Computer Support Forum

Trojan keeps coming back, help!!

Question: Trojan keeps coming back, help!!

I have had this trojan virus for weeks now, I have done everything possible to get rid of it. I have googled like crazy, ran AVG, Avast, Kaspersky, Spybot, spydoctor, and many more. I am so close to reformatting, but I really don't want to. Can someone please help?

I will post a HijackThis log file as soon as someone responds to this.

Please help!!!!

Answer: Trojan keeps coming back, help!!

Hello and Welcome to TSF.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new thread, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

------------------------------------------------------

1 more replies

Hi, as the topic says, trojan.agent.gen and svchost.exe are constantly detected by Malwarebytes and my other malware scanners after every restart. It's affecting my computer performance badly, especially my graphics card (it runs at 96%+ GPU load, making games unplayable). I can stop that issue from happening by reinstalling my video drivers; after I install them I get the message "svchost.exe has stopped working" from Windows, so I click on the option to close it, and my GPU load goes back to normal. Some malware/spyware scanners can remove them, but like I said, once I restart my PC they just re-install themselves and I'm back at square 1. I've tried literally everything to remove them but they just laugh at any attempt at permanent removal. If someone can help me out here I would be hugely grateful. Thanks.
By the way, if you need me to post any new information about the problem please let me know.


Answer:trojan.agent.gen keeps coming back after removal/Quarantine. Svchost.exe Trojan.

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.

Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!

In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!

If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because th...

18 more replies

 
I get popup ads and my Norton 360 is constantly quarantining files and asking for a restart.
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-10-2016
Ran by jabbe_000 (administrator) on STEPHENS (17-10-2016 18:42:36)
Running from C:\Users\jabbe_000\Downloads
Loaded Profiles: jabbe_000 (Available Profiles: jabbe_000)
Platform: Microsoft Windows 10 Home Version 1607 (X86) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
() C:\Program Files\Backblaze\bzserv.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
(Apple Inc.) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
(Microsoft Corporation) C:\Program Files\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(NTI Corporation) C:\Program Files\NTI\NTI Backup Now EZ\BackupNowEZSvr.exe
(Symantec Corporation) C:\Program Files\Norton 360\Engine\22.7.1.32\N360.exe
(Symantec Corporation) C:\Program Files\Norton 360\En...

More replies

I've been working on a user's laptop (Win XP SP3) that wouldn't boot, even into safe mode. I ran a Windows repair from a Win XP SP3 installation CD, which allowed me to at least get into safe mode. There I found several trojans and viruses, including (these are Symantec names) Trojan.FakeAV!gen29, W32.Harakit, Trojan.Gen, Trojan.FakeAV. After cleaning, Malwarebytes found registry entries for Hijack.FolderOptions and Trojan.Agent. Finally satisfied that the system was clean, I restored the drivers and downloaded and installed all the Windows updates. Both processes required several reboots. I then returned the laptop to the user. Unfortunately, I made the mistake of not running final scans of the system first. But there had been no symptoms during the system restoration, so I was lulled into what was obviously a false sense of security.

Immediately after booting the system the next day, he got an alert from Symantec AV about two infected files: DWH9F.tmp and DWH1E.tmp, both in his profile's Local Settings\Temp folder. They were identified only as "Trojans" - no specifics. He was not yet connected to the internet and had no external devices attached. Laptop back to me. Malwarebytes found two infected registry items: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) and HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent).

I'm conc...

Answer:Trojan(s?) Keep Coming Back

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that...

2 more replies

I use Windows XP Home Edition, Mozilla to browse.

About a month ago someone else was using my laptop and a bunch of infections were detected by the free version of AVG. I removed all the selected infections, then ran Malwarebytes, which detected some more things and removed them. After rebooting and running Malwarebytes again my laptop seemed clean. However, every time I have run Malwarebytes since then (about 3 times), there will be no objects detected. BUT, AVG will pop up and say there are infections on my computer. So today, suddenly a bunch of internet popups show up on my laptop and AVG also shows up with a bunch of infections. I'll list some of the trojans that have been detected by AVG.

Trojan horse Pakes.DDT
Virus found Win32/Heur
Trojan horse Downloader.Zlob_r.EX
Trojan horse SHeur2.YNO
Trojan horse Small.BHD
Trojan horse Pakes.DDT
Trojan horse SHeur2.ZZF
(then there were a bunch of tracking cookies detected by AVG)
Trojan horse Agent2.DZZ
Trojan horse Generic13.ADTY
Trojan horse Agent2.EJA
Trojan horse Downloader.Generic8.AHTY

Answer:trojan that keeps coming back?

Run scans with Super Antispyware free and MalwareBytes AntiMalware free. Links to download and instructions in link below. Be sure to update both programs after downloading, installing and before scanning.

http://www.bleepingcomputer.com/forums/ind...t&p=1087935

Follow the instructions and post the logs in your next reply. Note that Super Antispyware scan is best run in safe mode per instructions.

16 more replies

Hey everyone, I'm new here but not to viruses. My weakness however happens to be dealing with Trojans...and this one is no exception! I've run every anti-spyware/malware/trojan program you can think of (Most of which won't update) and only Malwarebytes finds the Trojan...but when I remove the registry keys they are back within seconds.

Here is the MB log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

4/21/2010 10:56:25 PM
mbam-log-2010-04-21 (22-56-25).txt

Scan type: Full scan (C:\|)
Objects scanned: 150405
Time elapsed: 10 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.166.105 93.188.161.105 1.2.3.4 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{f6294753-90ce-45bb-a75c-e1c2e170fd1d}\DhcpNameServer (Trojan.DNSCh...

Answer:Trojan - Just keeps coming back.

Welcome to Major Geeks!

The infection you have is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

If the above does not fix your problem, continue on with ALL of the below. Please note not to post any logs inline with your message like you did with the Malwarebytes log.


Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide



and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us w...

8 more replies

Hello, everyone. After running Spybot, Ad-Aware, Norton Anti-Virus Corporate Edition, The Cleaner, and other anti-virus programs, a virus keeps coming back on my computer. I've updated all my anti-virus software, but the ads keep coming, loading links and programs (mostly toolbars like Lycos SideSearch, Hotbar, SuperBar, and Wubar) into Internet Explorer and on my desktop. I've followed a great deal of instruction from members of this board, but it keeps coming back. I have posted my Hijack This! log below, so hopefully someone can figure it out. I do not know the name of this virus/trojan/worm, so I cannot pinpoint it down and find info on it elsewhere. This morning when turning on my computer, there were over eight new icons on my desktop, most of which seemed to be from the same company. Titles like "casino online", "travel", and "card games" were beneath the icons, and I believe the host name (according to Ad-Aware) was Wubar or something of the sort. To anyone who can help figure out how to get rid of this pest, please let me know. Thank you.

Logfile of HijackThis v1.97.2
Scan saved at 10:00:27 PM, on 9/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\sp...

Answer:Trojan that keeps coming back....

6 more replies

Hi all,

I have been suffering from a problem which is driving me crazy. For a while now, Symantec alerts me that it found a Trojan Horse and a virus W32.IRCBOT. It quarantines them but never deletes them. I usually go and delete them manually. Once I restart my computer the viruses come back again.

I have tried an online scanner (F-Secure); it found several viruses and renamed them without deleting them. This did not solve the problem. I also ran it in safe mode, but still Symantec always finds it again.

I noticed that when I am not connected to the internet, through a wire or any way, Symantec does not prompt me about the viruses after I delete them from quarantine.

Below is my HijackThis log.

----------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:45 AM, on 1/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\...

Answer:Trojan Keeps coming back

Problem solved using Malwarebytes anti-malware.

2 more replies

Trojan horse downloader Generic13.BVUR keeps reappearing after deleting it in AVG. Please find attached files as requested.

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
Processor: AMD Athlon(tm) II X2 215 Processor, AMD64 Family 16 Model 6 Stepping 2
Processor Count: 2
RAM: 3839 Mb
Graphics Card: ATI Radeon HD 3200 Graphics, 256 Mb
Hard Drives: C: Total - 595439 MB, Free - 508533 MB;
Motherboard: Dell Inc., 0F896N
Antivirus: AVG Internet Security 2014, Updated and Enabled

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: BrowserJavaVersion: 10.51.2
Run by Wells at 11:36:29 on 2014-02-13
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3839.2048 [GMT -8:00]
.
AV: AVG Internet Security 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: IObit Malware Fighter *Enabled/Updated* {A751AC20-3B48-5237-898A-78C4436BB78D}
SP: AVG Internet Security 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
FW: AVG Internet Security 2014 *Enabled* {36AFA1E1-4CDC-7EF8-11EE-C77C3581ABA2}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2014\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2014\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\...

Answer:Trojan keeps coming back.

16 more replies

I have had this trojan virus for weeks now, I have done everything possible to get rid of it. I have googled like crazy, ran AVG, Avast, Kaspersky, Spybot, spydoctor, and many more. Done in safe mode as well as normal.
I am so close to reformatting, but I really don't want to. Can someone please help?

Most of them seem to be system32 files, and weird .dll files.

Symptoms include: lagging of computer. Random IE pages will load, when I do not use IE, I use Firefox Mozilla. And randomly AVG Free will pop up and say trojan found. And the trojan will automatically turn off my AVG Free or firewall and I am forced to turn them back on myself.

If more information is needed, let me know.

Here is my DDS log.



DDS (Ver_09-05-14.01) - FAT32x86
Run by Cody Crulz at 15:57:28.18 on Wed 20/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.235 [GMT 10:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spy Emergency *enabled* (Updated) {82117492-906E-4b02-A33A-84D42A2DD907}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {FDFE477F-8FE7-4B17-A05C-9D1F9EB603CB}

============== Running Processes ===============

C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\Program Files\...

Answer:Trojan keeps coming back!!!

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

...

8 more replies

OK, I have run Ewido, Cleanup, and Killbox and the trojan changed its name on the second log.

PLEASE HELP.... Hijack this file:
Logfile of HijackThis v1.99.1
Scan saved at 8:03:30 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Answer:Trojan keeps coming back

7 more replies

This is the 3rd time in maybe 3 weeks I've seen this.

My AVG anti virus scan comes up (though I don't have it scheduled to scan at a certain time) and starts running, showing in a small box, "changes and threats".

It has CHANGE

C\WINDOWS\SYSTEM32\KERNAL32.dll
and also the same with

user.dll
shell32.dll
ntoskml.exe

and: TROJAN HORSE GENERIC_CEQ in MY DOCUMENTS\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT IE5\030MDFWH\MOVIE(1).qtl

Usually I either delete the temp files and/or wait for the AVG to finish and get rid of it.

But, I notice it's doing it again, now. I'm not sure if this is the exact same changes and trojan name as the previous times, but I remember there were changes, and a trojan and it was in the TEMP files.

I get movies from Netflix and play them on the computer, but I've been doing this for 1 1/2 years and this (trojan) just started a few weeks ago. That's the only connection I can think of to "movie". I have dialup and have a hard time watching things on YouTube so don't do that much. I did try and download a free movie from a site that was passed around, but that was 2-3 weeks ago, and after seeing how big it was, and figuring it would take 2-3 months to ever download it (if I could leave the internet on, without getting knocked offline that long) I gave up.

Since this is in the temp files it will get dumped when I clear these, or AVG will take it out, but I'm wondering why it comes back in the fi...

More replies

here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1823
Windows 5.1.2600 Service Pack 2

3/5/2009 9:18:09 PM
mbam-log-2009-03-05 (21-18-09).txt

Scan type: Quick Scan
Objects scanned: 65386
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\meI6qj75.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Answer:trojan keeps coming back!

Please print out and follow these instructions: "How to use SDFix". When using this tool, you must use the Administrator's account or an account with "Administrative rights".

Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.

If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.

Please copy and paste the contents of Report.txt in your next reply.

Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

10 more replies

So my problem is, 3 same trojans keep coming back after I remove them with Malwarebytes. I have tried 6 times with MBAM to remove the trojans, but they just come back. Also I do not know if this is related to the Trojans, but for some odd reason, my P2P program utorrent does not work anymore. I try to execute it, but nothing happens. So I tried to uninstall it, but it wouldn't let me and I ended up just deleting the actual folder with all the files. Another program I have trouble with is a game client file (.exe). I downloaded it off the correct site and I'm pretty sure it's clean, but just like the utorrent problem, when I try to execute it, nothing happens. It just stands there. Help would be appreciated.

Other info: I run on Windows XP Professional and I currently don't have an anti virus and I doubt I can get any in the near future with this computer, as this device is essentially ancient. The computer would be slow at incomprehensible speeds, so that is why I don't have an anti virus.

MBAM

Malwarebytes' Anti-Malware 1.44
Database version: 3747
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

2/19/2010 8:49:32 PM
mbam-log-2010-02-19 (20-49-32).txt

Scan type: Quick Scan
Objects scanned: 124567
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:...

Answer:trojan keeps coming back.

Uggh, there seems to be another problem now. My computer is running slower than usual. Could this be the effect of the svchost.exe trojan?

3 more replies

Hi. My problem seems similar to what others have posted, but I know that each system is unique.

It seems like I am infected with some sort of malware. I was phished, but my Norton Symantec caught the trojan. However, now every two or three days the trojan comes back, only there are more and more of the infection. I tried a number of malware removal programs, which frequently find a problem. However, it has not solved the fact the trojan returns again in greater number in two or three days.

Thanks.

Below is my DDS file:

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by XXXXXXX at 15:56:52 on 2012-10-31
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.6118 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe
C:\Windows\...

Answer:Trojan keeps coming back

Interestingly, I just ran rkill.exe and the problem returned. So, a number of "tmp" files were created in my users/MYNAME/AppData/Local/Temp folder.

The rkill log was:
Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/31/2012 09:50:47 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\XXXXXXX\Desktop\rkill\rkill-10-31-2012-09-51-01.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

* gpsvc =&g...

34 more replies

Last night I managed to remove an Adware Virtumundo problem using HijackThis, VundoFix, CleanUp! and an online scan.
I am now continually receiving a message from McAfee that a Trojan named "Exploit-ObscuredHtml" has been cleaned and deleted. The message has popped up several times, each with the same trojan virus name. Please help me get rid of it for good!

Also, here is my latest HJT report

Logfile of HijackThis v1.99.1
Scan saved at 4:56:54 PM, on 10/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA...

Answer:Trojan Keeps Coming Back

16 more replies
Relevance 66.42%

Hi,

I have run an AVG scan several times and it keeps finding a Trojan virus. I also get warnings of infected files from time to time. They are usually in the Temporary Internet Files, System Volume Information, or System32 folders. Some of the names it finds are "Virus found Lop", Trojan Horse Generic10.SY, Trojan Horse Generic10.AEV.

I tried Super Anti Spyware and HJT but the Trojan keeps coming back. I have posted my HJT log below. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:15 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoi...

More replies
Relevance 66.42%

Hello,
Yesterday my computer started acting up. It said that the Windows firewall was turned off (even though I didn't turn it off) and now it's saying automatic updates has been turned off (even though it's turned on). I've scanned the computer with ad-aware, AVG and my Norton antivirus. I've removed trojans at least three times. However, random IE windows keep popping up with fake antivirus dialog boxes. I'm not sure what else to do. Below is the HJT log. Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:05 AM, on 12/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost...

More replies
Relevance 66.42%

I get this every night have put it in virus vault in AVG, turned off system restore ran Malwarebytes and removed it and it has come back 3 nights in a row.. This is what reads in vault, Trojan horse Download.Generic9.YHX Path: WINDOWS\system32\sshnas.dll. Ran hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 10:05:35 PM, on 12/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Suzanne Wells\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Progra...

More replies
Relevance 66.42%

Hi, everyone. I have something Malwarebytes calls Trojan.BHO that I can't seem to get rid of. Malwarebytes apparently gets it but it always ends up reappearing after a couple of reboots.

I think it first showed up on the 14th of February during a routine checkup. It wasn't until after I tried to get rid of it that I started having problems.

For whatever reason it wouldn't allow me to launch either Firefox or Chrome - in fact, the folders where they were installed were off-limits to all users, regardless of their administrator status. I could temporarily gain control of the folders by running Malwarebytes and have since uninstalled both.

I can still run IE, but -

1. Whenever I try to open a link on a new tab, it will ALSO open a new window. Yes, I checked the settings, and it's definitely the trojan since this behaviour goes away - temporarily - after I run Malwarebytes.

2. The Trojan also shows up as a toolbar add-on for IE ("jscript proxy auto-configuration"). It claims to be by "(unverified) Microsfot Corporation" and the option to disable it is greyed-out. The only way to get rid of it is to run Malwarebytes but, again, it comes back after a couple of reboots.

3. It doesn't do anything else that's noticeable. There's nothing on my toolbar, no pop-ups, no redirecting, etc.

If it matters, I have tried running Malwarebytes under safe mode after disabling system restore (that was following someone els...

Answer:Trojan.BHO keeps coming back

Hi and welcome.

Re run Hitman Pro and have it delete everything it finds.

Delete these:

C:\Program Files (x86)\GUM4751.tmp
C:\Program Files (x86)\GUT4752.tmp


Please download Junkware Removal Tool to your desktop.

Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Attach JRT.txt to your next message.



Re run Malware Bytes and attach the new log.

Now explain how things are.
 

3 more replies
Relevance 65.6%

Hi,

I have an amazingly annoying problem which keeps coming back (even after windows format). I keep getting errors which won't allow me to start, open, delete, or install files. Just messes up the whole system.
The errors are:
When I want to install program - Nothing happens OR Internal Error: Failed to expand shell folder constant "userappdata"
When I want to start program - Nothing happens OR mpr.dll is missing OR netutils.dll is missing
If I want to delete a program - "An error occurred while trying to uninstall program. It may have already been uninstalled"
Startup programs won't start - netutils.dll is missing OR mpr.dll is missing

I did a fresh install on my SSD, everything was working great but after couple of days it came back.
What's going on here?

Answer:Virus/Trojan keeps coming back?

Sounds like a bad installation. Where did you get your Windows 7 installation media from?

7 more replies
Relevance 65.6%

Hi guys, i tried googling for answers and remove them but the browsela trojan alt.exe C:\WINDOWS\adsldpbf.dll1 keeps coming back, pls help me... i appreciate ur help... thanks man


Logfile of HijackThis v1.99.1
Scan saved at 3:36:58 AM, on 1/15/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.e...

Answer:browsela trojan, alt.exe keep coming back

11 more replies
Relevance 65.6%

Hello,
I'm new here and all out of options. I apparently have this Trojan.Virtumonde on my PC that keeps coming back even after it seems to have been caught and disposed of by my Spyware from PC Tools because Trend Micro's Internet Suite couldn't seem to locate anything. I also can't enable/start my Automatic Updates. In addition I've tried VundoFix and VirtumundoBegone which didn't work either. Below is the log from Trend's HijackThis I just ran. Please help me out to get rid of this awful virus....I'm almost at the point to can this PC and just buy a new one.

Thanks,
David Lohouse

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:44:28, on 7/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\V...

Answer:Trojan Virtumonde keeps coming back

Okay, I seemed to have solved this problem myself. First, I got rid of Trend Micro's Internet Suite since it did nothing to protect or rid me of this virus. Then I purchased PC Tools Spyware/Antivirus, Firewall, and Desktop Maestro (which includes registry cleaner). Total cost ran me just over $100 but much cheaper than buying a new PC. I disconnected the PC from the Internet and ran PC Tool's Spyware Doctor. It caught everything and deleted it. Then I ran its registry cleaner and wow...was I surprised to find over 600 problems which it fixed by either deleting or repairing just by the click of a button. I rebooted with connection to the Internet and have no more issues....their firewall is awesome by the way, not letting anything suspicious in or out without your consent. Way to go PC Tools as I was already searching for a new PC on payday if I couldn't repair this issue.
 

1 more replies
Relevance 65.6%

Hi all,
I would appreciate any help in removing two Trojan Agents. I got them while trying to watch a streaming video.

I have used the following to get rid of this: Malwarebyte's Anti-Malware, Super Anti Spyware. and Symantec AV. I ran the scans in safe mode with system restore disabled, but the Trojan keeps coming back in the same place after it is deleted by MBAM.

I have Windows XP SP3.

Thank you.

Mytrom

Answer:Trojan Agent keeps coming back.

Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails. Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to check for database updates through the program's interface (preferable way) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

8 more replies
Relevance 65.6%

I dl'd the dss.scr but it would not run! Something to do with the virus I think! However, I do have a hijackthis log and the rootrepeal logs...

Background... Running DrWebcureit in safe mode tells me I have Trojan.pws.panda.122 in RAM and it gets rid of it (second run confirms it). A full system scan detects no virus. Re-boot to safe mode, re-run DrWeb and virus is back in memory...

Another feature... Task Manager and Registry Tools are disabled. Using RRT demo I can re-enable them for a second before they are disabled again.

Logs....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:58, on 08/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\...

Answer:Trojan.pws.panda.122 - keeps coming back!

Hello,

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

My name is Syler and I will be helping you to solve your Malware issues. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic. If you still need help, please let me know what issues you are still having in your next reply.

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Then please post back here with the following:
log.txt
info.txt

Thanks

2 more replies
Relevance 65.6%

Hi Guys,

My pc was infected by a few viruses, including netsky...have cleaned it, running symantec enterprise v11 and system restore is off. Each time the machine boots up it picks up irc.trojan and symantec quarantines it. What could be the cause ?

Need help reading this log - if you see any discrepancies please advise...

Logfile of HijackThis v1.98.2
Scan saved at 19:14:14, on 2008/10/14
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\hasplms.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Pr...

Answer:trojan keeps coming back onto machine

Hello and Welcome, ranz. Apologies for any delay in replying, but we have been rather busy lately.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------------------------



Quote:
system restore is off

Please re-enable System Restore now. Contrary to information on Symantec's pages, turning off System Restore while infected is NOT a good idea. Those of us in the malware removal community agree on this. An infected restore point is better than none to fall back on should things go wrong. Purging old, possibly infected System Restore points and setting a new, clean one after malware removal is the preferred procedure.



If you still require assistance with this issue, and since it's been several days since your original log was posted, please do this:
Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.
To attach a file to a new post, simply Click the [Manage Attachments] butt...

5 more replies
Relevance 65.6%

Hi, been having this problem for a few days now. I have done safemode virus scan, spyware scan both in safemode. Registry fix too. The virus is stopped by zonealarm but once it didn't stop it and my programs say empty from the start menu, desktop background changed, browser redirects. Have changed all my passwords but it still keeps coming back. Usually says trojan downloader js iframe just now when i got the email to activate my account here i got this one Trojan-Downloader.JS.Agent.fyk was found in C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\UYFOKBJ8\index[3].htm on 5/28/2011 10:50:00 (quarantined in zonealarm.) Here is the hijack this file. Thank you so much for any help!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:53:29 AM, on 5/28/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connec...

Answer:trojan downloader keeps coming back

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator...

2 more replies
Relevance 65.6%

hi there,

i'm trying to find out why the heck my taskmanager won't open (even clicking on tskmngr.exe doesn't do anything). found a couple of trojans on my computer when i ran a scan with avast. oops! i think i deleted them, but i can't be sure. hijackthis showed this ridiculous "msupdate", which is said to be dangerous, or is it? i don't know. i think it's best if i post my log file. please help me clean my computer, i'll be eternally grateful for all your help and advice thanks

Logfile of HijackThis v1.99.0
Scan saved at 21:28:32, on 13.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Programme\Alwil Software\Avast4\aswUpdSv.exe
E:\Programme\Alwil Software\Avast4\ashServ.exe
D:\NORTON~2\GHOSTS~2.EXE
D:\Daemon-Tools\daemon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\S3hotkey.exe
C:\WINDOWS\System32\S3tray2.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\QuickTime\2\qttask.exe
D:\Programme\Zone Labs\ZoneAlarm\zlclient.exe
C:\Programme\MsUpdate\MsUpdate.exe
C:\WINDOWS\System32\scvhost.exe
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programme\Web\Webshots\webshots.scr
E:\Programme\Alwil Software\Avast4\ashW...

Answer:Solved: Trojan keeps coming back

16 more replies
Relevance 65.6%

Hello,
I was recently browsing the internet and all of a sudden a green icon mimicking the windows update shield appeared on the system tray. It claimed that I was infected and a fake anti-virus program ran called Antivir Pro. I didn't click on its links to an obviously dodgy website but it infected me anyway. It changed my proxies so that I could not use my browsers so I fixed those so I could research what was going on.

Before I figured out about the proxies I turned on my netbook and that almost got infected too! The same situation with the fake shield but as soon as it happened I shut it down, and since scanning it, it has been fine.

My PC however is not. I restarted it after the virus infected and in normal mode the virus would not allow any .exes to execute. Therefore I could not run Malware Bytes which I found would get rid of it. Therefore I logged into safe mode ran Malware Bytes full scan and it got rid of a trojan called Fakespypro. Went back into normal mode and scanned fully again and it found some more things. After that everything was ok until the next day.

The next day I ran Microsoft Security Essentials, and did a full scan however as soon as it discovered the trojan fakespypro the virus came back AGAIN! It is almost as if because it found it, it triggered it again. My friend said it must be hiding somewhere so he suggested deleting entries in my system restore by turning it off and on then rescanning etc. I rescanned with Malware Bytes and sinc...

Answer:Trojan: Fakespypro keeps coming back!

72 Hour Bump

12 more replies
Relevance 65.6%

My Malwarebytes continuously detects a c:\windows\svchost.exe as a trojan threat and quarantines it but it keeps coming back. I've seen that help that others have received on this forum with the same issue and was wondering if someone here would be gracious enough to help me out. I start a virtual college class this week and need to get this taken care of asap.

I have run SuperAntispyware, Malwarebytes, AVG, AdwCleaner and Rogue Killer while at work today. All said they did their job except Rogue Killer... limited internet access. Got "ZERO ACCESS" cue from RK. Malwarebytes continually detects "C:\Windows\svchost.exe"

I did a drive search under "my computer" and have come up with several svchost.exe incidents. Only 1 or 2 of which are actually in System32. Not sure if simply deleting the others would help or cause more trouble.

Thanks very much in advance to anyone willing to help

Burk
 

More replies
Relevance 65.6%

I've tried most things I can think of to clean this thing off here, but it keeps coming back after a day or 2. The user is having no problems on the computer except for the virus tries to add an autorun command at windows startup and the AV keeps taking the file away. So there is a file not found error or two at startup.

I've tried the usual malwarebytes scan, regular SEP scans, and ESET OnlineScan.

Also gmer is blue screening the computer so I've not been able to get a clean run, but I have a partial log.

And yeah, I ran combofix a while ago too... I really hate relying on the helpers here to fix things. (When is the training program going to have some free slots?)

Thanks in advance

DDS (Ver_10-03-17.01) - NTFSx86
Run by dustin at 12:26:18.81 on Tue 09/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1298 [GMT -7:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bi...

Answer:Trojan.Zefarch keeps coming back

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...

15 more replies
Relevance 65.6%

OS is Win XP Home with SP3 and McAfee identifies and quarantines Vundo!grb but it keeps coming back. McAfee shows original locations as C:\WINDOWS\system32. File names are random with .dll or .tmp extensions. I'm experiencing pop ups that usually advertise some type of virus scan software and have had the computer freeze a couple of times in the last three days. I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it?
Here is the DDS.txt copy:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bob Swanson at 9:14:21.45 on Fri 03/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2884 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmo...

Answer:Vundo!grb trojan keeps coming back

Hello and welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------


Quote:
I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it

That can always be a possibility but there are many different ways you can get infected nowadays. P2P is just one of many different ways, sadly.

---------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

19 more replies
Relevance 65.6%

I have Symantec CE, Adaware, Spybot S&D all installed on a new WinXP Pro machine. I have run everything from safe mode and it just keeps coming back. Here is my log file. Any advice would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 12:31:05 AM, on 10/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1150209668\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\{2C446710-08A2-1033-0116-060901050001}\Update.exe
C:\WINDOWS\system32\ctfmon.ex... Read more

Answer:downloader.trojan keeps coming back

I'd like you to rename HijackThis.exe to GRich.exe. Navigate to C:\Documents and Settings\GRichburg.NETRICKS\My Documents\Business\HijackThis.exe
Right click on HijackThis.exe
Select 'Rename'
Type in GRich.exe
Press Enter.

Post a new log with this renamed executable.

1 more replies
Relevance 65.6%

I use Avast 4.8 to check my system and first tried a "move to virus chest" when I was notified I had a virus. When I "move the virus to the chest" it just keeps coming back as a new virus almost immediately with the virus warning. Then I tried the "repair" option in Avast, but it always said an error has occurred... File name was: C:\System Volume Information\ _restore{7F7BE6F8-0D6A-488B-ABD ... Note Malware name: Win32: Trojan-gen(other)... I ran HijackThis and here is the log....

Please walk me through as I'm a novice on this computer stuff... thanks in advance...

Geof

Logfile of HijackThis v1.99.1
Scan saved at 8:38:24 PM, on 11/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps... Read more

Answer:Trojan virus keeps coming back!

11 more replies
Relevance 65.6%

Good Evening from Scotland

I am having a bit of a nightmare with the above and wonder if you could help. This started about two or three weeks ago - probably as a result of another user being on messenger / facebook and the likes.

I have been running AVG (free) 9 but it did not see it coming !

First signs of problem was when I clicked on a Google search result and was regularly redirected. I was eventually sent to a page which said my security had been bazooka'd by someone and gave me an email address to contact. I should have taken details but didn't.

I eventually downloaded Microsoft Security Essentials (MSE) and it found the trojan when I start the computer. It either suspends or removes it and then asks for a computer restart to complete the process. If I use the internet at this point it seems ok with no redirect but I am not sure what is happening in the background and the processor/fan seems to be working in overdrive.

On restart the trojan is back - MSE finds it and suspends or removes it and asks for a restart and we are back on the merry-go-round.

I regularly get an error message on restart saying MSE could not complete the process.

I followed all of your instructions in the Windows XP Cleaning Procedure Section. Before running anything I disconnected from the internet (unplugged from wireless box) but I did not run the programmes from safe mode - just normal.

Everything went fairly well until I started using ComboFix. It o... Read more

Answer:Trojan:DOSAlureon.A Keeps Coming Back

Final log attached

thanks

Davy
 

7 more replies
Relevance 65.6%

I've been running Malwarebytes Anti-Malware and every time I press "remove selected" the entries return upon reboot. I've reset my router and tried again, and it's all very exhausting. Here are my MBAM and Hijack This logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 2

12/29/2008 6:26:02 PM
mbam-log-2008-12-29 (18-26-01).txt

Scan type: Quick Scan
Objects scanned: 53231
Time elapsed: 4 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 14
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.150;85.255.112.106 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9e03f8a5-21dd-4568-bf12-531fa1975c83}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.113.150;85.255.112.106 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9e03f8a5-21dd-4568-bf12-531fa1975c83}\NameServer (Trojan.DNSChanger) -> Data: 85.255.113.150;85.255.112.... Read more

Answer:Trojan.DNSchanger keeps coming back

Nevermind, problem solved.
 

1 more replies
Relevance 65.6%

I have had three Trojan.BHO items showing up in Malwarebytes scan. Even after deleting the malware several times, they return. I've read a lot of posts on several blogs about ways to REALLY delete the malware and the most hopeful said to run Hijack This. But after running the program, I get a warning to have some expert help reading the log file to determine which files to delete. Can you help with this? Here's the log.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:19:27 PM, on 10/3/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\Ra... Read more

Answer:Trojan.BHOs keep coming back

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

3 more replies
Relevance 65.6%

Hello,

I am having an issue very similar to other people on this forum where my search links on Google and Yahoo are being redirected. I am able to remove the malware by running MBAM, but the problem keeps returning on re-boot. I also find the same issues as others in my HJT logs.

I don't really know exactly what to do in my case though. Please help.

J
 

More replies
Relevance 65.6%

Hi,
I deleted a few files in safe mode, but now every time I log on to the internet 2 things happen: first Explorer starts a page 'freeweb' and after that Norton detects trojan lowzone (2 times) and deletes it. But when I start the internet again the same pattern happens... here is my HJT log, please tell me what to do to erase that trojan once and for all... (a step by step procedure because I'm not that great with computers)
Thanks/Merci

Logfile of HijackThis v1.99.1
Scan saved at 10:35:28, on 2005-05-30
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\ASSIST~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\Logitech.exe
C:\WINDOWS\System32\vhau.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPMon32.exe
C:\Program Files\Fichi... Read more

Answer:trojan lowzone keeps coming back

9 more replies
Relevance 65.6%

I've had malware before and tried the same fixes and more but nothing works...I went to a website and all of a sudden windows media player started and that's when the issues began. Here is a list of symptoms on my Dell/Windows XP system:

- Cannot visit certain websites like microsoft, mcafee, etc
- Launching control panel triggers the trojan. IE did as well until I uninstalled version 8 and reverted to 7 and now the issue above seems to be resolved (unless I use control panel)
- Now when I launch windows media player it fails with a message that says version 9.0.0.4503 was expected instead of 9.0.0.3250
- Cannot run System File Checker at all (even safe mode)

I tried combofix, avira, eset, gmer, tdsskiller and they all detected and cleaned some offending files but they keep coming back!! I would really like to fix this in a way that lets me keep all my files!

Thanks

Answer:Please Help - Trojan/Zero Access keeps coming back

Hi,

Please do the following:

Please download DDS from either of these links
LINK 1 LINK 2
and save it to your desktop.
Disable any script blocking protection
Double click dds to run the tool.
When done, two DDS.txt's will open.
Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt.

NEXT

Please download aswMBR to your desktop.
Double click the aswMBR.exe icon to run it
When asked if you want to download Avast's virus definitions please select Yes.
Click the Scan button to start the scan
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well

NEXT

For 32bit systems please download Listparts
Run the tool, check the "list BCD" box, click "Scan" and post the log (Result.txt) it makes.

23 more replies
Relevance 65.6%

I've got a very irritating Trojan Horse on my computer. I don't even know how the virus got on my computer. I've got no idea where it's coming from. My Norton scanner keeps deleting the Trojan, but the Trojan keeps getting back. My Norton is making about 2100 quarantined items a day, from the same virus. It seems like it's stuck in Norton itself. Tried deleting all temp files, cookies and stuff, turned system restore off, seems to have worked for a few hours, but now the virus is back. Got no idea how it keeps returning while i deleted it. Can anyone help me?
 

Answer:Trojan Horse Keeps Coming Back.

11 more replies
Relevance 65.6%

norton antivirus keeps saying I have trojan lowzone.. have run lavasoft, spybot, cclean. at least now the stupid freeweb popup has stopped coming back.. LOL
this is what I got after running TD3

Scan Control Dumped @ 13:39:02 13-07-05
Positive identification: Adware.Sahat.ag
File: c:\windows\system32\pg5bscto.exe

Positive identification: TrojanClicker.Win32.Small.dw
File: c:\msdcom.exe
so what should I do next??
 

Answer:trojan lowzone keeps coming back

Hi and welcome to TSG,

I have split you off into a thread of your own.

Please do this. Click here to download HijackThis.

Close all open windows and open HijackThis. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to Notepad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
 

1 more replies
Relevance 65.6%

Hello,

I've been trying to get rid of this trojan for the longest time now and have been out of luck. I've run ATF Cleaner, Malwarebytes, & Combofix both in safe mode and in normal mode, with MWB & ComboFix continuously deleting a file in programdata called api-ms-win-core-localregistry-l1-1-032.dll only to see it pop up and quarantined again. My Avast anti-virus will often times pop up and alert me that it has blocked Trojan.Tracur as it is trying to activate or something. I've been very reluctant to go on any site (except this one) that may require a password since this bad boy showed up. Luckily, I haven't encountered any type of Google re-direct or anything like I've read from some of the Tracur posts here and my computer seems to function like normal other than the avast and malwarebytes alerts. Please see my DDS log and attachments below.

.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_20
Run by Administrator at 23:51:45 on 2011-08-22
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.14326.12058 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:&#... Read more

Answer:Trojan.Tracur keeps coming back

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/415728 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Relevance 65.6%

hi, i use windows xp and i recently encountered a virus. my antivirus software, avast!, called it Win32:Trojano-207 [Trj]. i tried to delete it but a few seconds later the warning message for the same virus popped back up. i tried to do a startup scan but that also didn't work. i used adaware and also spybot but nothing worked. can someone please help me here! thanks in advance!

Logfile of HijackThis v1.98.0
Scan saved at 12:34:15 AM, on 7/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

i really appreciate any help!
 

Answer:trojan virus keeps coming back!

7 more replies
Relevance 65.6%

I have tried running malwarebytes, in safemode and normal mode. MB sees it and removes it and request a reboot. However, it keeps coming back. I will post a hj report in the morning
 

More replies
Relevance 65.6%

Hi,

I have norton anti-virus installed on my machine and it keeps on saying that I have trojan.vundo, trojan.vundo.b, downloader, and trojan.Metajuan. It says that it is deleted and needs to reboot but after I reboot my machine, those viruses keep coming back again. I already tried Symantec removal tool FixVundo.exe, VundoFix.exe, VirtumundoBeGone.exe. I also followed the instruction on turning off the system restore, boot in safe mode, and all other stuff. This is very annoying and I have been dealing with this for several days already. And I think my machine is getting worse. I keep on getting pop up windows, buffer overrun which closes other application like windows explorer, and now when my machine starts, it stays blank until I hit ctrl+alt+del to go to task manager and run the process explorer to display my desktop. But I'm afraid that it is doing something serious on my computer. I hope someone can help me asap. Please. Please find the texts from main.txt below and I also attach the extra.txt.


Deckard's System Scanner v20071014.68
Run by sherwin.cua on 2008-02-29 10:59:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-02-29 15:59:23 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-02-29 01:... Read more

Answer:Trojan.Vundo keeps coming back

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

If you already have HijackThis installed, please skip this step.

Download HJTInstall.exe to your desktop.
Doubleclick HJTInstall.exe to install HijackThis.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Save it to a convenient location.

Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Step 2

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.
On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
When the cleaner has completed, click Tools in the Left Pane.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save, then exit Ccleaner.

Step 3

Please visit this webpa... Read more

9 more replies
Relevance 65.6%

AVG keeps finding trojans, and they keep coming back.

system32\routing.exe system32\perfs.exe system32\indt.sys

downloader generic6 clicker.ksu

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:52 AM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Fil... Read more

More replies
Relevance 65.6%

Hi i am a first time poster here. My brother recommended i come here for help with this virus problem i have been having which drew me here.

I am running Windows 7 Home Premium Service Pack 1, 64-bit operating system.

Now on to what I have done so far. I got this virus I think a month back, not entirely sure when. I noticed something was up when my Google searches were getting hijacked. I noticed before every misdirect dbgame.info would pop up in the address bar. So I ran a Vipre anti virus scan, first normal, then a safe mode scan; nothing came up. So I tried changing antivirus over to Webroot Secure Anywhere Essentials; still nothing turned up. I spent the next few days obsessing about dbgame.info trying to find out how to get rid of it, but everything I found said I needed to go into the registry to remove it, which I did not feel comfortable doing. Eventually my uncle recommended I try using the trial version of Malwarebytes, which detected something called trojan.agent (2 instances). I assumed that was it so I removed it. I reconnected my computer to the internet and it seemed fixed for a few min but then it started redirecting again, so I tried a safe mode scan; it found trojan.agent again (2 instances), so I disconnected from the internet and used a friend's laptop to post here. I am sorry if I forgot to post information needed.

Answer:Trojan.Agent keeps coming back

Trojan agent is what it means. It's a Trojan Virus. It's a very serious matter. Remove it with Malwarebytes and immediately run another virus scan such as Comodo free. After confirming you don't have any more traces of the virus I would then change all of your passwords for all of your websites. Start with the critical ones first such as banking and email. Good luck.

13 more replies
Relevance 65.6%

The file mljgd.dll keeps coming back whenever it gets removed by vundofix. Please help! On another note, every time I start my computer and open up task manager, a bunch of MSwin.exe start popping up.

Here is my HijackThis logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:54 AM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Syste... Read more

Answer:Trojan Keeps Coming Back Even After Vundofix

Hi, and Welcome to Bleeping Computer. My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

As I am still training here, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

Sorry about the delay in responding. If you still need help:

Show all hidden files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Cli... Read more

2 more replies
Relevance 65.6%

help please it keeps coming back when I've cleaned deleted it many times
http://img366.imageshack.us/img366/7034/trojanov9.jpg

together with this error
http://img373.imageshack.us/img373/5444/mutexpn6.jpg
 

Answer:help please backdoor trojan keeps coming back

16 more replies
Relevance 65.6%

Hello everyone, I'm new here and have been having a bit of a problem. I've been trying to get rid of this trojan that keeps popping up the last few days. Trojan.Win32.Monder.gen, and today I had this pop up:
virus Net-Worm.Win32.Bobic.ff. Anyways I'm running Kaspersky Anti-Virus 7.0 and tried to run in safe mode scan but takes an incredible amount of time accomplishing 3% overnight! So I end up canceling it in the morning. The win32.monder.gen trojan keeps returning daily about 2 or 3 times with Kaspersky claiming it's detected but cannot be disinfected, so I delete every time but it comes back. What can I do? Also I had read a little piece somewhere if I'm not mistaken that this trojan might be heavy Adware. The reason I ask is because my sister wants to pay some bills and is asking me if it's okay to put payment info on there right now, is it safe to purchase anything on my PC right now? Thank you for your time, any help would be greatly appreciated

Answer:Trojan Problem Keeps Coming Back

As a precaution I wouldn't purchase anything on that machine until it was clean.

Run a full system scan with Malwarebytes' Anti-Malware in Normal Mode (Instructions).

14 more replies
Relevance 65.6%

Hi, I've noticed for a while that every time I scan my computer with AVG Anti Spyware, a threat called Trojan.Delf.Ndu appears. No matter how many times I delete it, it keeps showing up at the same place. C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

Once I delete it, it deletes my firefox.exe so I have to reinstall firefox over and over again but it keeps coming back to the same place. Also, when I scan with Trend Micro it tells me new threats have been detected and to please scan again after I scan my computer. I was letting this go until a few minutes ago when I plugged my flash drive in and a blue screen showed up! Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 1:38:50 AM, on 1/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\... Read more

Answer:Solved: Trojan Keeps Coming Back!

13 more replies
Relevance 65.6%

My computer has encountered some malware problems that just won't go away. It became infected with the vundo trojan, and I have tried using several programs to clean it numerous times. I have used Superspyware, Malwarebyte's Anti-Malware, and Avast antivirus, but the trojan keeps coming back (particularly the MS Juan-can't delete it from the registry). Initially I had popups when I was using firefox and then my computer would open the IE window. Currently I can't connect to the internet except in safe mode with networking so I haven't seen the popups although I am sure they are still there. Any help in getting rid of this pariah would be greatly appreciated! Below is my HiJackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:51 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\sys... Read more

More replies
Relevance 65.6%

I am having a major issue here. For some odd reason, I keep getting back the Trojans, Hijackers, and other Malware/Adware.

My computer's speed has been some what affected, especially internet browsing. Which reminds me, my browser redirects me to some random site.

I've tried running so many things, MBAM, SUPERAntiSpyware, but somehow, the things keep coming back after being removed - I even tried doing the removal processes both one after another and simultaneously, as well as with my internet cable unplugged.

Any suggestions?

Here's another thing I found off, thought I'd share it...

These are from my "temp" folder....

-130 (TMP File) - Unknown file type icon
-hxgmeu - Unknown file type icon
-jar_cache8144

None of these files were there before, they just got thrown in there... And ever since the infection, my task manager and "temp" folder both show files with names such as:

-asam.exe
-daltvqntssd.exe

and other randomly generated names such as hxgjjkl92m11.exe or ht9llnm32yckm.exe. the number of characters is always changing - and they keep coming back after every virus scan.

Thanks guys.

More replies
Relevance 65.6%

I've had no luck getting rid of this trojan. I've tried to delete it using Symantec AntiVirus 10.2.0.276. Symantec says that the delete has been successful, but then the trojan reappears the next time I boot the computer.

Since the first time I tried to delete it, I've been receiving these messages on start up:

Run DLL
Error loading C:\Users\MyName\AppData\Local\dcdexDal.dll
The specified module could not be found.

and

Microsoft Windows
LanWhoIs Setup has stopped working
Windows can check online for a solution to the problem.
--> Check online for a solution and close the program
--> Close the program

A few minutes after start up, I get a message that Symantec QuickScan has found Trojan.Zefarch and taken Partial action on it.

I've also tried to get rid of it by following the steps listed here, but I was only able to find and delete the registry file that page describes as HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS]" = "rundll32.exe "%Windir%\[RANDOM CHARACTERS].dll",e" and none of the others the page refers to. Doing this doesn't seem to have made any difference, and the file I deleted is back in the registry.

A side issue here is that I'd of course like to back-up my data to external hard disc before I try any other fixes, but I'm afraid of transferring the trojan to my storage device as well. How can I avoid that?

Any help ... Read more

Answer:Trojan.Zefarch keeps coming back

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
Do not d... Read more

22 more replies
Relevance 65.6%

When opening IE an AVG resident shield window opens saying that it has detected a virus. The virus is: Trojan horse Startpage. 16.BD

The homepage has been hijacked with a searchpage. I've tried deleting, healing and moving to vault but the file se.dll keeps coming back. Tried Spybot s&d and Adaware both without success. Also a popup window appears:

Error loading C:\WINDOWS\TEMP\se.dll

Answer:Trojan horse that keeps coming back

Try a² click here

8 more replies
Relevance 65.6%

Hi,

I got this Trojan Lootseek. It keeps coming back every now and then. Norton deletes it but apparently not completely.

I followed the READ & RUN ME FIRST post. Here are the attachments.

Thanks,
Fab
 

Answer:Need Help : Trojan.Lootseek keeps coming back 1

Need Help : Trojan.Lootseek keeps coming back 2

Here are the last 2 attachments...

Fab
 

22 more replies
Relevance 65.6%

I am in need of help as despite running every online scan I can find this AGProtect keeps coming back. Below are my logs from the dds.scr file and I will run a Kaspersky scan right away and post those logs when it is complete (likely tomorrow though). Can someone please help me get rid of this and if possible let me know their thoughts on how dangerous they think this trojan is/was. Symantec doesn't seem to think it is a big deal but they also just say run a scan to remove it which I know is not true.
DDS (Ver_09-06-26.01) - NTFSx86
Run by rgraham at 15:00:26.76 on Tue 07/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.266 [GMT -6:00]
============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Progr... Read more

Answer:AGProtect trojan keeps coming back

I finally got SuperAntivirus to run and it looks as though this is finally gone. I have restarted a few times and it has not come back. I am going to turn my system restore back on and hopefully this is behind me now.

I would still appreciate it if anyone had a look at my logs if they could let me know if there is anything else they think I should clean as well as let me know how bad they think the AGProtect malware is.

Thanks

3 more replies
Relevance 65.6%

I keep deleting it, but it comes back. I think it's been unloading a lot of spy ware because when I use ad-aware, hijackthis, spybot, cwshredder, and a ton of other programs, they keep coming back. This is so frustrating, why doesn't it delete.
 

Answer:Trojan that keeps coming back..msgked.exe

8 more replies
Relevance 65.6%

Hello, I have a persistent trojan called "Trojan.Downloader-Gen/Inst2.Process" embedded in a file called sdhjdsf.exe in the Windows folder. When Windows boots up, AVG instantly recognises the trojan and prompts me for an action to take. Whatever action I take, either Heal, Move to Vault, or manually deleting the file myself from the Windows folder, the file comes back the next time I boot up. I have checked the "Run" keys of the Windows Registry to see if something suspicious is set to boot up with Windows but they are all recognisable as safe processes. In fact there is no mention of this filename anywhere in the registry. There is also nothing in the Startup folder of the Start Menu.

I'm guessing that when Windows boots, a process is run that recreates this file and places it back in the Windows folder. But where could this be coming from? Is there another part of the registry that I need to check for this? Please help.

Cheers.

P.S. Does anyone know what is the purpose of folders called IME in the Windows folder and also in the System32 folder? Why does Windows need processes from these folders to run each time Windows boots?
 

Answer:Trojan keeps coming back after removal

Welcome to TSG

Please download HJT setup.exe Here
Let it Place Hijackthis in C:\Program Files\Hijackthis
Open Hijackthis.exe
Click on Do a System Scan and Save log file
Don't Fix any Items!!!
Just copy and paste the contents of the log file to your reply.
 

3 more replies
Relevance 65.6%

Hello I am having a really bad problem with my computer. I have some nasty trojan that keeps coming back. I cleaned up my computer with MalwareBytes Antimalware and it removed the trojan, I can say this because after I restarted the computer I did a new scan and it came out clean.
So the computer was doing ok for about 4 days and then again the trojan activated. I tried using again the malwarebytes but it didn't run, I then scanned with avg and removed some files that were trojans after this I could reinstall the Malwarebytes. It cleaned again the computer but after some days the virus activated again.
I ran combofix and I have attached the log, please help me fix this nasty problem thanks.

Answer:Trojan or Malware keeps coming back

Hello and welcome to TSF.

I Apologize for the late response.

If you still require assistance, we would like to see the latest state of your system. So, please post a fresh DDS log and a new GMER log as described in this topic. In your reply, I would also like to know any symptoms you may still have and how your computer is running at the moment.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don't hear from you in three-five days this thread will be closed.

With Regards,
Extremeboy

3 more replies
Relevance 65.6%

I run Malware bytes on my computer periodically. The last week I have been afflicted with the Trojan. Goldun.

Here is my Malwarebytes report.

Can anyone please Help?

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5256

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

12/6/2010 5:29:55 PM
mbam-log-2010-12-06 (17-29-55).txt

Scan type: Full scan (C:\|)
Objects scanned: 75733
Time elapsed: 52 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\network associates\BOPDATA\_date-20101206_time-161556656_enterceptexceptions.dat (Trojan.Goldun) -> Quarantined and deleted successfully.
 

More replies
Relevance 65.6%

hi i'm new at this, please help. i can't get rid of trojan vondu my norton is forever popping up and telling me it has been detected. i downloaded the removal tool but when i run it it doesn't pick it. i'm also getting millions of popups
 

Answer:trojan vondu keeps coming back

14 more replies
Relevance 65.6%

I have a trojan virus that won't go away. It keeps getting discovered by Superantispyware, AVG, and now Avast. The programs say it was removed but there are always multiple files that were not able to be scanned because they are "password protected". Every time I run a scan the virus is there again.

I had virtumonde a year ago and you guys were so helpful. Hoping you can help again because I'm not sure what to do now! Thanks in advance.

Michelle

editing...now noticing upon start up that "My Documents" window opens on its own, then computer clocks for awhile before regular applications start up

More replies
Relevance 65.6%

I have run Adware Se, Spybot and Webroot Websweeper in both safe and normal mode. Every time I see virtumonde keep coming up. PLEASE HELP! How do I get rid of it?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:58 PM, on 8/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program File... Read more

More replies
Relevance 65.6%

So I've recently gotten this trojan and tried many different ways to remove it. I use spybot S&D, AVG 9.0, MBytes and AD-Aware. I've tried running all of them in safe mode and AVG keeps finding it each time I restart my computer. I don't know what to do. Please help. This is my AVG Safe Mode log

AVG 9.0 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 9.0.663, engine 9.0.695
Virus Database: Version 270.14.50/2481 2009-11-04

C:\boot\bcd Locked file. Not tested.
C:\boot\BCD.LOG Locked file. Not tested.
C:\Documents and Settings\ Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\ProgramData\Desktop\ Locked file. Not tested.
C:\ProgramData\Documents\ Locked file. Not tested.
C:\ProgramData\Favorites\ Locked file. Not tested.
C:\ProgramData\Lavasoft\Ad-Aware\MiniMessage\3 Locked file. Not tested.
C:\ProgramData\Templates\ Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\Users\Default\AppData\Local\History\ Locked file. Not tested.
C:\Users\Default\Documents\My Music\ Locked file. Not tested.
C:\Users\Default\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Default\Documents\My Videos\ Locked file. Not tested.
C: ... Read more

Answer:tdlwsp.dll Trojan keeps coming back!

In normal mode:
Update mbam and run a FULL scan
Please post the results

Then run

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------

Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High
Also try: right-click on rootrepeal.exe and rename it to tatertot.scr

1 more replies
Relevance 65.19%

Hi, new here. I'm posting because my computer started getting hit with random pop-ups, again, mostly whenever I'd run Mozilla Firefox. I ran Malwarebytes and found about 13 infections of the Trojan.Vundo.h virus. I was able to remove most of the files after the scan and some files after rebooting, however, I'm still concerned there might be some trace of the virus left getting through a backdoor of some sort.
DDS (Ver_09-09-29.01) - NTFSx86
Run by Marc Ravelo at 12:36:15.10 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.218 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1356 [VPS 091009-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin... Read more

Answer:Trojan.Vundo virus - keeps coming back

Hello JSpayde,

I (as well as MicroSoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these. AVG Anti-Virus Free or avast! antivirus.

******************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

******************

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Select Files and Folders created in last 3 months
Click Continue at ... Read more

2 more replies
Relevance 65.19%

System:  Windows 7 Ultimate 64 bit
Real-Time Anti-Virus:  Microsoft Security Essentials (MSE)
 
Recently (perhaps within the past 2 weeks) I noticed MSE finding the trojan dorv.c!rfn.  I have tried a number of different things to remove this and it keeps coming back.  The following info is included with the detection:
 
The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items:
process:pid:5876,ProcessStart:130871811473164914
Get more information about this item online.
 
Despite MSE listing Quarantined as the "Action Taken" nothing shows under the Quarantined items view under History.  The detected item only shows in the "All detected items" view.
 
The following is a summary of what has occurred and actions I've taken.  The first scans with a given product resulted in some PUP findings and other "low level" possible threats.  These were removed and have not since returned.  The system has been fully scanned several times.  Some with a fresh install from a "clean" thumb drive.
 
Full scan with MSE booted normally.  Nothing found
Full scan with Malware Bytes booted normally.  Nothing found.
Full scan with MSE booted safe mode.  Nothing found
Full sc... Read more

Answer:Trojan:Win32/Dorv.C!rfn Keeps coming back.

My apologies for the double post.  I received a timeout error on my browser.
 
Please delete one of the threads.
 
Also, in this post, I have attached the two txt files requested.

74 more replies
Relevance 65.19%

Hi, I am using Windows XP sp 2 and I have Virus that won't go away that hides in the windows registry in the MSSMGR folder. I used Malwarebytes anti-malware to get rid of it but everytime I rescan it finds it again in the same place. PLEASE HELP!

Here's my malwarebytes and Hijack this Log.

Malwarebytes' Anti-Malware 1.50.1.1100
Malwarebytes

Database version: 5570

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

1/22/2011 4:28:45 AM
mbam-log-2011-01-22 (04-28-40).txt

Scan type: Quick scan
Objects scanned: 157008
Time elapsed: 12 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
HERE'S THE HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 04:33:50, on 1/22/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.... Read more

Answer:MSSMGR Trojan Root key keeps coming back

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Having problems with spyware and pop-ups? First Steps




link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

15 more replies
Relevance 65.19%

Hi! My laptop is infected by a Trojan horse, that, when I don't do something about it (AVS : "Cannot remove it, so ignore it, we'll take care it doesn't harm any file") cuts off the download of my internet connection.

member; apostel100

Trojaans paard BackDoor.Generic10.VWC
c\WINDOWS\system32\drivers\synsenddrv.sys

Please, help me, thanks a lot, lot lot,

Freddy
I made an OTL scan: cfr attachments


Merry Christmas !!!

Answer:Trojan horse coming back all the time

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

2 more replies
Relevance 65.19%

Scanned with spybot 2 entries pressed delete. Then I scanned it again with spybot it came again and again reappearing

It is on c:\Windows/system32/mfc40.dll and
c:\Windows/system32mfc40.dll_tobe_deleted
(Kind: trojan c-05) everytime

Here's my log, thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:48:39 PM, on 11/28/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\WNA1100\WifiSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WNA1100\WNA1100.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\klwtblfs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2010\avp.exe
C:\Program Files\Common ... Read more

Answer:Virtumonde Trojan coming back each scan

Edit looks like Spybot confirmed it as false positive
 

1 more replies
Relevance 65.19%

Basically what the topic says, they keep coming back even when the scan has happened.

Did a scan with MBAM and this is my recent log,

cheers

-----------------------------------------------------

Malwarebytes' Anti-Malware 1.35
Database version: 1945
Windows 5.1.2600 Service Pack 2

25/04/2009 6:02:00 PM
mbam-log-2009-04-25 (18-02-00).txt

Scan type: Quick Scan
Objects scanned: 69195
Time elapsed: 2 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 5
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Quarantined and d... Read more

Answer:Trojan/Malware/Backdoor bot keeps coming back

Hello, first I want to post a bit of advice about a Backdoor.bot IRC bot.. Mbam needs to be updated if we continue.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Rerun MBAM
Open MBAM in normal mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post n... Read more

6 more replies
Relevance 65.19%

Hey new to the site hope you can help. I have run malwarebytes countless times but to no success. Here is my log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4673

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/24/2010 9:13:52 AM
mbam-log-2010-09-24 (09-13-52).txt

Scan type: Quick scan
Objects scanned: 119158
Time elapsed: 5 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{bce37e3b-1b23-65f1-40f9-b9049421c894} (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\program files\microsoft\desktoplayer.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe) Good: (userinit.ex... Read more

Answer:Malware and Trojan found and keeps coming back

Hello let's run a couple safe mode tools and see. You did reboot normally after that scan?

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop ..
DO NOT run yet.

Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click that browser at... Read more

Relevance 65.19%

Hey I'm still pretty new to this site, but I posted a thread in the "Am I Infected? What Do I Do?" (http://www.bleepingcomputer.com/forums/topic102174.html) and read around a bit. My concern is that I kept getting a popup from Trend Micro Antivirus saying it found "worm_rbot.fjx" even though I had already quarantined and deleted it. It keeps popping up every so often, but doesn't always appear on full system scans. In addition, I have Spy Sweeper and it has discovered "trojan-rbot-gr" a few times. Same story, I quarantine and delete, but it seems to come back. When I search Google for either one, I get no help at all.

I downloaded Ad-Aware and Spybot - Search and Destroy like this site recommended and was able to scan successfully once with each. However, when I turned my computer back on later it kept freezing up after loading Windows. I eventually just had to boot in Safe Mode and uninstall the 2 programs.

Now I'm at the point where I don't know what to do. Based on the HijackThis log file, can anyone tell me if I've actually gotten rid of the trojan/worm? Are they different or the same thing? It seems like some programs call the same malware by different names. Any help would be greatly appreciated. Thanks in advance!

justsometallguy

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:28 AM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running proces... Read more

Answer:Worm_rbot.fjx Or Trojan-rbot-gr Keep Coming Back, Help! Thanks!

Welcome to the BleepingComputer HijackThis Logs and Analysis forum justsometallguy. My name is Richie and I'll be helping you to fix your problems.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):

C:\Recyclers

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

----------------------------------------------------

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as.. / Save as Type: 'All Files' / File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop.
You'll see a black screen flash, that's [email protected] off
sc stop Messsaanger
sc delete Messsaanger

Restart your pc.

----------------------------------------------------

Please download Combofix and save ... Read more

Relevance 65.19%

Although my anti-virus program is catching the trojan, it keeps coming back. I also get spyware that comes back after I have just removed it. So far I have used the following programs in my quest to remove all malware on my Windows XP computer: Ad-aware, Spybot, MS AntiSpyware, CWShredder, and True Sword. The following is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:59:46 AM, on 1/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Notes\ntmulti.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINDOWS\System32\wm.exe
C:\WINDOWS\system32\rundll32.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
c:\windows\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SY... Read more

Answer:Trojan.Dropper keeps coming back along with malware

You have multiple infections on this system....we'll address VX2/Look2Me first:

You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Click "Install" to extract the contents to a newly created folder.

Close any programs you have open since this step requires a reboot.
From the l2mfix folder, double click l2mfix.bat
Select option #2 for Run Fix by typing 2 and then pressing enter.
Your desktop and icons will disappear as L2mfix scans/disinfects your computer.
When finished, you will be required to press any key to automatically reboot.
On the reboot notepad will open with a log. Copy/paste the contents of that log back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

If after the reboot the log does not open double click on it in the l2mfix folder to locate log.txt.

If you receive an error - \system32\Autoexec.nt is not suitable for running MS-Dos applications, you will need to visit this website to download additional files.

Relevance 65.19%

I've been having recurring problems with the Shopperz trojan in Windows 10.  Each time I reinstall Windows, it comes back.  I find Shopperz by scanning Windows with ClamTK (GUI for ClamAV) from a linux partition. 
 
So last time I reinstalled Windows, I scanned after each change I made.  I started with a backup that I made yesterday from a backup I made a year ago.  This backup is basic Windows 7 that is up to date on updates as of 11 Dec 2015, Comodo Security Suite, and Chrome.  I can't think of anything else extra in the backup.  So after restoring Windows 7 from the backup, I made a linux partition and scanned Windows with ClamTK.  Windows 7 was clean.  Next I upgraded to Windows 10 without visiting any webpages or installing anything else, and scanned again.  This time ClamTK found the Shopperz trojan.  So I'm wondering if Microsoft made a change to dnsapi.dll that is just enough of an intrusion to register as Malware?  I also tried scanning the Windows 10 partition with Comodo for Linux, and it came up clean.  So it is just ClamAV that is finding Shopperz malware in Windows 10.
 
Here is the path and ID of the trojan from ClamTK, I just stop the scan after the first trojan is found since it takes several hours to finish...
/media/scott/eMachines/Windows/System32/dnsapi.dll      Win.Trojan.Shopperz-154   
 

Scan result of Farbar Recovery Scan Tool (FRST... Read more

Answer:Shopperz trojan keeps coming back with each reinstallation

Hi uberdorf

My name is Aura and I'll be working with you on that issue. Please give me a few hours to analyse your logs, and I'll get back at you as soon as possible.

Thank you!

Relevance 65.19%

Hi. I'm new here, but I hope somebody can help me. I got a trojan virus called "Trojan.Agent.Gen" or "Trojan.Agent.cn" by malwarebytes antimalware. It creates a file called svchost.exe in appdata\local\temp directory and every time I stop it with malwarebytes antimalware it comes back again after restarting my computer. I provide some screenshots below, but the malwarebytes antimalware is in Norwegian language, but you can clearly see the Trojan name.

PS: I'm using windows 7 home premium.

Answer:Trojan virus keeps coming back after removal

Please do the following:
Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.e... Read more

Relevance 65.19%

Hello I am new to your forum, computers and the internet so please bear with me

Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

My Msn box started to dance all around my screen, and to my surprise, this trojan/virus started to send out the same file to others that were my contacts and had their Msn Live messenger box on at the same time I had, posing itself off as me sending it

Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

I then used my Spysweeper and it came up stating I was Infected with W32/IRCBot-xx, I Quarantine such, cleaned out my Quarantine and then proceeded to do more scans however after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

Now there after seeing that, I was more than a little upset, so I made a few phone calls to my Grandson's friends, who are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

That did not help either because this darn W32/IRCBot-xx keeps coming back and showing up In my Spysweeper

I would like to know if someone here can give an Old Man a tad of a little guidance please with regard to my problem

I have done many scans and cleaning with Norton IS 2007, Spy Swee... Read more

Answer:Trojan/Virus W32/IRCBot-xx Keeps Coming Back

Relevance 65.19%

Computer was infected around June 16 with Internet Security 2010. Utilized the removal guide on this site and all appeared well but I suspect something else is still occurring.

Symptoms:
1) Anti-virus Software (McAfee) will turn itself off momentarily then come back on.
2) MBAM program has found recent Trojans and has prevented (blocked) going to several suspicious sites (have inserted some of the logs)

Downloaded dds but have been unsuccessful in running. I see a black box pop up then close - nothing else. Have renamed from scr to exe without results

System Specs:
Win 7 Home Premium (64 bit)
HP Pavilion dv7 Notebook PC

Log #1: Initial log when infection jumped out.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6873

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

6/16/2011 9:00:26 PM
mbam-log-2011-06-16 (21-00-26).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 486540
Time elapsed: 2 hour(s), 31 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
c:\Users\mom & dad\AppData\Local\sju.exe (Trojan.ExeShell.Gen) -> 5504 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE&#... Read more

Answer:Possible infection with trojan Agent - keeps coming back

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412234 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following inf... Read more

Relevance 65.19%

I've scanned my computer a few times and it looks like I have a trojan. My computer is running really slow and its crashing a lot.

Answer:Trojan caught by Malwarebytes keeps coming back

Hello spalladino25

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the s... Read more

Relevance 65.19%

Avira first alerted me to this problem on 11/23. I had been getting loud annoying pop-up ads when I was browsing youtube, and then saw Avira found EXP/JS.Expack.AZ, EXP/Pidief.dme, and TR/Alureon.A.78. I googled it and found your website and followed the instructions and MBR check said nothing was found so I thought I had gotten rid of it. Avira did scans from 11/23 through 12/4 and no viruses/unwanted programs were found even though I was still having some intermittent problems with annoying pop up ads. Then on 12/5, I got a new Avira warning saying it found two unwanted programs, including TR/Alureon.A.74 and TR/Alureon AYQ Trojan. So I don't know if I got rid of it and it came back, or if it never went away, but I am ready to cry Uncle and humbly request for help! I really don't know how I have gotten this because all I do is browse the internet. Thank you so much for your help. It is greatly appreciated.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.10.2
Run by Meredith at 9:44:50 on 2012-12-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.1264 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
... Read more

Answer:Trojan Alureon A Virus Keeps Coming Back :(

Hello merri23, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

Do you have a USB Flash Drive you can use?

Relevance 65.19%

hi guys...
i have both norton & AVG installed in my computer. recently after i uninstalled windows xp sp2 (as it couldn't run), AVG keeps telling me that i have this trojan horse dialer.7.B in my folder. no matter how many times i scanned & deleted it still comes back in 2 folders. one is C:/Documents and Settings/Huey/juck.exe, another one (also .exe) in a temporary internet folder which apparently couldn't be found in my computer!
i search on the net & found that there r ppl facing the similar problem too, but couldn't find a cure...can anyone help?
thanx!

Huey
 

Answer:trojan horse dialer.7.B keeps coming back

Relevance 65.19%

Dear bleebingcomputer,
 
The problem with my computer is that my processor is always 70% used even though I'm not running any programs. Malwarebytes has detected a trojan named svchost.exe. When I delete it with malwarebytes and reboot my computer the trojan keeps coming back. I've seen the same problem in this topic: " http://www.bleepingcomputer.com/forums/t/490284/trojanagentgen-keeps-coming-back-after-removalquarantine-svchostexe-trojan/ ", so I tried to use the advice given in that topic to solve my problem as well. This didn't work for me so I opened this topic. As requested FRST files below:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:28-06-2015 01
Ran by Milan (administrator) on MILAN-PC on 03-07-2015 13:08:57
Running from C:\Users\Milan\Downloads
Loaded Profiles: Milan (Available Profiles: Milan)
Platform: Windows 7 Ultimate Service Pack 1 (X64) OS Language: Nederlands (Nederland)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(NVIDIA Corporation) C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpywar... Read more

Answer:Svchost.exe Trojan keeps coming back after removal

P.s. I'm from the Netherlands so my response may be somewhat late due to the time zone difference.
 
You can address me by my name: Milan
 
Greetz,
Milan

Relevance 65.19%

I am working on a friend's Dell laptop that has a trojan virus that I can't get rid of. McAfee has identified it as AdClicker-FK GAMADRIL20071203. I have booted up in safe mode, deleted all temp files for all users that I could find. I ran McAfee Virus Scan, Adaware and Windows Defender until they found nothing. Everything seemed like it was okay and as soon as I went online again, the virus resurfaced. Virus Scan found it again and deleted it, but that doesn't stop it from sending me to different sites. Any help would truly be appreciated.
 

Answer:How do I remove Trojan GAMADRIL20071203, it keeps coming back

Welcome to Major Geeks.

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

Relevance 65.19%

It started out with a Trojan Vundo. I've run every free virus scan & removal (Malwarebytes, VundoFix, Superspyware, Combofix) and was able to get rid of the Vundo dll files.

Here's the problem. I've run SuperSpyware too many times to count & there are two that keep coming back:

adware.Tracking Cookie (24 items)
Trojan.Fake-Alert/Trace (1 item)

Note that the Trojan Fake Alert is on a registry key. I delete them, but they randomly show up in scans.

Is there a log that you need to see? I'M READY TO THROW THE COMPUTER OUT THE WINDOW. Thanks for any help!!
 

Relevance 65.19%

So my computer was infected badly. Reluctantly I backed up my music and files and formatted the C drive then re-installed XP pro. The trojan is back though, because if I leave it idling weird things will pop up like the IE security thing asking me if I want to continue. I come to you asking for your help in removing this nasty thing, as I'm usually wary about what sites I visit and filenames and such. So my computer doesn't get infected on a regular basis like some people I know. I deleted csrscc and winlogun before scanning, so they might not be in the log files.

DDS (Ver_09-01-18.01) - NTFSx86
Run by Jory at 16:48:11.15 on Mon 01/19/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.759.412 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Do... Read more

Answer:Formatted computer, trojan is coming back!

bump. It's also producing blank emails addressed to bogus web sites too.

Relevance 65.19%

For the past 4 days, Microsoft Security Essentials detected and removed the Win32/Alureon.CT trojan at exactly 9pm each day. The only previous detected item before these was on 7/30/2010: an Exploit:HTML/iframeRef.gen in a firefox profiles folder.

My computer is running normally and I haven't experienced anything suspicious yet.
I ran a Malwarebytes scan and nothing was detected.
I googled around and found out that this was a rootkit which would be difficult to remove
I ran Kaspersky's TDSS rootkit removing tool and it detected and quarantined C:\Windows\system32\Drivers\sptd.sys
Then I found this site
I followed your preparation guide but I couldn't run GMER because it gives me the error "C:\Windows\system32\config\system: The system cannot find the file specified" when I open it.

Should I start backing up my files now? Would moving files from the C: drive to a different partition on the same drive be sufficient, or should I invest in an external HD? What shouldn't I do until this gets fixed?

Anyways, here is the DDS log:

DDS (Ver_10-03-17.01) - NTFSX64
Run by Tom at 22:02:23.26 on Fri 08/06/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_21
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.4063.2578 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.... Read more

Answer:Trojan:WIN32/Alureon.CT keeps coming back

Hello,

You may backup your personal files and documents to offline media; just do consider them suspect until any rootkit or malware issues are resolved.
Other than that, do not make changes or additions (hardware or software) without checking here first.
Do not run or start any other programs while these utilities and tools are in use! Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

Step 1
1. Go >> Here << and download ERUNT (ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts (use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT (either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup (the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 2
Set Windows to show all files and all folders. Set Folder options to show all hidden files and folders:
Click the Start button , click Control Panel, click Appearance an... Read more

Relevance 64.37%

Trying to clean out my friend's laptop and this virus keeps returning on me. I've run avgfree and spybot. It will be fine for an hour or so and then avg virus pops up that it is back. Any help is greatly appreciated. Here is the DDS. Thanks again.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Circuit City at 15:22:57.30 on Sun 05/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.88 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: eTrust EZ Antivirus *On-access scanning enabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\W... Read more

Answer:Trojan horse generic13.ampu keeps coming back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Relevance 64.37%

Help! I can't seem to get rid of the Win32:BitCoinMiner Trojan in my laptop. Tried deleting them but they just keep on coming back. If I don't get rid of this soon, what will most likely happen with my PC?
 
Hope someone might be able to reply to this asap.

Answer:BITCOIN MINING Trojan keeps on coming back and I don't know how to deal with it.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.06.17.05
 
Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16599
Mitzi :: MITZI [administrator]
 
Protection: Enabled
 
6/18/2013 9:04:09 AM
MBAM-log-2013-06-18 (09-24-14).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237437
Time elapsed: 14 minute(s), 27 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
C:\Users\Rey\AppData\Local\Temp\iswizard\iswizard.7z (Trojan.BitcoinMiner) -> No action taken.
 
(end)

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16537  BrowserJavaVersion: 10.5.0
Run by Mitzi at 8:15:18 on 2013-06-18
Microsoft Windows 8  6.2.9200.0.1252.1.1033.18.8064.4969 [GMT 8:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
AV: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB... Read more

Relevance 64.37%

Hello,

About a week ago, I did a malwarebytes scan and a threat was detected: Trojan.Agent - Malware - File - C:\Windows\hosts. I had it removed via malwarebytes, and after doing a repeat scan, it's gone. But I think after every restart or shutdown, it comes back.

Here is a photo of my latest malwarebytes scan.
 

Relevance 64.37%

I obviously have malware because Kaspersky keeps finding it and deleting it but it keeps coming back.  I'm not sure what else I might have.  This has been going on for a week or two.  In case this helps, here is the location of the files that Kaspersky keeps deleting:
 
c:\users\j\appdata\local\microsoft\windows\temporary internet files\content.ie5\hur2zkla\protectupdater20151102[1].exe
 
c:\users\j\appdata\local\microsoft\windows\temporary internet files\content.ie5\hur2zkla\protectupdater20151102[1].exe//data0001
 
c:\users\j\appdata\local\temp\file_to_run551193.exe
 
c:\users\j\appdata\local\temp\file_to_run551193.exe//data0001
 
c:\users\j\appdata\local\temp\file_to_run5579.exe
 
c:\users\j\appdata\local\temp\file_to_run5579.exe//data0001
 
In the past few weeks there are over 100 of these files that Kaspersky deleted.  They all start like the first four above but the numbers are different.
 
Also, two files just showed up in my downloads folder that I didn't put there and my computer won't let me delete them.
 
downloads\webscr
 
downloads\i
 
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:17-11-2015
Ran by J (administrator) on MOMHPLAPTOP (17-11-2015 15:20:44)
Running from C:\Users\J\Downloads
Loaded Profiles: J (Available Profiles: J & Kids)
Platform: Windows 8 (X64) Language: English (United States)
Internet Explorer Version 10 (Default browser: Chrome)
Boot Mod...

Answer: Kaspersky is telling me I have malware & trojan. It keeps coming back

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.
Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
Step 1
Please download TDSSKiller and save it to your Desktop.
Start tdsskiller.exe with ...