal tools not working..

C:\WINDOWS\Temporary Internet Files\CONTENT.IE5\R4QAK8DA\GAME.ZIP:\data.rtf.scr
The above is AVG details of file.

5 more replies
Relevance 76.67%

Dear all,

further to my previous post below I have carried out the following activities,

1. downloaded vundofix and run it and removed items
2. downloaded combofix and carried out the same as above.
3. run superantispy

I have attached all logs. Can someone please review and comment on any further actions

HIJACKTHIS LOG after running items above

Logfile of HijackThis v1.99.1
Scan saved at 6:23:40 PM, on 22/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Answer:Solved: Win32 Adware Virtumonde removal

9 more replies
Relevance 76.67%

This is my first posting but I've read the other posts regarding this virus. My computer has a virus which accesses a site which downloads files containing the Win32/TrojanDownloader.Murlo.NN virus. It accesses the web address http://root.51113.com to download the files. It also infrequently accesses http://log2.yahoo.cn through my browser though I'm not sure what it does when it does try to access it.

I've blocked both of the addresses with my firewall but it still tries to access them. It would download *.gif files and also setup.dll as well as some other types of trojans. I pretty well have it contained I think but I don't know what information it may be sending/trying to send out. That is what has me worried. It will access the first site at any time I am accessing the internet. I think it only accesses the latter when I run IE Explorer.

Here is my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02, on 08/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Answer:Solved: Please help with Win32/TrojanDownloader.Murlo.NN Removal

I've found the culprit I believe. I scanned my computer with TrendMicro HouseCall and it found a PE_PATCHED.DV infection in the file C:\windows\system32\actxprxy.dll. Now, my NOD32 did not see any infection so I went to http://virusscan.jotti.org/ to check just this file. Ikarus Antivirus detected it as a Trojan-Downloader.Win32.Small.ap. I scanned the Windows file of the same version in the Windows Servicepackfiles folder and found that there was no infection found there. I replaced the version in Windows/system32 and have not had any trouble since. It seems that this was making a call to contact the website and download the murlo.nn virus amongst other nasty things. Anyway, if the virus pops up again, I'll be sure to post.
 

1 more replies
Relevance 75.85%

Please help, zlob trojan has taken over my life as well as my computer. I have run Norton, spy sweeper, registry mechanic. It seems to go away and then it's back. I think it's way over my head. Please advise.

Michelle
 

Answer:Solved: Win32/zlob trojan removal problem

7 more replies
Relevance 75.03%

Discovered Trojan WIN32/Powessere.Alreg. Did the kill program and ran hit man. I thought computer was fixed. Still runs slow. Oh I also ran malware bytes. Programs take forever to load. Have a Gateway corei7 running windows 7 home premium so 1. Is there still malware/virus/Trojan residual? Help

Answer:Trojan WIN32/Powessere.Alreg. Removal computer still runs slow

You are most likely infected with Poweliks which typically affects the ability to browse or download files using Internet Explorer and causes PowerShell error alerts. Task Manager shows numerous occurrences of (COM Surrogate) dllhost.exe or dllhost.exe *32 (if using a 64-bit version of Windows) that spawn and consume resources as described here.

If you are having trouble downloading files with Internet Explorer, follow these instructions to re-enable downloads/reset all Security zones to default.

Please download ESETPoweliksCleaner and save it to your Desktop.
Double-click on ESETPoweliksCleaner.exe to start the tool.
Read the terms of the End-user license agreement and click Agree if you agree to them.
The tool will run automatically. If the cleaner finds a Poweliks infection, press the Y key on your keyboard to remove it...
If Poweliks was detected "Win32/Poweliks was successfully removed from your system" will be displayed.
Press any key to exit the tool and reboot your computer...
The tool will produce a log in the same directory the tool was run from.
Copy and paste the contents of that log in your next reply.

Note: If the log is too long...you may need to split it and use multiple replies in order to post all the information.

35 more replies
Relevance 74.21%

Hi. This morning my notebook will not start. Is there a bug in the bios? This is the third time that this happens to me. After the removal of the battery and the power plug for 30 seconds and replace, restart the computer normally. Time for a bios update? Lex from the Netherlands

Answer:Notebook does not start. After the removal of the battery and the powerplug start the computer?

Hi Lex63,
 
Welcome to the Forums  
 
As per the query we understood that you are facing issues with system not powering in your Lenovo laptop.
 
Does the system work only on the power adapter, i.e. without the battery? Also try uninstalling the energy management and check for the issue.
 
Hope this helps. Do post back if the issue persists.
 
Best regards,         
                                                                            
Ashwin. S






2 more replies
Relevance 74.21%

Hi Guys,
Recently I have gone through a serious virus which is not catchable by the updated anti-virus Symantec, 14 October 2009.
When I put in my pendrive, the system shows autorun.inf deleted. But the underlying virus,
autorunme.exe, exists in location Drive:/RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe.

Even if I delete this virus, it gets automatically generated by itself or recreates itself.
autorunme.exe is not the actual virus, but it is just a duplicate.

The actual underlying virus which triggers autorunme.exe is SERVCE.EXE
Note SERVCE.EXE is not service.exe or services.exe. It is newly named SERVCE.EXE

Manual removal autorunme.exe process:
After connecting your pendrives, when it shows the file RECYCLER in hidden state, open your Task Manager and end the process SERVCE.EXE

Now delete the entries Drive:/RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\autorunme.exe , Drive:/RECYCLER\S-1-6-21-2434476501-1644491937-600003330-1213\desktop.ini and Drive:/autorun.inf.
They will not recreate now.

Then open C:/WINDOWS and find SERVCE.EXE and to be on safe side just make a local copy of file to some other place and delete SERVCE.EXE

Now even if you restart your computer, since SERVCE.EXE is not running at start up of system, the system is safe and manual removal of virus is complete.

SERVCE.EXE is the actual culprit.
 

More replies
Relevance 73.8%

MS Removal Tool is a rogue software. It restricts you from accessing your desktop. You cannot start Task Manager, and you cannot open Internet Explorer or any other programs. This situation is the result of malware (a variant of Win32/Winwebsec) that is infecting your computer.
To remove the MS Removal Tool, follow the steps below:
Boot your computer into Safe Mode.
Windows XP and Windows Vista:
Start your computer and press and hold the F8 key.
A Windows Advanced Options menu will appear. Use your arrow keys to scroll to Safe Mode and click the Enter key.
Click the Start button, and then click Run.
Type cmd then click OK. A black command prompt window will appear.
Locate the affected directories:
Windows XP:
Type cd c:\Documents and Settings\All Users\Application Data\ and press the Enter key.
Type dir and press the Enter key.
Windows Vista:
Type cd c:\ProgramData\ and press the Enter key.
Type dir and press the Enter key.
Type c:\Users\All Users\ and press the Enter key.
Type dir and press the Enter key.
Scroll through the list to find directories with random names that contain 18 characters. For example: cHl08200gMhHd08200 , pJg08200fBmPl08200.
Type rd /s /q <random name>, and then press the Enter key. Replace <random name> with the 18 character name. Repeat this step for each random name you find.
Type reg delete hkcu\software\microsoft\windows\currentversion\runonce /v <random name> /f, and then press the Enter key. Replace <random name> with the 18 cha...

More replies
Relevance 73.39%

Hi all, my first post in here, so hello to everyone.

Could anybody be able to tell me how to completely remove Windows malicious software removal tool as it keeps coming up every time I turn on the laptop.
I have tried all usual channels like add/remove etc but can't see it anywhere. Could someone shed some light, many thanks

Answer:[SOLVED] Removal of 'Malicious software removal tool'

Have you let the MRT finish? The MRT is an On Demand anti virus scanner with a very limited impact on the PC or resources. There are NO reasons to remove it.

The utility is...
%windir%\system32\MRT.exe

Command line switches...

/? or /HELP = displays the command line switches
/Q = quiet
/N = detect only
/F = force extended scan
/F:Y = force extended scan and automatically clean infected files

If you really want to remove it browse to C:\Windows\System32 and delete MRT.exe

4 more replies
Relevance 72.98%


Hi there,

Recently I got a virus on my Laptop - 'Worm.win32.netsky'. I couldn't start up the computer but managed to run it in safe mode and download Malwarebytes. I ran a scan and it got rid of the virus but when I started up the computer again the laptop started using the start up repair tool and can't get past that stage.

I have tried booting up the computer with the Windows Vista CD and selected the repair Windows option but it just ended up going back to the startup repair.

What I need to know is how to get the files off the computer. I could take it to my local computer shop but they will charge around ?100 to get the data. Is there any way I can do this myself?

Any help would be much appreciated!

Answer:Had Worm.Win32.NetSky, now cant start Laptop

Do you have access to another computer?

If so please do the following:


We will need to make a BOOT CD

Print these instruction out so that you know what you are doing.

Two programs to download

First

Please download ISOBurner and save it to your desktop. This program will allow you to burn OTLPE.ISO to make a bootable CD.
Double click the ISOBurner set up icon to install the program, from there on in it is fairly automatic.
There are Instructions for the iso burner here if you need them.

Second
Download OTLPE.iso and save it to your desktop. Now burn OTLPE.iso to a CD using ISO Burner. (NOTE: This file is 292Mb in size so it may take some time to download.)
When downloaded double click OTLPE.iso > this will then open ISOBurner to burn the file to CD

Reboot the infected system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
Your system should now display a REATOGO-X-PE desktop.
you will find an icon on the desktop called OTLPE > Double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the box "Automatically Load All Remaining Users" is checked and press OK
OTL should now start. Change the following settings:
Change Drivers to SafeList

Press Run Scan to star...

2 more replies
Relevance 72.98%

Yesterday, my computer was infected with the Department of Justice virus from Youtube. After doing some research, I followed a tutorial that said to start the PC in Safe Mode, and type in "rstrui.exe" to prompt the System Restore to start. I selected a date that was just before my infection. When my computer restarted, I ran Malwarebytes Anti-Malware, and it came up with a clean report. I tested out various things, and everything seemed fine on my computer. I shut it down for the night with no problems. When I went to start it up today, however, the computer will not respond. Pressing the power button does absolutely nothing. I have tried unplugging the tower, waiting, and plugging it back in for various amounts of time and while holding down the start button, but nothing has worked. None of the fans go on, no sounds are made, and the only light that is on is in back of the tower underneath the main power cord. I'm completely stumped at this point, and have no idea where to turn for a solution. I have many files on my computer that I didn't get a chance to back up, so I'm hoping I can at least access and save them to my flash drive. Any help would greatly be appreciated!
 
I have a HP Pavilion (made about 2007) that runs Windows Vista with IE 9.
 

More replies
Relevance 72.16%

Hello everyone! I used the information on your read and run me first thread to fix an older computer of mine so thank you for that! This post is about my father's computer. My sister was online and paying little attention to what she was doing. She clicked a pop-up and something began downloading on the computer. She then received a message after the download that I'm sure you all have seen, which read: your computer is infected! Windows has detected spyware infection...and so forth. She ran Norton and apparently found nothing, but later my father ran the same scan and found worm.win32.netsky. He said he ran the fixes built in to Norton and then the computer was shut down. My first instinct was to do everything from your read/run me first page, but I cannot log in to any profile on the computer. It begins to load and then reverts back to the log in screen. I tried safe mode and starting from the last working conditions but both sent me to a blue crash screen. Any help would be greatly appreciated.
 

Answer:worm.win32.Netsky popups and start issues

Welcome to Major Geeks!

Sounds like you have either lost the userinit.exe file or the registry keys responsible for loading it have been corrupted. Normally this requires booting to the Recovery Console of your Windows boot CD to fix; however you could also try the below procedure which you can use even if you do not have a CD.


http://thinkinginpixels.com/quick-fixes/fix-windows-xp-log-onlog-off-loop/
 

3 more replies
Relevance 72.16%

At start up a blank notepad comes in view, would like to manually remove it or a link to assist with removing it, using Win7 (x64)...

Answer:[SOLVED] Removal of Notepad on Start up

Hi lucaya, welcome to TSF

Go to run and in the run box type msconfig, on the startup tab uncheck everything and apply then restart computer and see if the blank notepad comes up. If it doesn't then one of those you unchecked is causing it, then you can narrow which one it is by checking a few at a time until you find the one it is.

3 more replies
Relevance 71.34%

I had a computer infected with the Win 7 Antispyware 2012 rogue anti-spyware program. I removed it using the instructions located at http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012. Now, a week after the initial removal, the user suddenly cannot connect to other computers on the network. The "Computer Browser" and "TCP/IP NetBIOS Helper" services will not start, failing with Error 1060 and Error 1075, respectively. The user has also informed me that they were still seeing Google redirects during the past week, which leads me to believe that there is still a rootkit installed. I have tried running tdsskiller again, but it says there are no infections. I need help removing whatever is still installed on this computer, as I would rather not have to wipe it clean.

Thanks,
Yogi

Answer:Cannot start Computer Browser service after malware removal

I am having the same issue but it was last night that I removed everything. I'll keep searching and post if I find a solution.
Steve

8 more replies
Relevance 70.93%

I have adware or a virus on my computer that I can't seem to get off. Did an online free scan, ccleanup, and 2008 lavasoft adaware scans with no success. The virus/adware makes my desktop be a message warning spyware detected on computer, saying that it detected the viruses Win32/Adware.Virtumonde Win32/PrivacyRemover.M64 are on my computer and I have to buy some software to get it off. Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:25 PM, on 9/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal


Answer:Wallpaper Takeover Win32/Adware.Virtumonde Win32/PrivacyRemover.M64 Removal help

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

1 more replies
Relevance 70.52%

Hi, I recently had a virus on my computer and TimW was nice enough to help me delete it. Unfortunately I can only start my computer in safe mode now, I get a blue screen error. TimW has sent me to the Software forums for help in resolving my problem. Here is the link to my malware removal process in case you need to reference it.
http://forums.majorgeeks.com/showthread.php?t=210341

My computer is a Dell netbook running XP and I do not have any of the system discs.

This is the error I get when I start my computer.

A problem has been detected and windows has been shut down to prevent damage to your computer.
IRQL_NOT_LESS_OR_EQUAL
(More info about errors msgs, restarting, disable newly installed hw or sw and the following...)
Technical Information:
*** STOP: 0x0000000A (0x00000201,0x00000002,0x00000001,0x806E6A2A)
 

Answer:Blue screen error - can't start computer after Malware removal

IRQL_NOT_LESS_OR_EQUAL is usually a Hardware problem. This could be bad ram, CPU overheating, etc.

Use this to test your ram: http://www.memtest86.com/

EDIT: Can't be your ram if it boots in Safe Mode. This has to be a piece of hardware that is used when booted to safe mode, but not in regular mode. I'm a networker, not a hardware geek. All I know is this is a driver issue.
 

2 more replies
Relevance 69.7%

Hi, please can you help me get rid of this virus?? Worm.win32.netsky

I have tried for a week now but I don't know what I'm doing!!!

I don't know where I got it from but I can't erase it, I have tried using smitfraudfix and it has gone temporarily but when my computer has been turned off and then turned back on next time, the malware has returned.

I really need a step by step guide to remove this properly....can you help plz??

Thanks in advance

 

Answer:worm.win32.netsky on my computer..plz help

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies
Relevance 69.29%

A few days ago this virus took over my whole computer. When I turn it on there are no icons nor the desktop, just my background and 2 warning messages that say Worm.Win32.NetSky is detected, it also says
Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista 7
Security Risk (0-5): 5
Recomendations: It is necessary to perform a full system scan.
When I click "OK" my computer automatically restarts and it happens again. I also tried every safe mode. But, the main problem is, I can't download anything to protect my computer, I've even tried using a flashdrive but no luck. Does anyone have suggestions of what I could do?
Thanks,
Kamp

Answer:Worm.Win32.NetSky Virus on Computer

Kamp, read the instructions on this page NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum. See if you can download the programs mentioned to a flash drive and run them on the infected computer. Then create a new thread in the Virus Forum with the info you have here, as well as any logs you're able to attach. If you can't run the 2 programs needed by the Virus staff, just let them know, they may have another option. If they want you to come back here and get instructions on something else, just post back in this thread.

1 more replies
Relevance 69.29%

hi there

I downloaded a "codec" recently and afterwards I got bombarded with pop-ups through IE.
I am running Windows XP SP2. AMD 2600+, 1.5gb of ram and a nvidia 7600 graphics card.
I have a lot of system alerts stating that I have a virus named worm.win32.NetSky

here is my HJ log if you need anything else please let me know
thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:37 AM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal


Answer:Solved: worm.win32.netsky

9 more replies
Relevance 69.29%

I have a serious issue with my laptop. When I launch the computer, I receive the following error message:

Windows Security Alert
"Windows has detected an Internet attack attempt…Somebody's trying to infect your PC with spyware or hamrful viruses. Run full system scan now to protect your PC from Internet attacks hijacking attmepts and spyware! Click to download spyware remover for total protection."

From there it launches "AdwareRemover2007" at http://scanner.adwareremover2007.com/5/?advid=1216, which I do not believe is actually anything other than the malware program running b/c it runs while I am not connected to the internet.

A series of other websites launch, including www.safenavweb.com/index.php?sid=502&aid=645%said=0&pn=5&...

When I close out, I get the following error = Your PC is still infected with spyware! Return to www.AdwareRemover2007.com and download spyware remove tool!

One other warning I also receive is:
Spyware Alert
Security Warning!
Worm.Win32.NetSky is detected on your machine. This virus is distributed via the Internet through e-mail and Active-X objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process should be removed from your system.
Type: Virus
System Affected: Windows 2000, NT, ME, XP, Vista
Security Risk (0...

Answer:Solved: worm.win32.netsky

HiJackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:38:33 AM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)


2 more replies
Relevance 69.29%

Hi!
Hi my computer recently got infected. The computer said that it was infected with worm.win32.NetSky. I continually get two pop-ups that say ...detected on your computer... and ...has detected an Internet attack.... Upon closing them, they launch Internet Explorer with a website such as udefender or pcsecuresystem. Please help, I need my computer for my work asap! Thanks. - I saw someone else on the forums seems to have the same problem but hasn't appeared to have solved it yet! Please Help!

System information:

Operating system: Windows XP - Professional (5.1.2600)

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33:45, on 28.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\S... Read more

More replies
Relevance 69.29%

I wasn't able to do most of the 5 steps that you would like us to do. I went through the add/remove programs and I was able to download the Deckard's System Scanner and Hi Jack and get logs.

I'm not sure what site or what file it was but an active x control was installed on my computer. It installed a toolbar called enlfxgw. It constantly pops up virus warnings wanting me to install these "cleaners". I'm not able to log on my browser and when I am it's VERY slow. I have included the Deckards Scan and a Hi Jack This Log. I have also attached a few print screens of the pop ups that I get. Along with the extra.txt that you wanted.

Deckard's System Scanner v20071014.68
Run by HP_Administrator on 2008-03-05 20:32:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
111: 2008-03-06 04:33:09 UTC - RP425 - Deckard's System Scanner Restore Point
110: 2008-03-06 04:19:57 UTC - RP424 - Software Distribution Service 3.0
109: 2008-03-06 04:16:56 UTC - RP423 - Removed Windows Live Messenger
108: 2008-03-06 04:14:45 UTC - RP422 - Removed Microsoft Office Word Viewer 2003
107: 2008-03-06 04:08:38 UTC - RP421 - Removed Microsoft Office Publisher 2007 Trial


-- First Restore Point --
1: 2007-12-07 04:53:50 UTC - RP315 - System C... Read more

Answer:[SOLVED] Worm.Win32.NetSky

Hi there,

Welcome to Tech Support Forums. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading SELECT Show hidden files and folders.
UNCHECK the Hide protected operating system files (recommended) option.
UNCHECK the Hide extensions for known file types option.
Click Yes to confirm.
Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post me an Uninstall List from HijackThis:
Re-Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Brute Force Uninstaller to your desktop... Read more

19 more replies
Relevance 69.29%

I am in the same position as jamesthorn (26-Oct-2007 4:40PM). He wrote: "Hi my computer got infected yesterday. According to the computer is said i was infected with worm.win32.NetSky. I continually get a pop-up that says "Windows has detected an Internet attack attempt..." Upon closing it, it launches Internet Explorer with a website such as udefender or pcsecuresystem. Also, my background has been changing to a red and black image saying that my privacy is in danger and to download all of this stuff to stop it. The CPU is running at 100% use constantly! Please help i need my computer for my work asap! Thanks. - I saw someone else on the forums seems to have the same problem but hasn't appeared to have solved it yet! Please Help!"

I read his reply and have done what he was told to do. The HJT log file read:

Logfile of HijackThis v1.99.1
Scan saved at 19:49:58, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Mc... Read more

Answer:Solved: worm.win32.netsky

15 more replies
Relevance 69.29%

I believe my computer is infected with the worm Worm.Win32.NetSky right now, as I am getting multiple popups about my computer being infected with it, supposedly from the worm itself. My mother unfortunately is not very knowledgeable with computers and is not sure how or where she got this worm from, and might have clicked on some unwanted malware. Any help at all would be appreciated, as my mom uses this computer for her personal stuff and would not want anything to happen to it. I've tried running ad-aware but it didn't seem to remove it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:43 PM, on 12/27/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\PSIService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
... Read more

Answer:Solved: Worm.Win32.NetSky

16 more replies
Relevance 68.47%

I think this is a virtumonde infection under a different name. I know the location of one but can't seem to delete it at all - it poses as the zone alarm executable and my every attempt at deletion has failed and all the virus online scanners can't clean it either.

avast log for infection:
2/18/2008 10:11:51 AM Administrator 1768 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe\[Embedded#0e35e8]" file.
2/18/2008 10:12:29 AM Administrator 1768 Sign of "Win32:Agent-PSG [Drp]" has been found in "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" file.
2/18/2008 10:13:07 AM Administrator 860 Sign of "Win32:TratBHO [Trj]" has been found in "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe\[Embedded#0e35e8]" file.

my renamed hjt log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:14 PM, on 2/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explor... Read more

Answer:Win32:inject-ev [trj],win32:tratbho [trj] Removal Help

and i forgot to say thanks! to whoever may attempt to decipher what is wrong with my overrun machine! THANKS!!

oh and here's a massive log of winpfind35's findings, in multiple parts due to file size!

5 more replies
Relevance 68.47%

I had something called worm.win32.netsky and it's been a problem for a few days now. I lost explorer.exe and could no longer access the task manager. When I clicked links on websites it would redirect to some advertisement/popup.

I managed to download kaspersky internet security (trial) and it supposedly found things and deleted them.

I still could not access task manager or restore explorer.exe.

I downloaded ComboFix and ran it - within a couple hours I tried Ctrl Alt Del and my task manager was back somehow

The screen of ComboFix is now stuck at "However, scan times for badly infected machines may easily double" and {it would seem} has not progressed for several hours.

The machine is a Windows Vista.
What should I do now? Close the Combofix? Reboot? ??? ???

Answer:Computer virus/malware - worm.win32.netsky

Update: The combofix must have finished overnight and then rebooted. The computer is not worse off than before, nor is it better.
What do I do?

Thanks.

1 more replies
Relevance 68.47%

Hi, I have Windows XP and I have the Antivirus Plus and Worm.win32.netsky viruses (possibly more). I couldn't access the internet while in normal startup mode b/c the worm would spam email and cause my internet to crash. So I opened the computer in safe mode and downloaded SpyBot Search & Destroy. I ran Spybot and it detected many trojans and various spy/malware and so I hit the delete infected files button. It cleared almost everything except for one, which it then said if I would allow S&D to restart my computer and then it could delete the remaining infection. So I did. When the restart came up, it opened it in normal settings and then the desktop wouldn't appear (just the background picture - no icons, toolbar, start menu) so then I turned it off and started it up in safe mode where it took me to the log in screen. Two appeared - owner and administrator - I was locked out. When I clicked either it would have small print underneath - logging in..settings blahblhablah. I don't even know if I deleted any viruses. Help please.
Problems:
-Antivirus Plus
-Worm.Win32.netsky
-Locked out of computer

-if need more info, ask and i will divulge into further detail. thank you so much.
 

Answer:Antivirus Plus; Worm.Win32.Netsky;computer locked

-Locked out of computer

Until you can gain access again I cannot assist you in malware removal, so moved your thread to software where they can help get you into a fit state ready for malware clearance.
 

5 more replies
Relevance 68.47%

Hi, I have Windows XP and I have the Antivirus Plus and Worm.win32.netsky viruses (possibly more). I couldn't access the internet while in normal startup mode b/c the worm would spam email and cause my internet to crash. So I opened the computer in safe mode and downloaded SpyBot Search & Destroy. I ran Spybot and it detected many trojans and various spy/malware and so I hit the delete infected files button. It cleared almost everything except for one, which it then said if I would allow S&D to restart my computer and then it could delete the remaining infection. So I did. When the restart came up, it opened it in normal settings and then the desktop wouldn't appear (just the background picture - no icons, toolbar, start menu) so then I turned it off and started it up in safe mode where it took me to the log in screen. Two appeared - owner and administrator - I was locked out. When I clicked either it would have small print underneath - logging in..settings blahblhablah. I don't even know if I deleted any viruses. Help please.
Problems:
-Antivirus Plus
-Worm.Win32.netsky
-Locked out of computer

-if need more info, ask and i will divulge into further detail. thank you so much.

Answer:Antivirus Plus; Worm.Win32.Netsky;computer locked

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Let's try creating a boot disk that may allow me to get you to boot normally:

Using OTLPE

This file is quite large, and requires a CD/DVD burner, and a blank CD on a clean machine. A USB device would be handy as well.
Download and install ISOBurner. This will allow you to burn OTLPE.ISO to a bootable CD. Here are ISO Burner Instructions

Download OTLPE.iso and burn to a CD using ISO Burner (or your own burning application). NOTE: This file is 270Mb in size so it may take some time to download.
Once the download is complete, double-click on it. This will open ISOBurner to burn the file to CD.
Reboot your affected system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

Your system should now display a REATOGO-X-PE desktop.
Double-click on the OTLPE icon.
When asked "Do you wish to load the remote registry", select Yes
When asked "Do you wish to load remote user profile(s) for scanning", select Yes
Ensure the... Read more

5 more replies
Relevance 68.47%

I'm on a DELL Studio 1537 laptop with a 30 day trial of ZoneAlarm Extreme Security. The trial ran out today so my virus protection and firewalls were down for a short period of time. Then all of a sudden a Windows Security message pops up in the task bar saying that I've been infected and to click to update. I usually just close these messages but instead I clicked it and then a bunch of ZoneAlarm alerts pop up and I choose "deny." I realized that something was up and ran Spybot Search & Destroy and got a bunch of Windows Security issues pertaining to certain settings being changed like firewall override and task manager override. There were also trojans on the list. So I clear all those problems and do a restart. Now Windows reboots to the Welcome screen and I log in. Then a message pops up saying Spyware Alert! worm.win32.netsky detected on your machine. I click OK and then my desktop loads for about 10 seconds and the background changes to a random color with a picture saying you're infected. Then it quickly blinks a blue screen with error messages and then restarts itself to start the cycle again. This happened for about an hour. Now when I reboot and login I get the same Spyware Alert message but when I click OK none of my icons load and neither does the taskbar. And instead of the "you're infected" background it's my original picture. Also, now it doesn't reboot itself, it just sits there with only the background displayed. I've tried to startup in ... Read more

Answer:worm.win32.netsky...computer restarts and cycles

bump

someone please help me out with this. any ideas?

2 more replies
Relevance 68.47%

Hello,
I'm having all of the problems that user ccmint was having on 11/25 when he posted http://www.techsupportforum.com/secu...32-netsky.html
I followed all of the steps provided by forhockey (#3 on that thread), several times and the fix works but the problem keeps coming back after a couple of hours or so. Even if, after I complete the last step, I shut down the PC for the evening and check it in the morning, the problem comes back.
Here are the log files that forhockey requested back on the 25th on that other thread. I cannot attach all of the AVG Anti-Spyware logs (I would like to since each time I completed the whole procedure, the tool found different files) so I attached the first and the last.
Please help and I'm sorry if this should have been posted in another way.

Thanks,

Step

Deckard's System Scanner v20071014.68
Run by William Stepalovitch on 2008-02-05 10:25:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as William Stepalovitch.exe) --------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:12 AM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDO... Read more

Answer:[SOLVED] Popups, Worm.Win32.Netsky

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cl... Read more

9 more replies
Relevance 68.06%

I can't believe this, I only have had this computer for 3 days and it got some kind of internet redirect virus that changed my desktop background and runs a false scan while disabling my task manager and infected AVG. Here's the logs:

====
DDS
====


DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 22:19:27.76 on Sat 07/11/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.269 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
svchost.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE -k sfx
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://home.peoplepc.com/search/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost;*.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A8F... Read more

Answer:[SOLVED] New computer got a virus already! Help in removal.

Bump. Please help.

19 more replies
Relevance 67.65%

This on my mother's computer, running on windows XP. She gets constant popups saying computer is infected, homepage for windows IE is set to Ultimater Cleaner 2007 and can't be changed. Her background was also changed. She believes she got the virus when downloading a birthday card, but she doesn't know what she downloaded and uninstalled it right away.

I ran dss but don't know if i was supposed to run hjt.

Here is the log dss created:


Deckard's System Scanner v20071014.68
Run by susan ryan on 2008-03-02 12:33:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as susan ryan.exe) ------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-03-02 12:34:28
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM32\SMSS.EXE
C:\WINDOWS\SYSTEM32\WINLOGON.EXE
C:\WINDOWS\SYSTEM32\SERVICES.EXE
C:\WINDOWS\SYSTEM32\LSASS.EXE
C:\WINDOWS\S... Read more

Answer:[SOLVED] popup says infected w/ Worm.Win32.NetSky

Hello, kryan11 -

I see you've marked this as solved. Just want to make sure that was not in error.

2 more replies
Relevance 67.65%

It appears I am a victim of the popup w/ the WORM.WIN32.NETSKY warnings (among others). I have made several attempts to resolve this issue and it 'appears' to go away only to return a short time later. I have run thru the 'before you post' recommendations.

However, for some odd reason I was unable to run the entire Panda Virus Scan. When I run the online scan I see it run about half way thru the scan, it begins to identify some errors and then it just closes the IE windows.

I have attached the DSS output for review. Hopefully, this will be enough to assist with identifying the issues. Any help is much appreciated.

Deckard's System Scanner v20071014.68
Run by ZZZ on 2008-02-19 00:22:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
126: 2008-02-19 07:22:14 UTC - RP248 - Deckard's System Scanner Restore Point
125: 2008-02-18 08:43:42 UTC - RP247 - Installed Windows XP KB946627.
124: 2008-02-18 07:17:17 UTC - RP246 - Installed SUPERAntiSpyware Free Edition
123: 2008-02-18 07:00:17 UTC - RP245 - ComboFix created restore point
122: 2008-02-17 14:48:25 UTC - RP244 - System Checkpoint


-- First Restore Point --
1: 2007-11-21 23:42:06 UTC - RP123 - System Checkpoint


Backed up registry hives.
Performed di... Read more

Answer:[SOLVED] Popups and the infamous WORM.WIN32.NETSKY

The extra.txt attachment above is not correct. I have attached the correct corresponding extra.txt file to this post.

1 more replies
Relevance 66.83%

Don't know how it happened, but I started getting those fake "antivirus" pop ups. I used CTRL+ALT+DEL to end that program. Then my computer began to restart. I used the power switch to turn it off. When I turned it on, it would keep rebooting. I tried Safe mode, Last good known configuration, All the options, it wasn't until I tried "Debugging mode" that it actually looked like it might be working. It led me to a black screen with the "Worm.Win32.Netsky" alert. I turned it off without clicking anything. Help :/

(Moderator edit: post moved to more appropriate forum. jgw)

Answer:Computer won't stop restarting, won't load. Worm.Win32.netsky virus

Can you boot now? To Normal and/or Safe mode?
Is this an XP system?
Can you follow our Removal Guide here http://www.bleepingcomputer.com/virus-remo...t-security-2010
You will move to the Automated Removal Instructions for Internet Security 2010 using Malwarebytes' Anti-Malware:
After you completed that post your scan log here, let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

1 more replies
Relevance 66.83%

OK, Yet another Win32.NetSky Virus thread. I'm usually pretty good getting rid of these but this one is a little bugger. I've read through a lot of the threads and can basically take my PC back, but the virus inevitably respawns itself. The following is a timeline of what I've done to get to this point.

It started with a message stating that I had a Windows Security Alert and asked me to download something to clean it up. It sounded funny, and wouldn't let me select cancel. Here's the window:
I tried CAD to get to the task manager and got the message "Task manager has been disabled by your administrator." I'm connected wireless so I disconnected and hit the Yes and it tried to launch me to

h-t-t-p://www.safenavweb.com/index.php?sid=502&said=0&aid=934&pn=5&pid=1
Then I get a second alert about the Worm.Win32.NetSky:

I think this one tries to put me to this webpage:

h-t-t-p://directnameservice.com/r.php?sid=502&said=0&aid=934&pn=5

At some point in time, The following is saved as my homepage:

h-t-t-p://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2

And I got shortcuts to some official looking spyware shortcut icons that are shortcuts to URLs.
Reading a Microsoft KB, I got my Task Manager back.

Reading some of the other pages, I ran ComboFix.exe.(Log Below)

This seemed to correct the issue and I was good to go. However, on my next reboot I got another security alert then all ... Read more

Answer:Solved: Worm.Win32.NetSky and Privacy Protector Virus

7 more replies
Relevance 66.83%

Apologies in advance as first time user to Techguy.
I am unable to turn my system off from the start menu Turn off computer. The pop up to log off or shut down does not appear now. It just freezes.
Also when I go to the computer control panel and click on Add or remove programs, it also freezes and my program list does not appear.

I recently added Windows Live One Care.

Should I go to my computer panel and try a system restore?

My op.system is Windows XP Professional.
 

Answer:Solved: Computer shutdown and program removal problems

8 more replies
Relevance 66.83%

Hello everyone,

I would like to say thank you for taking your time and looking at my problem. It seems I have a worm downloaded onto my laptop.

Can anyone please help get rid of it?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:43 PM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\TPSrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AntiSpam\pskmssvc.exe
C:\Program Files\Panda Security\Panda Internet Security 2008\AVENGINE.EXE
C:\P... Read more

Answer:Solved: I have this file on my computer: jar_cache48776. Need help with removal pleas

Why are you trying to get rid of it? It saves you redownloading Java content that you use often. If you want the file to be smaller, change the cache settings in Control Panel > Java.
 

2 more replies
Relevance 66.42%

I bought an HP laptop with windows 8 (upgraded to 8.1) last June and my girlfriend and I used it quite a bit until recently, when I was able to get my desktop set up. Now, she mainly uses the laptop under her own user account. It has the free version of Avast as the main AV program. Lately, when she first gets into her account, it sends her an alert that it has blocked the win32:evo-gen Trojan. To my knowledge, only her account does that. Now, I have tried following several instructions to get it removed but to no avail. However, when I tried to get into safe mode with networking, the laptop will not go in to safe mode with networking, only regular safe mode. I'm not sure if that is due to the Trojan or not. I tried two different approaches 1) press shift while restarting and 2) run msconfig, then hit the boot tab and check off safe mode and networking, then restart. Simply cannot get the networking with safe mode. So, I tried working in just safe mode by downloading malwarebytes to a flash drive from my desktop and running it on the laptop but the program won't run for some reason. It will on my desktop, though. Very weird situation. So, I'm not sure if the Trojan virus has anything to do with it or if there is something going on with the Windows 8 program. For scanning, I use superantispyware and malwarebytes and both don't seem to find it.

She can still use the computer but something is causing Avast to continually block the win32:evo-gen trojan. Any... Read more

Answer:Win32:evo-gen removal help

She can still use the computer but something is causing Avast to continually block the win32:evo-gen trojan. Any help is appreciated.

You should follow these procedures...

READ & RUN ME FIRST - Malware Removal Guide
 

1 more replies
Relevance 66.42%
Question: win32 help removal

Deckard's System Scanner v20071014.68
Run by JessicaP on 2008-06-30 16:37:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
105: 2008-06-30 20:37:12 UTC - RP283 - Deckard's System Scanner Restore Point
104: 2008-06-30 18:15:34 UTC - RP282 - Spybot-S&D Spyware removal
103: 2008-06-30 04:16:09 UTC - RP281 - System Checkpoint
102: 2008-06-29 02:07:39 UTC - RP280 - System Checkpoint
101: 2008-06-28 01:01:29 UTC - RP279 - System Checkpoint


-- First Restore Point --
1: 2008-04-10 18:25:10 UTC - RP179 - Spybot-S&D Spyware removal


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JessicaP.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:57 PM, on 6/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\Program Fi... Read more

Answer:win32 help removal

Welcome to TSF.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

PermissionResearch - if you know what this is, you may keep it
Viewpoint

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - AppInit_DLLs: c:\program,files\permissionresearch\prai.dll,c:\program files\permissionresearch\prai.dll
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

c:\program,files\permissionresearch\ - if you know what this is, you may keep it
C:\Program Files\Viewpoint\

Run Deckard's System Scanner again, using the below instructions.

Go to Start->Run and copy/paste the following and click OK:

"%userprofile%\desktop\dss.exe" /daft

Click on Scan. Check the boxes which should appear for these entries:

.cpl

Then click on Fix.

Click Scan again. You should get a message All Associations OK! Click Next, then Save Log and post this log in your next reply.

Go to http://www.bleepingcomputer.com/comb...o-use-combofix a... Read more

1 more replies
Relevance 66.42%

 

Answer:Win32;Evo-gen removal

Hi,
Before we start:

Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
Please be patient and stay with me until I give you the green lights and inform you that your PC is clean.
Like everyone, I have a private life, so be patient with me. Sometimes I will respond immediately, sometimes it will take a couple hours.
Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe, the detections are false positives.
The absence of symptoms does not mean your PC is fully disinfected.
If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.

Because of this, I advise you to backup any personal files and folders before you start.
1. Download AdwCleaner from the below link.
http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner ADWCLEANER DOWNLOAD L... Read more

1 more replies
Relevance 66.42%

Ok, well I used spybot to do a weekly scan I do and it came back with win32.vb.jl and it "removed" it. It keeps coming back and I think it is what has been giving me trouble today with installing a few programs. I tried installing macromedia shockwave standalone player and said that I wasn't an administrator (I am). So, I did what would make it work no matter what and went into safe mode and went into the window's administrator account and received the same error.

Thanks for the help in advance!
-James

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 19, 2008 7:28:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/05/2008
Kaspersky Anti-Virus database records: 786342
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\ E:\ F:\ G:\ H:\ I:\ J:\ K:\
Scan Statistics:
Total number of scanned objects: 194226
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 00:54:28
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E... Read more

Answer:Win32.vb.jl Removal, Please

Hello

Apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Please download Deckard's System Scanner (DSS) and save to your Desktop.
alternate download site

DSS will do the following:
Create a new System Restore point in Windows XP and Vista.
Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
Check some important areas of your system and produce a report for an analyst to review.
Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When the scan is complete, two text files will open in Notepad:
main.txt <- this one will be maximized
extra.txt <- this one will be minimized
If not, they both can be found in the C:\Deckard\System Scanner folder.
Please copy (Ctrl+C) and paste (Ctrl+V) the c... Read more

8 more replies
Relevance 66.01%

I bought a Compaq Evo N600c that works well on AC but can't remember CMOS settings at start up, so I use F1 to start XP. I may need a new battery but I have not let it charge up enough to really tell at this time.
Since it is an unknown used machine, what do I need to do to check it out? I need to check its battery for corrosion, but I don't know how to get to it. I may need to replace a CMOS battery. Is there a manual that I can download and do you have any advice for my computer checkup?
Thank You,
 

Answer:Solved: Compaq Evo N600c Battery Removal & Computer Check Up.

16 more replies
Relevance 65.6%

Hi there,

New to this site, and I need help removing the Win32:Rootkit-gen [Rtk] virus/malware. Have looked at other threads with this problem but can't quite grasp what I need to do.

Can't seem to run/double click on any files. It is quite frustrating.

Thanks for your help in advance

Edit: OK, I have tried to run Malwarebytes Anti Malware & Hijack This to post Logs but cannot even open these, either in normal or safe modes. They come up with "Runtime '0' Error" messages.

What else can I do to give more information?

I am using Win XP SP2 with Avast Antivirus.
 

More replies
Relevance 65.6%

Good morning all, my friend emailed me to say he has win32 trojan and has asked how to remove it. I have searched this forum and googled it, but cannot find a definitive answer. Can anyone with experience of removing this trojan please advise me? Many thanks. He has a Medion desktop about 6 months old with Vista premium installed. Am off to work now so will check any postings this evening. Many thanks

Answer:win32 trojan removal

Download and run a full scan with malwarebytes click here Also do an online scan with Eset click here using internet explorer and see if they remove it.

4 more replies
Relevance 65.6%

Hi

I need some help with win32.brontok worm removal. This affected my computer badly. I cannot open internet explorer. It says unsecure browsing and it shut down by itself.

Any help will be greatly appreciated.

thanks
Sam

Answer:win32.brontok removal help

Moved from HJT forum

2 more replies
Relevance 65.6%

Hi,

Have reviewed previous threads relating to this subject. Avast found Win32-Rloader-B in the system32 folder.

I read the advice in previous threads relating this nasty and have run ComboFix, following the instructions carefully. The CF log file is pasted below.

This seems to be the last of a multitude of infections on a friend's PC which had been used for maybe 2 years with no AV/MW protection. Trying to avoid a reinstall of XP as she has no discs/backups, etc. Not too clever.

Would be very grateful if someone could review the log file and let me know if it's clean . . . or where to go with this next.

Many Thanks!
 

Answer:Removal of Win32:Rloader-B

Note: Avast shows in "Running Processes" but all Avast shields were disabled during the ComboFix scan.
 

4 more replies
Relevance 65.6%

See above. (I can copy and paste it in here if needed - just didn't want to repeat myself unnecessarily).

I've tried all the steps in your article (http://malwaretips.com/blogs/win32-downloader-gen-trojan/), but none of the programs found the threat, but SpyBot is still picking it up. Not sure what's going on there?

As a second question, do you think the images that were recovered are virus free? I presume so, and feel this is just something that was added by the recovery program(s) installation package(s).

Thanks in advance for your time.

Jo
 

Answer:Win32.Downloader.gen removal help

Hi and welcome to the MalwareTips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to nece... Read more

16 more replies
Relevance 65.6%

It appears I have a virus trojan.win32.117472455 and trojan.win32.8347584445. How do I get rid of them? The anti virus does not seem to be working.

Answer:trojan.win32 removal

Try downloading Malwarebytes, update and run a full scan. http://www.malwarebytes.org/ If you have no luck download Superantispyware free version, update and run a full scan. http://www.superantispyware.com/

2 more replies
Relevance 65.6%

Hello,
I recently installed AVG on my gaming PC and found out that it was infected with a Trojan named ''Win32 / Heur''. I've tried to remove it with Ad-aware, AVG, Malwarebytes' Anti-Malware and I even formatted my PC. But AVG still reports infection due to the same spyware.

I've read the posts of other users in this forum but every answer seems to be user specific so I am asking for help. Either a solution to get rid of this spyware or a direction where I could find such instructions.
HiJackThis :

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:12:30 PM, on 08/09/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\Syste... Read more

Answer:Removal of Win32 / Heur

I'll go ahead and bump this since I've tried everything I can think of and I still have the same infection.

Any chance someone knows how to help? I would really appreciate it.
 

1 more replies
Relevance 65.6%

Hello, I am trying to remove a virus that Spybot S&D calls Win32.Flux.fm but every time it removes it, it just comes back next time I scan. So I went and found the path to the trojan, which is located in the registry, and manually deleted it. Unfortunately, it still reinstalls itself, so I was hoping somebody would be able to help me with this.
The path to the trojan is: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\ReportBootOk according to spybot S&D

Thank you all in advance.
 

Answer:Win32.Flux.fm Removal Help (please)

Welcome to MajorGeeks.com!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.


READ & RUN ME FIRST. Malware Removal Guide


If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.
Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

 

1 more replies
Relevance 65.6%

My CA Antivirus program keeps indicating that win32/Sillyautorun.ABS was found and deleted, but it keeps coming back again. Previous to this I also had the Vundo and Haxdoor E virus, but that seems to be gone although I am not sure if they are lurking somewhere on my computer.

Any help to resolve this would be appreciated.

paul
DDS (Version 1.1.0) - NTFSx86
Run by Dad at 14:07:02.26 on Fri 12/26/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.894 [GMT -10:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)
AV: *On-access scanning enabled* (Outdated)
FW: CA Personal Firewall *enabled*
FW: *disabled*

============== Running Processes ===============

C:\Program Files\Bonjour... Read more

Answer:Win32/Sillyautorun.ABS Removal and Maybe Others Help!

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your issue.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop. If you have already run ComboFix, delete your copy and download a new one. If the computer is unable to download ComboFix, use a removable media to transfer the file.
Link 1, Link 2, Link 3
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
Double click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP.
ComboFix will check to see if you have the Windows Recovery Console installed.
If you did not have it installed, you will see the prompt below. Choose YES.
When the Recovery Console has been installed, you will see the prompt below. Choose YES.
When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.
Please also include a new HijackThis or DDS log.... Read more

9 more replies
Relevance 65.6%

I'm not a whizz at computers but I'm not a total beginner either. All appropriate google searches have led to registry values I can't find to remove or Free scans that want money later.

I saw a similar topic in this forum where explorer.exe was cleaned using BlitzBlank, and as the virus only gets detected in explorer.exe for me too, is this an option?

Any help anyone could offer would be greatly appreciated, I am close to putting this laptop through a window but could not possibly afford to replace it

Answer:Win32/Bamital.a Removal?

Hello,

Please follow the instructions in ==>This Guide<==. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom

1 more replies
Relevance 65.6%

I have been using zone alarm and have little or no problems with malware until today. I am constantly being told by zonealarm that this file has been removed. It's causing no problems with my computer at the moment as it's dealt with by zonealarm. But it's certainly not a good thing that it continues to return. I have tried all the usual softwares recommended here, but because zonealarm removes it straight away I haven't been able to fully remove it without risking closing zonealarm thus risking it causing problems. Any help is greatly appreciated, I'm surprised there are no topics on this.
Thanks
Malax
 

Answer:win32.beovens removal?

Malax said:

I am constantly being told by zonealarm that this file has been removed.

What file? You did not give a file name!

Note sometimes it is necessary to allow an infection to manifest itself so that it can be completely removed. We shall see after you do the below.

Sounds to me like you have a SmitFraud problem and there is a topic on this. See the Special Removal Procedures sticky (which is also mentioned in the READ & RUN ME).

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

 

1 more replies
Relevance 65.6%

I have run Spybot S&D multiple times and every time I run it, it says that Win32.AutoRun.Tmp has been deleted, but it always seems to come back when I re-run Spybot. Is there any way to permanently delete this trojan?

Thanks

More replies
Relevance 65.6%

Hi,
How to remove this Win32/Patched.HF trojan from my PC. I am currently using AVG Internet Security 2013 and it says it cannot be removed.
Please help.
Thanks
 

Answer:Win32/Patched.HF removal

follow advice here and post the logs those programs make

Did you see the big red message telling you what to do when you tried to make your first post in this topic or did you just decide to ignore it?

and tell us EXACTLY what file AVG says is infected and where it is

The detection is usually in a game or other program activation hack when somebody tries to install or use a pirated version of the game or program
 

3 more replies
Relevance 65.6%

I've recently picked up a nasty trojan and downloader that is not going away. I'm running XP Pro SP2 and my anti-virus software is NOD32. NOD32 is telling me about the trojan Win32/TrojanDropper.agent and Win32/TrojanDownloader.Small. I'm assuming the dropper is setting up the downloader after startup. I'm also assuming I got this through an outdated version of Java I was running, because it happened when I was loading a website using Java. I've since updated my version of Java to current. I've run Spybot S&D, Ad-Aware 2007, BitDefender, Panda's online scan, HouseCall, and Stinger, but none of them have successfully removed it.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:34 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlserv... Read more

Answer:Help With Removal Of Win32/trojandropper

Welcome to the BleepingComputer HijackThis Logs and Analysis forum Biermaken

My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
------------------------------------------------
Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
------------------------------------------------
Now go to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe... Read more

7 more replies
Relevance 65.6%

Every time I double clicked my local disks and removable disks, AVG notifies me about this virus and I couldn't see my hidden folders.

the logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:17:16 AM, on 2/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\Program Files\Ya... Read more

More replies
Relevance 65.6%

Hey guys, I need help removing this virus. I've tried everything within my knowledge but to no avail (maybe I'm just dumb lol). So can anyone help diagnose my Hijack this log?
Thank you.
Logfile of HijackThis v1.99.1
Scan saved at 12:11:49 PM, on 24/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\Program Files\A... Read more

Answer:Win32.Agent.pz Removal

Also here is my ComboFix log.

ComboFix 08-09-22.06 - user 2008-09-24 14:12:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1514 [GMT 9.5:30]
Running from: C:\Documents and Settings\user\My Documents\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\user\Cookies\[email protected][1].txt
C:\Documents and Settings\user\Cookies\[email protected][1].txt
C:\Documents and Settings\user\Cookies\[email protected][2].txt
C:\Documents and Settings\user\Cookies\[email protected][2].txt
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
C:\Program Files\Common Files\{38C9F~1
C:\Program Files\Common Files\{F8C9F~1
C:\Program Files\Common Files\{F8C9F~1\system.dll
C:\Program Files\Common Files\{F8C9F~2
C:\Program Files\Common Files\{F8C9F~2\system.dll
C:\Program Files\Common Files\{F8C9F~2\Update.exe
C:\Program Files\Common Files\crosof~1
C:\Program Files\outlook

----- BITS: Possible infected sites -----

hxxp://www.graboid.com

.

(... Read more

1 more replies
Relevance 65.6%

Hello

My Dell laptop is infected with the win32.delf.uc trojan and I cannot remove it. I have been reading these forums and have tried many of the solutions and I just cannot get rid of it so I decided to post for help. Here are my specs, Hijack this log and smitfraud log.

When I scan with spybot it brings up the win32 file each time. I went into the registry editor and removed them, there are two of them, but they return on restart. Also this thing has completely disabled my internet drivers so I have no internet access on the laptop and certain programs I cannot use because I cannot download the updates. Unfortunately I don't have anything to re-install the drivers for my wireless stuff, the website probably has them but there is just so many files and I don't know what I'm looking for.

If someone can help me I would appreciate it. I will be around all night doing some homework so if anyone decides to help I'll get back right away, I'll check every 5 min or so. Thanks in advance.

Dell Inspiron 9400
Windows XP home

Hijack This Log
------------------------
Scan saved at 18:01, on 2009-02-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:&#... Read more

Answer:Win32.delf.uc removal

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for p... Read more

2 more replies
Relevance 65.6%

Please help a newbie! My AVG anti-virus free software keeps detecting the win32 Cryptor virus in my temp folder in files ending with svchost.exe (File name is always C:\\WiNDOWS\temp\ random four letter name.tmp\svchost.exe and the process is C:\\WINDOWS\system32\svchost.exe and the ID is 1164). It doesn't seem to be doing anything too malicious (at least I hope) but obviously I'd rather have it removed sooner rather than later. The symptoms are that it often redirects me to spam sites when I click on links, and pop up ads have started appearing randomly. Another symptom is that in my windows/temp folder I keep having new folders created with randomly generated four letter names. This happens every few minutes, and deleting them does nothing as they just start reappearing again after a while. I feel like I have run every virus scanner under the sun and they all come up clean. I have kept Malware bytes as that was the only one to have found anything at all. I have found no help in any other online posts, so this is my last resort as I really do not want to reinstall windows. I am not sure about posting logs etc. as I am not too computer literate but I have read the instructions and should be able to follow them successfully. Thanks in advance for your time and effort!
 

Answer:Win32 cryptor removal

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a differ... Read more

5 more replies
Relevance 65.6%

Help please. I've got a virus Trojan.Win32.FraudPack.zfa I think from an email from DHL courier. I use Kaspersky Internet Security 2010 which brings it up and when I try to fix it there are 2 options 'delete archive file' and skip which is the recommended action. I clicked on skip because this was the recommended action but how can I get rid of it and clean my pc - it's not in Kaspersky's virus removal tools list. Any info would be appreciated.

Answer:Win32.FraudPack removal help

try downloading updating then running malwarebytes and then superantispyware click here

5 more replies
Relevance 65.6%

Hi my PC has been out of action for some months now.

Avast 4.8 is detecting C:\WINDOWS\system32\drivers\plvodftu.sys as infected by the Rootkit from my thread title.

I'm at a loss on how to clean things up. Firefox has been knocked out and IE only works slightly. Spam Emails are generated and sent out which Avast makes alerts for.

Feeling quite sheepish and the amateur

Please help!

Here's the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:54 PM, on 2/12/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\USB Disk Win98 Driver\Res.EXE
C:\Program Files\Common Files\Real\Update_OB\... Read more

Answer:Win32:Rootkit-gen [Rtk] Removal Help

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 65.6%

I have been through previous threads searching for solution but could not find an exact one.
I have symantec norton antivirus v10 installed on my pc. The antivirus is unable to clean it as I keep getting pop-ups from auto-protect removal. I am adding the hijackthis log file for your reference and request your guidance.

Regards,
Mandeep

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:11, on 23/03/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\CBA\pds.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\sfmsvc.exe
C:\WINNT\System32\sfmprint.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\RsFsa.exe
C:\WINNT\system32\RsSub.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
E:\Tally\tallylicserver.exe
E:\Tally\Tally9.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
... Read more

More replies
Relevance 65.6%
Question: Win32 Heur Removal

Ok so last week my antivirus program detected this threat in my computer. I have tried many different things to try to get rid of it but so far I don't seem to be successful. I have run scans with SuperAntiSpyware, Malware. I have tried to run Combofix also to fix the problem but so far it will not execute properly. Please can you help as I seem extremely stuck at the moment, my antivirus program periodically finds the file.

C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll

I also need to know whether these files are a threat or whether they are associated with Combofix:
hidec.exe
psexec.exe
psexecf.exe

I will attach all the logs I have to date... thank you in advance.
View attachment 113716


View attachment AVSCAN-20090504-144722-8F1AD360.LOG


View attachment hijackthis.log


View attachment mbam-log-2009-05-04 (01-25-23).txt
 

Answer:Win32 Heur Removal

View attachment SUPERAntiSpyware Scan Log - 05-04-2009 - 22-01-18.log


View attachment avenger.txt


View attachment DDS.txt
 

2 more replies
Relevance 65.6%

Avast has detected Win32:Tiny-ADY in my computer. I have already deleted the offending file but I fear this has spread to my computer, slowing it down. Do I still have a problem? OS is Windows Vista Home Premium. CPU is Intel® Core™2 Duo CPU E7300

Deleted all programs with the virus.... at least, those detected by avast.

Answer:Win32:Tiny-ADY removal

Hello, do you have redirects and/or pop ups?

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files... If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please scan with DrWeb-CureIt

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet. alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with Dr.Web CureIt as follows:
Double-click on the randomly named file to open the program and click Start. (There is no need to ... Read more

1 more replies
Relevance 65.6%

Hello,

I am new to this.....today I have managed to pick up the Win32/Alureon.H Trojan Horse, I have no idea how. I have carried out several security scans, 2 of which have picked it up, however were unable to remove it. I have read a lot about it and it doesn't sound good and I am really worried about losing important data on my computer. I am unable to use Windows update tool and I also keep getting random website pop-ups that I haven't clicked on. I would be so happy if someone could point me in the right direction to remove this horrible thing? I have read that cleaning the computer to factory settings may be the easiest way to deal with this. I have already carried out some of the things listed in other posts i.e. DDS and attach.txt and also the gmer scan. Please help!!!

Thanks tonnes in advance.

Elise
 

Answer:Win32/Alureon.H Removal

16 more replies
Relevance 65.6%

Hello,
My laptop has been infected with win32.zifi.b. I followed all the steps listed and ran the downloaded programs. The infection seems to be gone. At least the pop up has not appeared for the last 15 minutes. But is there any way to know for sure? I have the log file that combofix created. The only program I have not run is MG tools. Should I?

Thanks,
Sue
 

Answer:win32.zifi.b removal

Welcome! to MajorGeeks.com!

Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide


Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
To avoid additional delay i... Read more

1 more replies
Relevance 65.6%

Hi,

I am running 64-bit Windows 7. A day ago, Firefox and Internet Explorer began to crash frequently. They would operate for a few moments, then they would either crash directly to the desktop, or an error message would pop up saying that they encountered a problem and need to close. Shortly thereafter, Microsoft Forefront Client Security found a file called Win32/DelfInject.gen!CV. I imagine that my problems with the browsers stem from this virus. I completed the Windows 7 Malware removal procedure, but Forefront still detects the virus upon booting. Hitman Pro detected several malware/trojan threats. Attached are the logs requested in the malware removal instructions.

Please recommend the best course of action for me to remove this malware from my system. Thank you for your time and this wonderful resource!

YHF
 

Answer:Removal of Win32/DelfInject.gen!CV

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these detections:
[RUN][SUSP PATH] HKCU\[...]\Run : 6oXUUCv4 (C:\ProgramData\BhqOOhEPIheY\LUW6vikLqkdD\CRsZ2Lz31uYuRtT\WGqbqh9rk2n7sSU\kHj8LnB9KJ.exe) -> FOUND
[RUN][SUSP PATH] HKCU\[...]\Run : Sony-c (C:\ProgramData\sonyc.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2133070821-165314584-233933925-1000[...]\Run : 6oXUUCv4 (C:\ProgramData\BhqOOhEPIheY\LUW6vikLqkdD\CRsZ2Lz31uYuRtT\WGqbqh9rk2n7sSU\kHj8LnB9KJ.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2133070821-165314584-233933925-1000[...]\Run : Sony-c (C:\ProgramData\sonyc.exe) -> FOUND
[HJ] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Wow6432Node\System : EnableLUA (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
Place a checkmark next to each of these items, leave the others unchecked.
Now press the Delete button.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Rescan with HitmanPro.
Choose to Delete these files... Read more

5 more replies