Computer Support Forum

Rootkit changes found by GMER, win32/daurso found by MS Defender

Question: Rootkit changes found by GMER, win32/daurso found by MS Defender

I have ESET anti-virus and it has quarantined a few things trying to access my comp. Win32/daurso found by MS Defender. Ran ComboFix and Malwarebytes to try and get rid of stuff, but Defender and ESET still block high risk things. After following instructions (i.e. defogger to GMER) GMER also said Rootkits may have changed something. Please help! I have posted most recent logs for your review. I did not post Attach.txt as it said not to unless requested. Thank you.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-25 12:59:29
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\pxldrpog.sys

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\pmeamhy.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8DA0D340, 0x345217, 0xE8000020]
.text bridge.sys 8E498462 519 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[316] kernel32.dll!SetUnhandledExceptionFilter 7796A84F 4 Bytes [C2, 04, 00, 00]
.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[2320] kernel32.dll!SetUnhandledExceptionFilter 7796A84F 5 Bytes JMP 6D695335 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text C:\Program Files\Pando Networks\Pando\Pando.exe[2564] kernel32.dll!SetUnhandledExceptionFilter 7796A84F 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
? C:\Windows\System32\svchost.exe[3248] image checksum mismatch; time/date stamp mismatch; unknown module: imagehlp.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 87F2EE90
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\BTHUSB \Device\0000009c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000009e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pmeamhy <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ryan at 11:37:33.75 on 25/05/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_07
Microsoft® Windows Vista™
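The GMER log above is what the helpers in this thread read by eye. As an added example (not part of the original post and not GMER's own code), the Python below parses a GMER 1.0.15 log into triaged findings and cross-references artifact names across sections, so the unreadable pmeamhy.sys driver image and the hidden BOOT service of the same name surface as one linked finding. The sample log is constructed from the entries posted above; the severity labels are the example's own assumptions.

```python
"""Triage a GMER 1.0.15 rootkit-scan log (added example, not GMER's own code).
GMER prints one entry per line under '---- <Section> - GMER x.y.z ----' headers;
this helper extracts the entries worth a human's attention and cross-references
artifact names across sections. Severity labels are this example's assumptions.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HIDDEN_SERVICE_RE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(\w+)\] (\S+)")
WRITEABLE_RE = re.compile(r"^\.text\s+(.+?)\s+section is writeable")
KERNEL_PATCH_RE = re.compile(r"^\.text\s+(\S+)\s+[0-9A-Fa-f]+\s+(\d+) Bytes")
UNREADABLE_DRIVER_RE = re.compile(r"^\?\s+(\S+)\s+(.*)$")
PROCESS_NOTE_RE = re.compile(r"^\?\s+(.+?)\[(\d+)\]\s+(.*)$")
USER_HOOK_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+!\S+)\s+[0-9A-Fa-f]+\s+(\d+) Bytes\s*(.*)$")

# Constructed sample: the entries posted in the thread, registry section omitted.
SAMPLE_GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net

---- Kernel code sections - GMER 1.0.15 ----

?       System32\Drivers\pmeamhy.sys   A device attached to the system is not functioning. !
.text   C:\Windows\system32\DRIVERS\nvlddmkm.sys   section is writeable [0x8DA0D340, 0x345217, 0xE8000020]
.text   bridge.sys   8E498462 519 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]

---- User code sections - GMER 1.0.15 ----

.text   C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[316] kernel32.dll!SetUnhandledExceptionFilter   7796A84F 4 Bytes [C2, 04, 00, 00]
.text   C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[2320] kernel32.dll!SetUnhandledExceptionFilter   7796A84F 5 Bytes JMP 6D695335 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
?       C:\Windows\System32\svchost.exe[3248]   image checksum mismatch; time/date stamp mismatch; unknown module: imagehlp.dll

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] pmeamhy   <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
"""

@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "info" (this example's scale)
    section: str   # GMER section the entry came from
    artifact: str  # lower-cased base name, used for cross-referencing
    detail: str

def _artifact(path: str) -> str:
    """Reduce a path or service name to its lower-cased base name without extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()

def triage_gmer_log(text: str) -> list[Finding]:
    findings: list[Finding] = []
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if header := SECTION_RE.match(line):
            section = header.group(1)
        elif section.startswith("Services"):
            if m := HIDDEN_SERVICE_RE.match(line):  # not visible through the service API
                findings.append(Finding("high", section, _artifact(m.group(2)),
                                        f"hidden {m.group(1)} service '{m.group(2)}'"))
        elif section.startswith("Kernel code sections"):
            if m := WRITEABLE_RE.match(line):
                findings.append(Finding("medium", section, _artifact(m.group(1)),
                                        f"writeable code section in {m.group(1)}"))
            elif m := KERNEL_PATCH_RE.match(line):
                findings.append(Finding("medium", section, _artifact(m.group(1)),
                                        f"{m.group(2)} bytes of kernel code modified in {m.group(1)}"))
            elif m := UNREADABLE_DRIVER_RE.match(line):
                findings.append(Finding("medium", section, _artifact(m.group(1)),
                                        f"driver image could not be read: {m.group(1)}"))
        elif section.startswith("User code sections"):
            if (m := PROCESS_NOTE_RE.match(line)) and "checksum mismatch" in m.group(3):
                findings.append(Finding("high", section, _artifact(m.group(1)),
                                        f"{m.group(1)} (PID {m.group(2)}): {m.group(3)}"))
            elif m := USER_HOOK_RE.match(line):
                proc, pid, symbol, nbytes, tail = m.groups()
                # JMP hooks name the module now owning the function; report it so a
                # reviewer can tell an Office or AV patch from an unknown module.
                where = tail[4:].split(" ", 1)[-1] if tail.startswith("JMP ") else f"inline patch {tail}"
                findings.append(Finding("info", section, _artifact(proc),
                                        f"{proc} (PID {pid}) {symbol} {nbytes} bytes -> {where}"))
    return findings

def cross_referenced(findings: list[Finding]) -> dict[str, list[str]]:
    """Artifacts flagged in more than one GMER section, mapped to those sections."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f.artifact, set()).add(f.section)
    return {name: sorted(secs) for name, secs in seen.items() if len(secs) > 1}

if __name__ == "__main__":
    for f in triage_gmer_log(SAMPLE_GMER_LOG):
        print(f"[{f.severity}] {f.section}: {f.detail}")
    print("cross-referenced:", cross_referenced(triage_gmer_log(SAMPLE_GMER_LOG)))
```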


Answer: Rootkit changes found by GMER, win32/daurso found by MS Defender

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Question: GMER found rootkit

closed

Answer: GMER found rootkit

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/438680 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo...


I have six computers that have been affected by a virus or some kind of issue. This computer I scanned as instructed and have the following results. Every computer was hit a little different but I found the vundo trojan on two that I removed, but this and 3 others I did not even find any malware when scanning with malwarebytes. I figured I would start with this computer and hopefully it will give me a way of fixing the rest or at least tell me how to look. Below is the DDS.txt log as requested.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by VIP at 13:04:30 on 2012-08-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.22 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *Enabled*
.

Answer: GMER Scan found rootkit

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ...


Please help someone.

Answer: GMER found rootkit activity. LOG

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there. CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/540022 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more


Hello, 
 
I have had 6 rootkit activity logs in GMER (C:\WINDOWS\system32\svchost.exe (*** hidden *** ) so I've run popular Bleeping Computer scans because I am an active reader and big fan of Bleeping (Malwarebytes Anti-Rootkit and Anti-Malware, RogueKiller, ESET NOD online scanner, JRT, TFC, AdwCleaner, Sophos antivirus and Sophos HitmanPro and Norton Power Eraser that found a DNS problem and solved it). After the scans - I repaired a lot of infections and junk programs, about 7 including some junk program - I've run Windows Repair All-in-One and repaired everything I could. I can already see an improvement since I am able to start and finish antivirus scans. OK, why I did the scans: the laptop behaved as if it was hijacked, with pop-up windows opening and closing randomly and sometimes very fast; also the touchpad has become unresponsive and the right button stopped working (might be a hardware problem, I thought, because with a mouse it behaved better). After all these scans and repairs I can still see the ''gmer has found rootkit activity'' but the number of rootkits is reduced to two:
 
C:\Windows\system32\ikeext.dll (*** hidden ****) [Manual] IKEEXT
C:\Windows\system32\Tabsvc.dll (*** hidden ****) [AUTO] TabletInputService 
 
all the above in red, 
 
now usually I am able to resolve the aforementioned problems alone with the above programs but not this time, these programs are unable to solve the gmer log p... Read more


As I was told to do so I have created a GMER log and this is what I find.
MRT Edit: Link to thread in AII Forum: http://www.bleepingcomputer.com/forums/topic404490.html/ --ST
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-17 12:33:26
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: I:\DOCUME~1\Owner\LOCALS~1\Temp\kftiypod.sys
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----
Well this sure seems interesting. I also seem to be getting a DCOM error with Blue Screens which is getting out of hand. I just got another BSOD and had the file named nv4_mini.sys. This is seriously getting ridiculous and pissing me off. Sorry I'm just getting frustrated. I apologize if I didn't post the log correctly yesterday. This time I used ComboFix which gave me a whole log.
ComboFix 11-06-17.04 - Administrator 06/18/2011 13:02:24.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.469 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\MWN-USB54G Wireless Client Utility .lnk
c:\program files\Search Toolbar
c:\program files\Search Toolbar... Read more

Answer:Gmer Log - Rootkit Found In Sector

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread. I would be glad to take a look at your log and help you with solving any malware problems. If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below: Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator... Read more


Please Help.
First, my netbook internet stopped working.
The safe mode prompt screen has been changed so I couldn't get in.
The computer at times would not resume from closing the lid.
Finally, I got into safe mode, after that I was able to update Malwarebytes, Spybot Search and Destroy.
Malwarebytes, Spybot Search and Destroy and Norton found stuff and there was no problem removing it.
I rescanned using all three, which came up clean.
Then Norton kept popping up blocked attack messages due to Tidserv Activity2, Tidserv Activity, and exploit kit variant activity.
Internet doesn't stay up. I have to reboot.
So, I ran GMER which found rootkit [email protected]
Thanks

DDS.txt

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mie at 13:13:32.93 on Wed 05/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.143 [GMT -4:00]
.
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Instant Restore\BOTService.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\wdm\STacSV.exe
svchost.exe
C:\... Read more

Answer:GMER which found rootkit [email protected]

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


Hi there, I am back after a few busy months and need assistance please. My regular XP Prof computer, which had previously been fixed by your wonderful 'doctor' Grinler, now has been hit again because it won't start up in Windows. It starts up but never quite comes to the desktop screen. The screen appears to be hiding behind another layer or something and it had a strange wallpaper showing before it got unstable. It was working great and suddenly it was acting weird. I was able to only run Malwarebytes in safe mode. So I am now using my newer other XP Prof computer. This one got hit too so I ran Malwarebytes and posted the log below to show you it found the worm Prolaco. Then I ran GMER on it and it showed rootkit activity with a lot of instances of IEXPLORE. It also started failing at Windows updates which made me be on alert that it too might have been hit. After running Malwarebytes it did better with Windows updates and only failed on one update which was the .NET Framework. I did not do any removal with GMER. I only ran the program in hopes I would get your help so I don't lose the only working computer in this attack. But I am needing to cure both of them. They both got hit at about the same time I believe. I'm not sure if that could happen at the router that they both plug into. The one that is not booting up, I did not quite finish getting it all backed up onto DVD before it stopped working in Windows so because of that I am needing assistance ... Read more

Answer:Rootkit activity from Gmer and Worm found

Hi gabstercol, Welcome to Bleeping Computer! My name is mpascal, and I will be helping you fix your problem. Before we begin, I would like give a few guidelines so that we can fix your problem as quickly and efficiently as possible: Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask. Please do not do anything or perform other steps unless I have asked you to do so. Please make sure you post all logs I ask you to, and make sure that the entire log gets posted. Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze. If you are unsure of how to reply, or need help with anything regarding the website, please look here. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below I will review and take the step... Read more


I have been fighting my PC for 6 months. I use Trend Micro Internet Security. 4 months ago I got it back to an acceptable level of flakiness by using their HouseCall removal tool. The previous problem was that I kept being redirected from Google.

Current problems are that any time I click a Google link, I have to refresh, otherwise it just brings up a blank IE screen and stops. Also, the PC has a varying amount of lag, seems to act like it is taxed for memory.

(I replaced my full name with "user" in the log files)
Also, the Attach.txt file says not to attach it unless specifically asked so I have not loaded it.

I had to restore my PC to a prior date after trying to run GMER and crashing 5 or 6 times. This machine was running at 25% speed. Sometimes the machine would just turn off in the middle of the test, sometimes it would freeze up with an error (I have a clear picture of the error if more info is needed). That is why the dates are a few days old.

Please help me straighten out my PC. Thanks.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by USER at 7:04:40.74 on Mon 04/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.34 [GMT -4:00]
.
AV: Trend Micro Titanium Internet Security *Enabled/Updated* {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Firewall Booster *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:... Read more

Answer:RootKit ? [email protected] code found by GMER

to BC. (I replaced my full name with "user" in the log files) Also, the Attach.txt file says not to attach it unless specifically asked so I have not loaded it. I need fresh logs from DDS (both DDS.txt and Attach.txt) and GMER (ark.txt). Do NOT change anything in the logs. The fixes I will provide will then cause more problems instead of fixing them.


So cutting it short, I have been a victim of creepware. A friend put something on my computer to spy on me and make threats. When I told my mom she didn't believe me and so I'm being forced to take antipsychotics for it. I need to prove to her that it's true. I found the rootkit with GMER but to my mom it's not enough; can I find the IP address of who is doing this? Thank you so much
 

Answer:Found the rootkit with Gmer,how do I go from here to prove I have been spied on?

You already have an open topic here and are receiving assistance. Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues when asking for and receiving assistance elsewhere. Further, it necessitates staff spending time with housecleaning to remove or close those duplicate postings... time which could have been provided to others needing assistance. Please continue in your other topic. To avoid confusion this thread is closed. The BC Staff


So cutting it short, I have been a victim of creepware. A friend put something on my computer to spy on me and make threats. When I told my mom she didn't believe me and so I'm being forced to take antipsychotics for it. I need to prove to her that it's true. I found the rootkit with GMER but to my mom it's not enough; can I find the IP address of who is doing this? Thank you so much

Answer:Found the rootkit with Gmer,how do I go from here to prove I have been spied on?

If I read that right it appears your friend is the culprit, problem solved. Not the best friend in the world IMO but I suppose there could be worse.


I ran GMER, and it found and removed a possible rootkit - system32\drivers\mferkdet.sys
My search of the internet found that this driver is from McAfee so I am confused how it could be a rootkit. To which McAfee application does the driver belong? The only McAfee products I have are McAfee Site Advisor and McAfee Stinger. Can someone shed more light on this driver? Is this really a rootkit or was this a false positive from GMER?

Thank you.

Answer:Possible rootkit mferkdet.sys found by GMER - what is this?

It looks like a McAfee file.
 
GMER is just a scanner. How did you actually remove that file with GMER?


A month ago I discovered I had a rootkit infection. Went to Google and tried a few rootkit removals with no luck. One was Sophos Anti-Rootkit; I can not remember what other programs I also used. Then in the last few days the Win32/Dauros.A started showing. I came to your site and followed a few self helps with no luck to remove. I ran SUPERAntiSpyware that still showed I had 5 infections from severe to mild. I ran my Avast Pro, Windows Defender. I have/run a Sony Vaio VGN-FW21E Vista Home Premium Service Pack 2 Intel® Core™ Duo CPU P8400 @ 2.26GHz 2.27GHz 4 gig 32-bit; all my systems products are genuine and legal. I have followed each step of the prep guide and am attaching the log requested. I thank you in advance for all your help and it is very much appreciated. Thank you.

Answer:Infected with Rootkit: PWS:Win32/Daurso.A

Just bumping this up as it has been 4 days. FYI.. Seems when I boot up the Rootkit and Win32 virus are not popping up but I am not sure if it is because I have a few things not running that you all requested to shut off in the follow-up steps. Computer is still slow and dragging though and I haven't really been on here since I posted as I want to make sure all is good before I start going on line again and using my passwords etc. Hope there is help on the way soon as my family is getting stressed as I will not even Skype with them.. Cheers and look forward to a reply. Mish


Hello,

My normally agile system cannot load web pages today. I'm normally extremely cautious while navigating online and rarely have virus problems, however I may have inadvertently clicked a dubious link last night, and now sites take forever to load. Other computers on my home LAN are working fine. I've generated HJT, DDS and GMER logs per the instructions. I had to stop GMER after 90 minutes because I have work to do today. Upon clicking Stop a dialog informed me that GMER had found modifications due to a rootkit. Please advise. Thanks.

Jerome
 

Answer:Web pages loading very slowly / GMER found rootkit modification


I ran GMER and it found the following disk problem

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-29 13:32:58
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.3.16
Running: wi6o2vsl.exe; Driver: C:\DOCUME~1\MARCD~1\LOCALS~1\Temp\pxtdypog.sys
---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\DRIVERS\ati2mtag.sys section is writeable [0xF70F5000, 0x1894F8, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2812] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2812] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2812] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program F... Read more

Answer:malicious win32:mbroot code found by gmer

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear Click the Disable button to disable your CD Emulation drivers Click Yes to continue A 'Finished!' message will ap... Read more


Hi (and thanks). I've been noticing various suspicious activity on my system, so I scanned with MBAR. It found/removed Trojan.Agent.ED and a few PUPs. On next login Windows reported 5 failed logins since the last interactive login, none of which were due to me. So I scanned with GMER and it is reporting many entries in the rootkit tab (and a much smaller number of rootkit entries when running in safe mode).
 
The trojan was detected in an app from the Leap Motion App Store. My Leap Motion Controller has been acting strangely (high CPU even when no Leap Controller is plugged in) so I've recently removed the Leap Motion Service (but not the Leap Motion Control Panel software).
 
 
 
Examples of the initial suspicious activity:
 
- Network Connections shows no NIC / is blank (although I'm here on your site now so definitely have one).
 
- Firefox started to show Yahoo as the default search engine about a month ago. I had it set to Google. At the time I thought it was because I had accidentally clicked yes to a "Set search default to Yahoo" when running the setup.exe for some free software I had downloaded. Now I'm not sure it was me that made the change to my default search engine.
 
- I disable Internet Connection Sharing but it keeps re-enabling itself and trying to start (but fails to because I have Remote Access Connection Manager disabled).
 
- MSConfig says my pc has several services who... Read more

Answer:Found and removed (?) Trojan.Agent.ED using MBAR, now GMER reports rootkit?

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX. Type Notepad and click the OK key. Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-18\...\Run: [] => [X]
GroupPolicyScripts: Restriction <======= ATTENTION
GroupPolicyScripts\User: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2975365810-1069161605-3862974675-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
FF Plugin: @java.com/DTPlugin -> C:\Program Files\Java\jre6\bin\npDeployJava1.dll [No File]
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.24.7\npGoogleUpdate3.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [{F003DA68-8256-4b37-A6C4-350FA04494DF}] - C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt => not found
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/c... Read more


Hello, I'm running Windows 10 on my older desktop computer. Windows Defender had given me an announcement that it found root kit Patched, and to take action. By this point, I had lost all internet capabilities. I used the defender tooltip to quarantine and restarted the computer. Determining that the issue had already taken hold, I tried to run MBAM to see if I could clear anything up. MBAM will not run, as it says DNSAPI.dll is not found on the computer. Also, went ahead and started running tools that you guys have asked me to use in the past. Security Check came back with nothing unusual, but FSS was unable to use ipconfig, Localhost returned errors, Localhost was blocked. If you need anymore information I'd be grateful for the assistance in dealing with this issue.

Answer:Defender found rootkit Patched

Please follow the instructions in the Malware Removal and Log Section Preparation Guide starting at Step 6.
If you cannot complete a step, then skip it and continue with the next.
In Step 6 there are instructions for downloading and running FRST which will create two logs.
When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. Start a new topic, give it a relevant title and post your log(s) along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. If you cannot produce any of the required logs... start the new topic anyway. Explain that you followed the Prep. Guide, were unable to create the logs, and describe what happened when you tried to create them. A member of the Malware Removal Team will walk you through, step by step, on how to clean your computer.
After doing this, please reply back in this thread with a link to the new topic so we can close this one.
 
DO NOT bump your new topic. Wait for a response from one of the Team Members.


Started having popups on my wife's laptop so I ran a scan with Avast and it detected win32:rootkit-gen[rtk].
I used Avast to try and get rid of win32:rootkit-gen[rtk] and it said it was successful.
I ran another scan and now there are about a dozen files with win32:webcake-a[adw].
I am currently running a boot scan with Avast.
The operating system is windows 8.
Any help would be appreciated.

Answer:Avast found win32:rootkit-gen[rtk] now I have win32:webcake-a [adw]

Hi BoneFish -
win32:rootkit-gen[rtk] seems to be a favorite of avast! Antivirus (I assume you have avast! installed) - While this program runs see How To Temporarily Disable Your Anti-virus
Scan your machine with ESET OnlineScan
This is best done with Internet Explorer as it uses Active X to download - Directions for alternate browsers are included if you do not use Internet Explorer
1. Hold down Control and click HERE to open ESET OnlineScan in a new window.
2. Click the ESET Online Scanner button.
3. NOTE: For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- 1. Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
- 2. Double click on the ESET Online Scanner icon on your desktop.
4. Check "YES, I accept the Terms of Use."
5. Click the Start button.
6. Accept any security warnings from your browser.
7. Under scan settings, check "Scan Archives" and "Remove found threats"
8. Click "Advanced settings" and select the following:
Scan potentially unwanted applications (PUPs)
Scan for potentially unsafe applications
Enable Anti-Stealth technology
9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this will take some time to download the program for a first time, and then download updated data base (1 to 2 hours is not unusual)
10. When the scan completes, click List Threats
11. Click Export, and ... Read more


Hi, I suspected there may be a virus on my PC. I have a VGA cable to my monitor and an HDMI to my TV which I use 90% of the time, but the other day there was a pop. It may have been my AV receiver clicking but it sounded like a fuse blowing near my PC. I lost my picture on the TV so had to restart the PC but no joy; however my monitor was working. My Onkyo AV receiver was connected to the net and this had frozen on all outputs, though once I powered off at the plug my cable and console were fine but nothing from my PC via the HDMI.
I then set about playing with Catalyst Control Center to try to get the display back but it just would/will not detect my TV anymore. I turned my PC off during this time and when trying to access CCC it said drivers were not installed? I have reinstalled the latest drivers and all and atm have the PC connected via VGA (I think, standard blue with 2 screws).
I ran Malwarebytes (found 1 PUP only - removed) today to see if a virus could have caused these issues and whilst doing so Windows Defender popped up for the first time I remember and said Trojan.Win32 dynamer!Dtc had been found, so I searched that and here I am.
Obviously I'd appreciate a fix but I would also like your opinion on whether this is likely the problem with my display. I mean, for the AV receiver to freeze and the pop noise, I did wonder if my HDMI slot on my AMD Sapphire HD 6770 had failed?
The only other thing to note is that both Java and Adobe have asked me to update recently, I often... Read more

Answer:Win Defender found Trojan.Win32 dynamer!Dtc

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there. CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/532227 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more


Hi, I recently acquired a new laptop which is approximately a week old. I have Spybot Search & Destroy, Malwarebytes and Windows Defender enabled by default, all of which are the free version.
Since yesterday, Windows Defender has been periodically informing me about a new infection (about once every day): Trojan.Win32/FakeChrome.A.
 
I'm running Windows 8.1 Home edition which is probably why I'm unable to run DDS (stated in the preparatory guide). It gives me an error about compatibility issues.
 
I have run a full scan with Spybot Search and Destroy, Malwarebytes and Windows Defender.
Spybot Search and Destroy came up with multiple results, Malwarebytes and Windows Defender empty. (This is post removal of the trojan via Windows Defender)
 
Thanks in advance!

Answer:Trojan.Win32/FakeChrome.A found by Windows Defender

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/541324 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

15 more replies

Annoying rootkit infection. I ran the most current TDSSKiller available; it is able to detect Rootkit.win32.backboot.gen but there is no option to "cure" it. It starts up an annoying "winrscmde" that eats up my memory. Argh, I knew I should have reinstalled and fixed my AVG when I had the chance... Oh well, I reap what I sow.

Thanks~
Hiriko

No GMER log because I'm running 64bit.


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_22
Run by Hiriko at 23:44:34 on 2011-12-10
Microsoft Windows 7 Home Premium 6.1.7600.0.932.81.1033.18.4094.2409 [GMT -7:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\PROGRA~2\AVG\AVG10\avgrsa.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\s... Read more

Answer:Rootkit.win32.backboot.gen found

I managed to fix it.

If anyone else is having issues you can also use the "Restore" option. Then run Kaspersky's Virus Removal to get rid of anything left over.

2 more replies

Tried to run a computer game earlier and got a warning by Avast that said "rootkit blocked" and then said it was "win32:rootkit-gen [rtk]". Ran Malwarebytes and it didn't find it, just two "trojan.agent" viruses.

I'm pretty sure it came from a pop-up ad because AVG actually detected the same exact thing right when the pop-up came up (about 3-4 days ago), but since then I have had no issues with it and ran Avast/AVG scans and they both found nothing.

Can someone help me get rid of this? Thanks in advance
 

Answer:win32: rootkit-gen [rtk] found by avast

HijackThis log:

Running processes:
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
C:\Program Files\ASUS\ATKOSD2\ATKOSD2.exe
C:\Windows\System32\rundll32.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\AsScrPro.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http:... Read more

1 more replies

Tonight an Avast virus scan detected the following virus in a Fox News Talk .dll file on my laptop (Vista):

Win32:Rootkit-gen[rtk]
Status: Threat
Severity: High

I quickly aborted the scan to dispose of the virus. Avast recommended a Move to Chest, but that didn't work. ("Error: Access Denied," or something like that.) So I decided to delete the infected file, and, thankfully, that action was successful. I am currently running a full virus scan to see if anything else shows up.

Since the virus has been deleted, do I have anything to worry about? How can I determine if any damage has been done to my laptop as a result of having had the virus?

Thank you.
 

More replies

My last Avast 4 deep scan revealed the above rootkit in C:\Program Files\btbb-wcm\MccTrayApp.exe
I would appreciate any advice on how to remove it.
I have scanned the PC with HiJackThis, resulting in the following log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:24:58, on 09/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\Home Cinema\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\PROGRA~1\VCOM... Read more

Answer:Avast found Win32:Rootkit-gen[Rtk]

I forgot - I also run the Zonealarm free firewall. Looking at some of the other posts, I have downloaded and run Malwarebytes Anti-Malware 1.28. Here is the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1248
Windows 5.1.2600 Service Pack 3

09/10/2008 20:03:33
mbam-log-2008-10-09 (20-03-33).txt

Scan type: Quick Scan
Objects scanned: 60002
Time elapsed: 7 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hope this helps (although probably not as it found nothing)
Phil.
(PS I have no idea where the line feeds went, I re-edit some in and they still vanish when I post. I hope this is not too unreadable)
 

3 more replies

Tried to run a computer game earlier and got a warning by Avast that said "rootkit blocked" and then said it was "win32:rootkit-gen [rtk]". Ran Malwarebytes and it didn't find it, just two "trojan.agent" viruses. Odd that it only comes up if I try to run a certain game (NASCAR Racing 2003 Season).

I'm pretty sure it came from a pop-up ad because AVG actually detected the same exact thing right when the pop-up came up (about 3-4 days ago), but since then I have had no issues with it and ran Avast/AVG scans and they both found nothing.

Can someone help me get rid of this? Thanks in advance

Answer:win32:rootkit-gen [rtk] found by avast

Try running Malwarebytes again and see if the two trojan.agent viruses come up again.

16 more replies

I have recently had some issues with programs taking longer to load than they used to, with no changes to hardware or software. I have gone through a few free virus protections and when I recently installed Avast, it found multiple files infected with Win32:Rootkit-gen [Rtk]. I am not sure what to do next to try and remove it. Any help would be appreciated.

EDIT: I forgot to mention my OS is Win7. Also, I just ran a boot-time scan with Avast, and it found mirc.exe to be infected with PUP: Win32:Mirc-Z [PUP]. I don't know if these issues are related or not.

Answer:Win32:Rootkit-gen [Rtk] found by Avast

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to comp... Read more

3 more replies

Hi, I am new here. I just scanned my PC and it found something. I am very careful with my PC so I'm not sure how this got in? But OK, this is what it found. I use Avast: C:\program files[x86]\Googletoolbar notifier 1.5.1.1309.3572 Win32: Rootkit-gen RTK. The results are it was moved to the vault. Also, it says [ Embedded_R#4a898 ]. I have Windows Vista Home Premium Service Pack 1 and I have a 64 bit. If someone can please please help me with this. Also, should I delete it from the vault? I know for sure I have not downloaded anything so not really sure how I got this, and I had just scanned my PC two days ago and it was all fine. Thank you so very much, nancy. Also it was a SWG.DLL file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:49 PM, on 4/5/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Lexmark X1100 Series\LXBKbmgr.exe
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files (x86)\Common Files\aol\1223181017\ee\aolsoftware.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program... Read more

Answer:avast found Win32: Rootkit-gen RTK

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio... Read more

2 more replies

Hello, folks! I originally posted this in the XP forum, but now it seems a malware is involved, so I started a new thread here. The first part below is my original post with description of the problem; the second part is what I figured out so far...

-----------------------------------------------------------------------------
I am barely computer literate at a basic level, so please be gentle !

I have an older Dell 2400 with Windows XP home version, SP2.something. A couple days ago, it began locking up on startup; it would open up the screen that lets you select the user account, then begin to open up the user's page/desktop/account (not sure of the proper term), then would freeze in process after all the desktop, icons, etc. were displayed. The mouse cursor will move around, but that is about it. Nothing "highlights" when the mouse is over it, nothing can be selected, the Avast symbol stops turning, and the hard drive light quits flashing. It acts like it is trying to start a program that just jams the thing to a dead stop. It does this with all users on the computer. The task manager will not open at this point, either.

I started it back up in safe mode, and the accounts opened up fully (with limited programs, of course). I then ran several different virus scans (Adaware, Malwarebytes AW, Avast) and could find nothing.

Thinking it is something in the startup process, I went to run/msconfig/start, disabled everything there with "select all&quo... Read more

More replies

OS: Windows XP
Avast software & virus defs up to date as of 6/1/2011
Malwarebytes Anti-Malware software & virus defs up to date as of 5/29/2011
No new software or systems changes before infection.

Surfing search results when Avast encountered Win32:ZAccess-D.
Immediately turned off wireless connection. PC is not connected to the Internet.
Ran rkill to terminate possible rogue processes.
Scheduled Avast boot scan and rebooted pc.

Results: viruses found.
1) MIDI:CVE-2010-1885-G
2) Win32:ZAccess-D
3) Java:Agent-IF
4) MIDI:CVE_2010_0842

The Avast scan log only lists viruses #3 & 4 found & moved to virus chest but all 4 are listed in the virus chest at the time the scan took place.

After booting, the Avast virus real-time & web shields are turned off. They can not be turned back on.
The Windows Firewall is turned off and can't be turned on. When trying to turn the firewall back on the following message is given:
'Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service? Yes/No' Clicking Yes results in this message: 'Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.'

There is a considerable time difference in booting completely to Windows XP post infection.
Difficult time diagnosing other virus/rootkit issues because the CPU is running at 100%.

Finally able to have MBAM complete its full scan. N... Read more

Answer:Infected: Win32:ZAccess-D rootkit found by Avast!

Hello FerrisBueller, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
1. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!! Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users... Read more

8 more replies

Hello tech pros

I understand you guys are really busy, so if it takes time to get to my thread, I understand and I am being patient.
I am a music lover. This morning I found myself on this website [http://idmbreakingnews.blogspot.com/] where I clicked on a link to download some music. Silly me for being so trusting. I ended up with a Trojan called Rootkit.Win32.Agent.pp

I have Norton Antivirus installed (with definitions as current as this morning) and I ran a full system scan. Norton picked up the Trojan and 'supposedly' repaired the problem. I, however, don't trust that all the 'baddies' are gone from my machine. The reason for this is because I did some research on the specific Trojan and what I read is that it hides other programs in your computer. I know antivirus programs sometimes miss things, so my question is this.... Can somebody please help me to thoroughly scrub my computer of any potential 'bad guys' that may be hidden? I would be very appreciative.

I am currently using a different (clean/fresh OS install) computer in my house to write this thread.

Thank you for your time

Answer:Rootkit.Win32.Agent.PP found.. supposedly removed..

IMPORTANT NOTE: Rootkit.Win32.Agent.pp is related to a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow them to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit
If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. ... Read more

4 more replies

Hello, I have a serious problem!First of all: I'm running Windows XP on an HP Mini 1000. I am currently downloading Microsoft Security Essentials. I am on a public college wifi network. I have backed up my data.I have asked for help elsewhere and have not been able to receive it yet. (All other topics online have been closed, offline resources have been exhausted- my IT department is currently closed and the only worker there told me to just run TDSS Killer. :/ )At the insistence of others, I have run Malwarebytes and TDSS Killer. I have used TDSS Killer and done a reboot. My computer has been acting strangely afterwards- I have had pharming problems, desktop problems (when I logged in everything was gone, I had to use Task Manager to open command prompt and do a restore? not sure what to call it, but it worked), and issues with logging off and shutting down (it has slowed). Also, when I log in a Microsoft Security Essentials notification pops up saying there is a severe Win32 error (a trojan on YahooAU.exe, which just sounds silly) and that it has been suspended. I'm wondering if this could be a false Antivirus, or if it is actually a message from my network administrators. I ran Malwarebytes to get rid of the Malware, which seemed successful, but I began having problems such as my computer freezing, Youtube videos skipping, and my icons on the desktop deleting themselves and then reappearing after logging back on. When I ran TDSS Killer (I was told to by an IT w... Read more

Answer:\HardDisk0\MBR Rootkit.Win32.TDSS.tdl4 Found, how to remove?

Hello gundanium_freak,
Let's go about this a little differently. Though you actually did right by running TDSSKiller, sometimes that isn't the only problem, and it isn't designed to deal with anything but that.
This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.
* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
1. Download this file - combofix.exe http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
If you have trouble running it the first time, then rename ComboFix.exe to gundanium.exe and try again.
Thanks,
tea

5 more replies

TDSSKiller picks up a suspicious item, rootkit.win32.backboot.gen, and AVG is catching and quarantining trojan.backdoors several times a day. I need help to remove and stop whatever is letting them in. Will greatly appreciate any help..

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Administrator at 18:18:18 on 2011-09-20
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8157.5040 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG10\avgchsva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows... Read more

Answer:Rootkit.win32.backboot.gen found by tdss and trojan backdoor by avg

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/419795 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies

My AVG Free picked up a trojan horse and locked up. I tried to download the fix from AVG, and it unlocked, but did not fix it. My browser was re-directing. I followed some online instructions and ran OTM, Goredfix, and TDSSKiller in that order. It seemed to fix the problem, but I could no longer connect to the internet or my network. I downloaded the Microsoft patch to repair the TCP/IP and ran it and it did not work. I then ran Kaspersky virus detection and it found and cleaned 4 items, all the same, called "Rootkit.win32.Zaccess.J". I believe that the computer is now clean, however, I cannot connect it to the internet or my network. There are no connections to HTTP, HTTPS, or anything. I have been busy downloading your instructions and programs and shuffling them to the computer via a zip drive. Attached are the logs you requested. Please help!! I do not know much about fixes, just what I read online and I am hoping that I didn't make this problem worse by what I have done.

Bob
Attachments: dds.txt (12.53KB), GMER.log (5.67KB)

Answer:rootkit.win32.zaccess.j virus found but no network connections available

Hello and Welcome to the forums!
My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)
Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job this is normal.
You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn... Read more

5 more replies

Operating system: Windows XP Professional 2002 Service Pack 3:

After a recent infection of a Trojan I was able to remove the problem using my anti virus software but I was still getting pop-up tabs in Firefox (I do not use IExplorer). Malwarebytes' Anti-Malware found four risks: Trojan.Hiloti, Trojan agent (x2), Trojan Agent SETUP.EXE, and PUP.BHO. Further scanning with TDSSKiller found Rootkit.Win32.TDSS.tdl4 and removed it upon shutdown and restart. However, I am still having problems as IExplorer resets the start page to hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&clcid=0x0409&pver=6.0&ar=home and will not allow changes to settings. Also, I am unable to set any properties of folders, such as view hidden files and folders, or change desktop settings though I have administrator rights on this account - I get no errors when attempting to make changes, they just don't take.

I'm not certain what to try next. Thank you for any light you may shed on these problems.

As per the instruction on "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" I have run the DDS and GMER tools.
DDS (Ver_10-12-12.02) - NTFSx86
Run by Kevin at 12:54:10.18 on Tue 02/08/2011
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23

============== Running Processes ===============

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared&... Read more

Answer:TDSSKiller Found Rootkit.Win32.TDSS.tdl4 and removed

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!Please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.In order for me to see the status of the infection I will need a new set of logs to start with.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

42 more replies

Hi and thanks for a very helpful forum. I read through all the malware removal instructions and have completed the step-by-step cleaning process (which seems to have worked) and now would like to confirm that my system is actually clean. Please see attached logs. Note: ComboFix did run but then froze during the "preparing log report" phase, so the attached ComboFix log is just the txt I found in the folder, not the full zip log. Also, RootRepeal failed to run at all (in normal or safe mode).

More info about the infection:

AVG found Crypt.AQLW but couldn't fully clean it
CPU & HD constantly at 100%, firewall had been disabled, internet traffic going mad & link redirection - immediately disconnected from internet
SUPERAntiSpyware found and cleaned Trojan.Agent/Gen-Loader
MalwareBytes Anti-Malware found and cleaned Exploit.Drop.CFG
ComboFix found and cleaned Rootkit.ZeroAccess ... but failed to generate full report. CPU dropped to normal after this!
RootRepeal failed to run
MGTools ran normally

Note: Before finding this forum, I also found advice to run Kaspersky TDSSKiller which I did, and it did find something, but didn't fix the issue. Log for that attached as well.
 

Answer:AVG found Crypt.AQLW and subsequent scans found Rootkit.ZeroAccess

More logs ...

Note: It says in the ComboFix.txt that AVG was still enabled (and it also gave me that warning message) but I had already used the recommended AVG removal tool and AVG was no longer installed or running at the time.

I've now updated my OS and all my software, have switched to MS Security Essentials and re-enabled firewall etc.
 

17 more replies

After using several different malware/adware, rootkit, and virus scan tools I attempted to clean up my system of multiple issues. Some of these are recurring and it seems I have an increase in " <====== ATTENTION" entries on the Farbar log from previous scans. Obviously, I don't have the expertise to fix any remaining issues and need help. Here are the 2 Farbar scan logs:
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-03-2016 01
Ran by xnamex (administrator) on GW01 (09-04-2016 14:06:52)
Running from C:\Users\xnamex\Desktop
Loaded Profiles: xnamex (Available Profiles: xnamex)
Platform: Windows 8.1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Apple Inc.) C:\Program Files\Bonjour\mDNSResponder.exe
(Intel® Corporation) C:\Program Files\Intel\iCLS Client\HeciServer.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\DAL\Jhi_service.exe
(Symantec Corporation) C:\Program Files (x86)\Norton 360\Engine\22.6.0.142\n360.exe
(NTI Corporation) C:\Program Files (x86)\NTI\Gateway MyBackup\ISch... Read more

Answer:Farbar found: LinkSwift while EEK found: Application.Win32.WSearch (A)

Hello chriffan and Welcome to the BleepingComputer.   
 
My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
Ensure your external and/or USB drives are inserted during the scan at all times.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
If you have illegal/cracked software, cracks, keygens, etc. on the system, please remove or uninstall them now!
I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
Please reply to this thread. Do not start a new topic.
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open as administrator t... Read more

28 more replies

I'm not sure when my computer was infected, but on Wednesday morning I logged into my email and saw that my eBay selling account had been hacked, and the hacker(s) made 55 transactions through my PayPal account (draining my existing PayPal funds, then my bank account, then my credit card...the latter two were attached to my PayPal account and those transactions were still pending). I made all the necessary phone calls, then changed my eBay and PayPal emails using a friend's computer (which had just been reformatted the day before and hadn't been online before I used it that day). I neglected to change the password for the email I had associated with my eBay account, and the next day, my eBay account had been hacked again, but eBay had unlinked my PayPal account due to the suspicious activity the day before so no transactions went through. I then changed all passwords again, including my email password. That seemed to do the trick. I got home today and got back on my computer, then ran a scan on avast, which found Win32-Spyware (I clicked "Move to Chest"). I also ran Malwarebytes and it found Codec-C.exe (Affiliate.Downloader), I quarantined this. And I'm not sure what else may be lurking on my computer, so I would be very grateful for any help.
DDS.txt log:
DDS (Ver_2012-11-07.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_37
Run by Dad at 21:47:29 on 2012-11-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033... Read more

Answer:eBay, PayPal accts hacked - avast found Win32-Spyware, Malwarebytes found Codec-C.exe (Affiliate.Downloader)

Hi nachtkitten and welcome to BC. Can you please post the resulting log of MBAM and Avast if they are still available.
Download TDSSKiller.zip from Kaspersky and save it to your Desktop.
Extract the zip file to its own folder.
Double click TDSSKiller.exe to run the program (Run as Administrator for Vista/Windows 7).
Click Start scan to start scanning.
If infection is detected, the default setting for "action" is Cure (please click on it and change it to Skip).
Click on Report to generate a log. Please post that log when you reply.

6 more replies

Windows 5.1.2600 Service Pack 3

Excessive disk thrashing led me to investigate the cause. Several scans of various online and installed tools turned up nothing but tracking cookies. So I started uploading the running processes to VirusTotal using their uploader. The results for ctfmon.exe and lsass.exe were returned as Win32.Banker from eSafe. I then uploaded C:\Windows\system32\drivers\atapi.sys. eSafe returned a result of Win32.Rootkit.

I ran GMER and got this dialog box: "GMER has found system modification, which might have been caused by ROOTKIT activity." Listed in red in the initial scan: "Service c:\documents (***hidden***) [AUTO] STacSV". Several scan attempts ended with BSODs before finally finishing in safe mode. Winlogon.exe maxed out one CPU core for most of the time during the scans. The resulting scan was copied to a txt file. Doesn't look good. "GMER has found system modification caused by ROOTKIT activity."

I've changed my financial info from a secure computer fearing the worst. I feel this repair is way above my DIY skill set. I prefer not to format/clean install. Hopefully this can be repaired. Waiting patiently for directions from the experts. Thank you for your time!

Answer:atapi.sys:Win32.Rootkit ctfmon.exe/lsass.exe:Win32.Banker GMER:system mod

http://www.computerhope.com/forum/index.php/topic,46313.0.html
Go to the above, complete it and post the 3 logs; an expert will look at them. Harry

13 more replies

Good evening:

About two hours ago I ran a key generator and my !Avast came up with the following message:
Sign of "Win32:rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\drivers\beep.sys" file.
It suggested I put it in the chest (quarantine) so I did. I immediately ran spybot and ccleaner and nothing important came up. I restarted the computer and everything seemed ok upon reboot. I used a scan feature !avast has in the quarantine section and it said: action is completely successful - no virus. I did the scan a few more times and it still said no virus. Just to be sure I ran microsoft's malware removal tool and again I had no infections.

Here is my Hijackthis link I ran upon rebooting my computer for the second time after running ccleaner, spybot and the microsoft malware removal tool:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:55, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Progra... Read more

More replies

I downloaded what I believe is the Vundo virus ( http://en.wikipedia.org/wiki/Vundo ) which kept bringing up a false spyware company, I downloaded and ran Vundofix which seemed to get rid of it but now I keep getting the following errors whenever I log onto my computer in Windows Defender:

Trojan:Win32/Hiloti.gen!A
PWS:Win32/Daurso

I have found my problems to be very similar to another thread ( http://www.techsupportforum.com/f100...up-404528.html )

I performed the combo-fix steps exactly as explained in forhockey's post and created the following file named ComboFix.txt on my C:/

ComboFix 09-09-23.02 - Owner 24/09/2009 16:42.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1257 [GMT 10:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\wiaserva.log
c:\documents and settings\Owner\Start Menu\Programs\Startup\ikowin32.exe
c:\documents and settings\Owner\Start Menu\Programs\Total Security
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\windows\Installer\1208efd.msi
c:\windows\Installer\2af1c73.msp
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serv... Read more

Answer:Trojan:Win32/Hiloti.gen!A PWS:Win32/Daurso.A repeated errors.

Sorry to bump this thread early but I found the following thread. http://www.techsupportforum.com/f50/...lp-305963.html

In response, here is the DDS.txt, and attached 'attach.zip'. I apologise for not doing this earlier, I tried to spend as little time online and missed this thread completely.


DDS (Ver_09-09-24.01) - NTFSx86
Run by Owner at 18:07:39.32 on Sat 26/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1377 [GMT 10:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft Offi... Read more

1 more replies

Hi,

I've been chasing this issue for a couple of days and would appreciate another set of eyes to look at my problem. I was helping a colleague who had a Fake.AV malware infection and have infected my own PC in the process. When the fake alert popped up, I immediately shutdown my PC, booted into safe mode and ran Super Anti Spyware. It found the infected files and removed them. I thought I had dodged the bullet, but over the next couple of days, I started having issues with my internet connections, so I continued to scan with other tools to identify the problem. I've run Spybot SD, MBAM, Gmer and Hijackthis and the only thing I can see from these logs is a reference to mbr.sys and catchme.sys in the Gmer log files. Not sure if the catchme.sys is a false positive based on my running gmer, but the mbr.sys has me really concerned that I have a rootkit infection. Here are the Gmer.log results:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-17 23:09:31
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\SMcEvoy\LOCALS~1\Temp\ffliykog.sys

---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\SMcEvoy\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\SMcEvoy\LOCALS~1\Temp\catchme.sys... Read more

Answer:mbr.sys found with Gmer

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report. Please download OT... Read more

2 more replies

Didn't know where to put this since it's not a HijackThis log. I got online, a Road Runner page popped up saying I sent them unsolicited/spam and that it's most likely from my computer being unsafe and to fix it or they'll shut off my internet, then I had to click a link to turn my internet back on. So I scanned with gmer and it said RootKit detected. Can anyone help, I'll post the log.

GMER 1.0.15.14878 - http://www.gmer.net
Rootkit scan 2009-03-10 01:21:48
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\50b0607c.sys ZwCreateEvent [0xF6A34815]
SSDT \SystemRoot\System32\drivers\50b0607c.sys ZwCreateKey [0xF6A32905]
SSDT \SystemRoot\System32\drivers\50b0607c.sys ZwOpenKey [0xF6A329B9]
INT 0x01 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F681459A
INT 0x03 \SystemRoot\system32\DRIVERS\ati2mtag.sys (ATI Radeon WindowsNT Miniport Driver/ATI Technologies Inc.) F6814655

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\drivers\50b0607c.sys ... Read more

Answer:Root Kit Found (Gmer)

I have already responded in your other thread here. Please do not start new threads or duplicate topics as this causes confusion and makes it more difficult to get the help you need to resolve your issues. Thanks for your cooperation.This thread is closed. If you have any questions. Please PM me or another Moderator.

1 more replies

Hey. My last AVG scan showed a trojan in with the Java files, which I hope it has dealt with. I thought I'd post on here just to make sure, but now I have another problem.

I ran dds but only got one of the logs back, I'll post that below. gmer was a bigger problem. First time I ran it, it got so far, "stopped responding" then closed. I tried to run it again and got the blue screen of death.

Rebooted and tried again. It got further through scanning this time then went straight to a BSOD. Any ideas why this happened? Here is the DDS log below.



DDS (Ver_10-11-27.01) - NTFSx86
Run by Ash Chick at 0:25:39.30 on 30/11/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_22
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3326.2124 [GMT 0:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System3... Read more

Answer:Trojan found - gmer crashes

72 hour bump.

1 more replies

Computer runs very slow, multiple task managers open, constant pop ups in Mozilla - so I uninstalled it.

I ran Avira and removed
TR/Crypt.EPACK.Gen2
HTML/Infected.WebPage.Gen2
TRIAlureon.Dx155

I ran ESET and removed RECYLER/S

They just keep coming back!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Browser at 8:54:26 on 2011-08-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.99 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Fi... Read more

Answer:[email protected] code has been found by GMER

Hello and welcome. Please follow these guidelines while we work on your PC:
Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
Please do not run any scans or install/uninstall any applications without being directed to do so.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop.
Execute TDSSKiller.exe by double-clicking on it.
Press Start Scan.
If malicious objects are found then ensure Cure is selected. Important - if there is no option to "Cure" it is critical that you select "Skip".
Then click Continue > Reboot now.
Once complete, a log will be produced in c:\. It will be named, for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt. Post that log, please.

Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Con... Read more

12 more replies

I started cleaning up my cousin's computer because a Generic Host Process for Win32 services error was occurring which opened a timer box (DCOM Server Process Launcher terminated unexpectedly. System will shutdown in 60 sec.) forcing computer shutdown. In the process of fixing that, I updated and ran MBAM and found nothing. I updated and ran AVG Free and got an AVG Alert that said "Accessed file is infected. Threat successfully blocked."
File name: 94.102.55.10/index.html
Threat name: Exploit Rogue Scanner (type 1027)
Process name: C:\Windows\system 32\svchost.exe
Process ID: 1232
I decided to run DDS and GMER and ask for your help. Here are the logs:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Theofiel Dib at 1:55:46.82 on Sun 02/21/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.87 [GMT -5:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Content Filter\SafeEyes.exe
C: ... Read more

Answer:GMER found suspicious modification

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.
I will be working on your malware issues; this may or may not solve other issues you may have with your machine.
Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
We need to see some information about what is happening in your machine. Please perform the following scan:
Please download OTL from one of the following mirrors: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will o... Read more

23 more replies

Have been having tons of trouble with my PC. It is running very slow with many strange processes and things in the task manager. Usually they are bundled under: Browser_Broker, AMD External Events and several other generic looking names. Ran several antivirus software programs and they turned up nothing, but I came across the GMER program online and it turned up a bunch of rootkit activity, whatever that means.
Also have noticed that websites look different on this PC than I would expect them to, and weird files are in my downloads. A few examples: jdk-8u101-windows-x64.exe, desktop.ini etc.
I have no idea what is going on. Please help me!!!
 
 
Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 21-08-2016 01
Ran by someone (administrator) on DESKTOP-N876J87 (26-08-2016 17:15:55)
Running from C:\Users\someone\Downloads
Loaded Profiles: someone & New User (Available Profiles: someone & New User)
Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Realtek Semicondu... Read more

More replies

As I have read on past posts I have downloaded DDS and GMER and ran them both. I have attached the text file to this post. The DDS scan ran fine and i have both txt attachments. When I ran the GMER, at 25% I noticed the mbr.sys file was found and after sitting at 25% for a few minutes I received the BSOD. After rebooting, I ran the GMER again and it did not find anything and so there is no GMER log to save. Below is a description of the problems I am having.

After Windows Vista starts up, any program I try to run or window I click on, the blue wheel starts spinning and will not open at all or takes forever to process. If and when I can open task manager I have verified that the running processes are the normal windows processes and no additional programs are running. I have done battery & memory tests and they check out fine. I have 2.50gb of ram and they operate as they should. When I boot into SafeMode with Networking it appears to run somewhat faster but the wheel will still spin often and take awhile to load things.

I use my laptop for everything including work and its as good as useless right now as nothing will run.

All your help will be much appreciated and I hope we can find the solution. Thank you.

Answer:mbr.sys found with Gmer Possible Root Kit Infection

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for post... Read more

2 more replies

Hello,

My computer is infected with this virus/spyware System Security Version 4.52. I am unable to open a browser to get the log files mentioned in the instructions on how to remove the malware. I tried using my laptop to download dds.scr and gmer.exe and copied them to the infected PC. But the programs won't run or do anything. It seems that the whole computer is hijacked. Please help.
Thanks
Anu

Answer:rundll32.exe not found error. Cannot run dds or GMER

Here is the latest update. When I logon now, I get the popup saying cannot find rundll32.exe Application not found. After I click ok, nothing works. I cannot open any application.

19 more replies

I'd posted elsewhere about a problem I was having with Cyberghost VPN communicating with my computer, even though I uninstalled it completely about six months ago. I'd started using Glasswire, and that showed I was getting a lot of communication throughout the day from them, but for no good reason. Very confusing for a dummy like me. In Glasswire those communications were listed as a SVCHOST process. And that's interesting, because I just ran GMER for the first time, and sure enough it found some stuff, including some SVCHOST.exe's. I'll attach a pic of this, hopefully someone can tell me if this is something I need to worry about.
https://plus.google.com/104526436738082001314/posts/buNP8rbXeBa
 
...and that unknown MBR code concerns me too.

Answer:GMER Antiroot found something. Should I worry?

Cancel this for now.  I'm going to do a system recovery.  I have other issues too and my recovery drive should fix everything--I hope.  If somebody has some useful feedback about my earlier post then feel free to respond.
 
Thanks

2 more replies
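Several of the posts above (the mbr.sys hits in GMER, the "unknown MBR code" worry here) come down to one question: has the first sector of the disk been altered? The check below is an added example, not code from any of these threads or from GMER; it parses a 512-byte MBR (440 bytes of boot code, the 4-byte disk signature at 0x1B8, four 16-byte partition entries at 0x1BE, the 0x55AA signature at 0x1FE), compares the boot-code hash against a baseline captured from a known-clean image, and flags a large unpartitioned tail, which is where bootkits of the TDL4 family keep their hidden storage. The disk size, boot-code bytes and baseline hash are constructed for the demonstration and are not real disk contents.

```python
"""Check a 512-byte MBR sector against a trusted baseline and the partition layout.
Added example: the sector bytes, disk size and baseline hash below are all
constructed for illustration; they are not taken from any machine in the threads."""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # code region ends where the 4-byte disk signature starts (0x1B8)
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
SIG_OFF = 0x1FE           # 0x55AA boot signature

def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature, signature flag and partition list."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) LBA length(4)
        status, ptype, lba_start, lba_len = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:                       # type 0 = empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "start": lba_start, "end": lba_start + lba_len})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[0x1B8:0x1BC])[0],
        "signature_ok": sector[SIG_OFF:SIG_OFF + 2] == b"\x55\xAA",
        "partitions": parts,
    }

def check_mbr(sector: bytes, baseline_sha256: str, disk_sectors: int,
              slack_limit: int = 2048) -> list:
    """Return a list of warnings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    warnings = []
    if not info["signature_ok"]:
        warnings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        # Bootkits such as TDL4 overwrite this region and stash the original sector elsewhere.
        warnings.append("boot code differs from trusted baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        warnings.append(f"{len(bootable)} bootable partitions (expected 1)")
    last_end = max((p["end"] for p in info["partitions"]), default=0)
    if disk_sectors - last_end > slack_limit:
        # A large unpartitioned tail is where some bootkits keep their hidden file system.
        warnings.append(f"{disk_sectors - last_end} unallocated sectors after last partition")
    for p in info["partitions"]:
        if p["end"] > disk_sectors:
            warnings.append(f"partition {p['index']} extends past end of disk")
    return warnings

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a test MBR: boot code, constructed disk signature, table, 0x55AA."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions).ljust(64, b"\x00")
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x11\x22\x33\x44" + b"\x00\x00"
            + table + b"\x55\xAA")

# Constructed test data (assumptions, not real disk contents).
DISK_SECTORS = 1_000_000
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007c") + b"\x90" * 8  # stand-in bytes
CLEAN_TABLE = [(0x80, 0x07, 2048, DISK_SECTORS - 2048 - 512)]  # one bootable NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_TABLE)
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]    # "captured" from the clean image

# Same disk after a bootkit: different boot code and 32768 sectors carved off the tail.
INFECTED_BOOT_CODE = bytes.fromhex("eb3690") + b"\x00" * 20
INFECTED_TABLE = [(0x80, 0x07, 2048, DISK_SECTORS - 2048 - 32768)]
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, INFECTED_TABLE)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, check_mbr(mbr, BASELINE_SHA256, DISK_SECTORS) or ["ok"])
```

On a live Windows machine the sector comes from `open(r"\\.\PhysicalDrive0", "rb").read(512)` run as administrator, and the baseline should be the hash of the same OS's boot code taken from a machine you trust. Reading the sector from inside a system you suspect is exactly the weak point these threads are circling: a kernel-mode rootkit can filter disk reads and hand back the original sector, so for a real verdict read the disk from boot media and compare.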

I really can't believe this.. I did an update from Windows and updated the new Windows Media Player (I hope this new player doesn't track what I play).. then my computer ran sluggish and my IE ran slow but Firefox ran fine.. WTF! I did ComboFix.. fixed the sluggish problem.. then did SPFIX but could not remove the two rootkits that were in the Windows TEMP folder (told me to go to gmer)... fa56d7ec.$$$ bca4e2da.$$$ Now I have two more in there: ZLT042ca.TMP ZLT0428b.TMP
I ran Gmer.. Now what do I do??? How do I delete those bad Root Kits Please? It didn't give me an option. I ran RootKitRemover (it found alot) but don't know how to use that too??? Please help! Thank you! Windows XP service pack 2. Is that all rootkit bad guys on the list?
GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-06-20 07:30:14
Windows 5.1.2600 Service Pack 2
---- System - GMER 1.0.14 ----

SSDT 82B67F30 ZwAllocateVirtualMemory
SSDT sbhr.sys ZwClose [0xF7B24514]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwConnectPort [0xEEE0B040]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xEEE07930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xEEE12A80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreatePort [0xEEE0B510]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateP... Read more

Answer:Gmer found Root Kits Now what do I do?

Can someone please help! How do I delete the files that GMER found? GMER can delete those rootkit files, right? Please help!!! Thank you!
 

1 more replies

So, this is a newer netbook, almost 8 months old. I don't know how I got these because I have had anti-virus running from day one.

Anyway, it all started when I was on Facebook: it just went to a different page and I never clicked on anything, then MS Security Center popped up saying everything was infected, and kept telling me that I didn't have an antivirus program and I couldn't do anything but keep going to this ad to buy one... Which was odd because Avast was running. I opened Avast and did a quick check and found the first one, Dracur_c, but when I tried to do the action to move it to the chest it was telling me that there was not enough room on disc... and my disc is NOT FULL. ODD, so I deleted it and it worked. I can not copy and paste the results (if I can, I don't know how), but I will tell you it was in: C:/system volume information/_restore{ number letters}.dll and .EXE and it was also in C:/windows/system32/fwcfg32.dll listed TWICE

I then restarted the computer in safe mode and did a full scan and it then found it again in system volume information/restore{letter numbers}.DLL twice, and then in Windows/system32/75.tmp..

This morning it was still acting weird when I started IE, redirecting me when I would use Google, and when I would send an error log to MS the page never loaded and then I would get a popup ad. So I ran another Avast scan and GOT the win32:trojan-gen, win32:alureon-hd, win32crypt-gwl that came up... This time it was found in my TEMP folder as an EXE and one in my ... Read more

Answer:avast found win32:dracur_c, win32:trojan-gen,win32:alureon-hd, win32crypt-gwl

14 more replies

Referred from here: http://www.bleepingcomputer.com/forums/topic416290.html ~ OB

I ran TDSSKiller and Rootkit.Win32.ZAccess.c and a hidden file came up. Clicked cure and relogged. When I ran the scan again, they came up again. Tried to follow the prep guide but couldn't get DDS to work so was told to run RSIT.exe instead. I'll include both logs. I then tried running gmer.exe but halfway through the scan it shut off. Had the same issue with MBAM. I have a screen shot of the TDSSKiller results and logs; if they are required I'll post them in my next post. Here are the RSIT.exe results. Let me know if there is anything else you may need. Thank you

Logfile of random's system information tool 1.09 (written by random/random)
Run by Customer at 2011-08-29 22:56:11
Microsoft Windows XP Professional Service Pack 3
System drive C: has 50 GB (88%) free of 57 GB
Total RAM: 1014 MB (63% free)
======Scheduled tasks folder======
C:\WINDOWS\tasks\MP Scheduled Scan.job
=========Mozilla firefox=========
ProfilePath - C:\Documents and Settings\Customer\Application Data\Mozilla\Firefox\Profiles\wci1cj79.default
prefs.js - "browser.search.useDBForOrder" - true
prefs.js - "browser.startup.homepage" - "www.google.ca"
prefs.js - "extensions.enabledItems" - "{AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198, {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}:6.0.16, {635abd67-4fe9-1b23-4f01-e679fa7484c1}:2.1.2.20100119... Read more

Answer:Rootkit.win32.ZAccess.c/Hidden file. Unable to run MBAM, AV and gmer.exe

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic button and select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will ap... Read more

42 more replies

Hello!
My name is Shauran, got this problem deleting what GMER detected. Tried deleting it in the cmd prompt provided by GMER but got an access denied error. Searched the registry and found a lot of 001f8100011c. I've already searched the net and it seemed like there is no common fix for this. I look forward to your help, guys..
TIA
 
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-26 12:17:15
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ExcelStor_Technology_J340 rev.V22OA63A 38.35GB
Running: Axo0n0skq.exe; Driver: C:\DOCUME~1\Siyak\LOCALS~1\Temp\kwldqkog.sys
 
 
---- Kernel code sections - GMER 2.1 ----
 
?    C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS                                                      The system cannot find the file specified. !
 
---- Registry - GMER 2.1 ----
 
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f8100011c                      
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\[email protected]         0x5F 0xB9 0x1A 0x98 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001f8100011c (not active ControlSet)  
 
---- EOF - GMER 2.1 ----

Answer:Cannot delete registry keys found by GMER

Welcome aboard
 
It's not a good idea to start messing with the registry if you're not sure what you're doing.
There is absolutely no reason to remove anything since there is nothing malicious in the GMER log.
 
Are you having any computer issues?

1 more replies

My computer keeps re-directing and AVG finds numerous viruses and tracking cookies. I am a novice and need help. I have attached the logs below and the GMER program said it found rootkit activity.
Attached: gmerlog.log (12.31KB), dds.txt (13.45KB), attach.txt (19.77KB)

Answer:GMER found rootkit, computer re-directing

Hello takin advantage,
Download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
If malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)
Thanks,
tea

19 more replies

I ran the GMER program and it very quickly found the [email protected] malware. It asked if I wanted to do a full scan. I thought the better answer was yes, but now I'm not sure. Maybe if I'd said no, it would have proceeded more quickly to fix what it had already found, instead of now having to do a full scan first. I'd expect the full scan to take at least 12 hours, maybe as much as 36 or even more, based on other comprehensive scans done with other software.

So, should I stop GMER's full scan, restart it, and answer No instead of Yes?

Answer:Gmer found [email protected], should I let it do a full scan?

Stop the full scan.. Please go here.... Preparation Guide, do steps 6 - 9.
Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
Include the GMER log you already have.
Let me know if that went well.

3 more replies

Hi. I followed the steps in the preparation guide for use.... and when I ran GMER it only allowed me to scan "Services", "Registry", "Files" and my "C" drive, and when the scan was complete nothing was found, so I did not attach the Ark.txt file because nothing was on it.

My main problem is that for about a week I keep getting redirected every time I search in google and I click on a link. I mostly use Firefox and rarely use Internet explorer and Chrome. Any help will greatly be appreciated!

Here are my logs.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_29
Run by Alicia at 13:33:26 on 2012-05-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3835.2446 [GMT -4:00]
.
AV: Trend Micro AntiVirus *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro AntiVirus *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricte... Read more

Answer:Keep Getting Redirected using Google (Nothing found using GMER scan)

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At t... Read more

13 more replies

Greetings all, I appreciate any help on this one:

Last night a laptop user was browsing the web and got bit by some virus. He came in this morning; I tried booting to safe mode and running Malwarebytes, it died seconds into the scan and the exe went "File not found"... I decided this was probably out of my league without assistance, downloaded DDS, Defogger, and GMER. The user did have VirtualCloneCD installed, I uninstalled it and ran Defogger.

Attached are the dds logs, and a couple of screenshots from GMER... It won't complete a run without mysteriously dying. I figured this information was better than nothing.

Please advise,
-- Eran

Answer:Infected With Something Killing Malwarebytes/GMER, FILE NOT FOUND

I ran the Microsoft stand-alone sweeper on the machine; it cleaned some nasty bugs. I'll be checking to see if I can get GMER to run from safe mode, and I'll finally get around to creating a new WinPE stick.

3 more replies

Computer is very slow, especially on the web. Most websites return only "web page cannot be displayed". All connections check OK with other devices. GMER program found evidence of rootkits.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by cheryl at 13:15:56 on 2012-01-22
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3326.844 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 962\dlbxmon.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0314.0\mswinext.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\MINDDA~2\bar\1.bin\4pbrmon.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C: ... Read more

Answer:gmer found root kits, websites redirecting

Hi, Welcome to Bleeping Computer.
My name is Shannon and I will be working with you to remove the malware that is on your machine.
I apologize for the delay in replying to your post, but this forum is extremely busy.
Please Track this topic - On the top right on this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.
Do Not make any changes on your own to the infected computer.
Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Now, let's look more thoroughly at the infected computer - We need to see some information about what is happening in your machine. Please perform the following scan:
We need to create an OTL Report
Please download OTL from here: Main Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "Use SafeList"
Push the button.
Two reports will open, copy and paste them into your reply:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After down... Read more

7 more replies

First, hello all. This is my first post and I would like to thank everyone already for the great info I have found on the site in the past. I am a U.S. citizen and I live in Paraguay, South America. Someone in my home....... downloaded a piece of "free" software and instantly we began having fake AV warnings. I pulled the cable for the internet to break connection with the net as a precaution and have been tracking its trail since. I found a number of .exe files in the temp file. One would not delete, "Chy.exe". I searched it and found it harmful, so I began downloading and trying AV and trojan scanners until I found one that identified it and deleted it. I have a few other items as well and disinfected them also. I am very "gun shy", so to speak, to go back online without knowing we are back in order. I read the "preparation guide" and was preparing the files when the gmer app began to hang and crash. I have tried it a few times, deleted it and tried it again. Every time it crashes with \Device\HardiskVolumeShadowCopy1 in the window at the bottom left as if it were scanning it at the moment. I read up on this and restarted in safe mode and scanned with AVG 9 and I have that log attached as well as a HijackThis log. Thanks for the help. BTW I am posting from a laptop I have. I am only going online long enough to download the tools I need.

dds file
DDS (Ver_10-03-17.01) - NTFSx86
Run by kids at 10:40:40.33 on Sun 08/15/2010
Internet Explore... Read more

Answer:found Mal/fakeav(sophos) gmer crashes at hardiskshadowcopy1

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
DeFogger: Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more

22 more replies

Upon every reboot of my system, PWS:Win32/Daurso.A pops up in Windows Defender. It doesn't matter how many times I remove it using WD, it's always there after the reboot.

Some other problems that may or may not be related to malware/viruses:
Periodic slowdowns lasting 5-15 minutes where the CPU will rise to 100% usage despite not doing anything. Admittedly, this may or may not be related to my anti-virus software updating/scanning, not sure.

Any help would be appreciated. Thank you.

The requisite log, DDS.txt:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Roy at 18:52:12.93 on 2009-08-13
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.92 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponde... Read more

Answer:PWS:Win32/Daurso.A keeps popping up

Hi tommyknocker212,

Sorry for the delay in looking into your log, as we are extremely busy in this section of the forums. If you still require assistance and are not seeking help elsewhere, then please carry out my instructions.

Please subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Add Subscription.

** Note: Please stick with me until I declare that your system is free from malware. Even though your system may not have any symptoms of malware, it may still be infected. **

--------------------------------------------------------------

Please re-run DDS and post the resulting logs

8 more replies

Hello - Having an increasingly worrisome issue with the PWS:Win32/Daurso.A virus. Windows Defender catches it early on, I hit "Remove All", but then when I reboot, it returns. Have tried MalwareBytes, SuperAntiSpyware and Norman, but none have eliminated it. Also completely emptied Temp folders, which I originally thought had worked, but unfortunately did not. So I am stuck waiting for Windows Defender to catch it each time I boot up. Unfortunately, I can't attach a GMER log file, as when I ran GMER, after about 10-15 minutes, a blue screen would show up very briefly saying "Page Fault" and then the computer would shut down and restart. Tried GMER twice, both times this occurred. DDS log below, please help - thanks:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Islander09 at 10:19:49.94 on Sun 05/16/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.120 [GMT -4:00]
SP: Spybot - Search and Destroy *enabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\Sy... Read more

Answer:Infected by PWS:Win32/Daurso.A

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
Please download OTL from one of the following mirrors: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

26 more replies

Hey there, new to this online assistance as well. I will check back over the next 2 days to determine whether my topic is being answered and what info I need to send you from my computer...

Anyways, Windows Defender says win32/daurso.a is apparently on my computer. I have already tried to remove it by using ComboFix first, then Malwarebytes, but Daurso remains. I looked for another way to get it off and was directed to HijackThis by Trend Micro. I can scan a log file and post it in here if that is necessary. If there are some standard instructions that I can follow in order to remove this I am capable of figuring them out.

Thanks for taking the time.

Ryan

Answer:infected with win32/daurso.a

Hello,
That request about NOT posting CF logs is primarily to keep people from running the program unsupervised.
Please read this topic: http://www.bleepingcomputer.com/forums/t/273628/combofix-usage-questions-help-look-here/ which explains that reasoning further.
Please follow the instructions in ==>This Guide<== starting at step 6.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==
Since you have run ComboFix, please include the ComboFix log in the new topic.
If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why, and include the ComboFix log along with a description of your computer issues.
Orange Blossom

2 more replies

http://www.bleepingcomputer.com/forums/topic459450.html/page__pid__2753106#entry2753106

Hi there,

My computer is acting strange not allowing me to use some settings. I believe that there is something loaded on it that should not be there. Any help is appreciated.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Jeff Menard at 7:53:51 on 2012-07-14
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1791.682 [GMT -7:00]
.
AV: BitDefender Antivirus *Disabled/Updated* {982ADE23-275B-0766-37C5-DE01A484098E}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: BitDefender Antispyware *Disabled/Updated* {234B3FC7-0161-08E8-0D75-E573DF034333}
FW: BitDefender Firewall *Disabled* {A0115F06-6D34-063E-1C9A-77345A574EF5}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\s... Read more

Answer:infection found in earlier thread. DDS & GMER logs attached.

Greetings and Welcome to The Forums!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At... Read more

33 more replies

I have been watching the posts - I downloaded GMER & ran it - A few minutes later a blue screen came up & said it had to stop because it didn't want to totally ruin my 'puter. (something like that) It said if this was the first time I ran it to reboot & run again - I didn't run it again (yet?). My network connection is corrupted. I cannot stop RPC from running in services, which I NEVER started, & in "services" it will NOT let me do ANYTHING to change ANYTHING on RPC... So? When the BLUE MEAN SCREEN popped up I DID get my hubby's puter out & typed out the "technical number info". The NAME of the MEANIE is awryypow.sys & I cannot find anything anywhere on this name. I found the file in "My Computer" C: drive - I dared NOT just delete it. I have GOT to get CD/DVD pic orders made from a 30 year class reunion & do NOT want to infect anyone else!!! HELP!!! There are TOO many weird things going on with 'puter - too numerous to even keep up with! Here is the tech info! (Not sure if this matters or not but the first line had some "underscores" on it but I was in a hurry to type out what it said in fear of my puter signing off itself!! (Sorry!) Tech Info & #'s should be CORRECT!!

awryypow.sys base at
page default in nonpaged area
tech info
stop: oxoooooo50 (ox90DA500B, 0x00000000, oxB851AF60, oxoooooooo)
awryypow.sys - address B851AF60 base... Read more

Answer:A new virus? Found by GMER? Have "tech info" from BLUE SCREEN

...sorry... I just HAD to play with the emoticons! Won't do it anymore THIS much! It WAS fun tho! I needed a break!
Bonnie

1 more replies

I wasn't originally looking for any specific infections, but kisk advised me to run the scans from the Preparation Guide. The Gmer gave me a warning that it had found something, but it didn't specify what it had come across. kisk instructed me to post them all here, for help.

Answer:Gmer found a threat (cont. from Something turning off Automatic Updates )

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE:... Read more

36 more replies

I've run an MSSE full scan and a Malwarebytes Threat Scan and both don't find anything. However, last night on a routine on-line scan with ESET (I do about monthly just to be sure), it found a threat (see attachments).

No visible toolbar on FF, IE or Chrome. Nothing in add/remove programs.

Until the BSD on gmer, nothing unusual (except a few weeks ago updating windows crashed my computer without the BSD - just went black and later came back on).

I have a Windows disk; however, this is a custom build by Puget Systems and getting into the BIOS and other things is very unusual, and I'm not sure how to boot to disk to run it if I need to fix the OS.

Also, I don't have access to another computer, so if something may make the computer unable to access the internet or not boot up - I can't get back to you until I can get to a library. So please let me know ahead of time and what I can do to fix it.

I started to run the required things to post and every time I run gmer I get a BSD.

Seems like I'm having problems with the attachments, too.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17126
Run by 93 at 9:15:56 on 2014-06-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.7104.5355 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-...

Answer:[SOLVED] routine eset online found problem and BSD on running GMER

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

That ESET find is simply the installer for CCleaner. It gets flagged due to Google toolbar bundling.

It is not malicious. As long as you didn't opt in to install the toolbar, there's nothing to worry about.

You can safely delete the installer file. Navigate to, right-click and delete this file:

C:\Users\93\Downloads\ccsetup414.exe

------------------------------------------------------

It appears you didn't attach the second dds log, Attach.txt, to your initial post. Instead, you attached the actual dds.scr program.

Press the Windows "logo" key and "R" key then copy/paste the following into the Run box and click OK:

%temp%\attach.txt

A text file should open. Save it to your desktop then attach that file to your next reply.

------------------------------------------------------

It isn't uncommon for some machines to BSOD on running gmer. Some machines just don't like gmer. Did you disable MSE before running gmer?

We'll try another rootkit scan...

19 more replies

I have AVG full v8. It has found various trojans lately. The truth is I had a cracked mkdev copy of Acrobat 9 Pro. It was infected and I have uninstalled it. Various trojans were still found afterwards. Here is a record of AVG's finds. I have HijackThis (microtrend) v2.2. Here is the log. I got an automatic analysis online and removed some r3 03 3 and 16 entries marked as remove now in red. Here is the latest log. I downloaded your gmer tool but it made my laptop give a blue screen and shut down to prevent damage. Sorry for the long story. The log from HijackThis and AVG history follows. gmer cannot complete the scan before shutdown.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:38 PM, on 11/14/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\CyberScrub Privacy Suite\CSPSeraser.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Users\kevin\AppData\Local\Temp\Temp2_gmer.zip\gmer.exe
C:\Windows\system32\wuauclt.exe
C:\Program Fi...

Answer:HELP infected. avg 8 found various trojans. gmer tool gives blue screen of death.

Quote:

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
Please Read All Instructions Carefully.
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you.
Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there.)
If you can do those few things, everything should go smoothly.

Please ensure that any USB/Flash/External drives are connected whilst we are cleaning your machine.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
Download and Run RSIT
Please download Random's System Information Tool by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.

Please...

7 more replies

64 bit, Windows 7

I was having issues with youtube. Streaming was very slow and would often times stop altogether. At first, I thought I had an issue with flash player and so I uninstalled it, installed it again, and checked on updates. I still had the same issues.

I ran Spyware Doctor and Malwarebytes to see if the issue was malware. Previously, when I ran either program, it would show a lot of infections, but now there were none. I then thought that it could be a browser issue so I downloaded Google Chrome. Though it downloaded, Google Chrome would not open any sites. I got an error code. This is what it says:

"This webpage is not available. The webpage at http://google.com/ might be temporarily down or it may have been moved permanently to a new web address. Error 102 (net::ERR_CONNECTION_REFUSED): Unknown error."

It said a couple of times that I wasn't connected to the server, but to me that didn't make sense because I was online and surf the web with Firefox.

I downloaded other types of anti virus and malware programs to see if it would help. This is a list: spybots, ad aware, bitdefender, avg, kaspersky. None downloaded. I received messages saying that the files were corrupted. There would be a bunch of programs opening while doing this. They were moving so fast so I couldn't catch any of them.

I tried to do online scans. Those didn't work either. Same message.

I tried to download these programs in safe mode with networks. They did not download. I trie...

More replies

Hello computer saviors,

I need help. I have a Motion Computing LE1600 tablet PC running XP service pack 3. I was surfing the web and Avast said a threat was detected, and I thought it was stopped. Sadly, it wasn't and when I turned my computer back on the desktop was without a start bar or desktop icons. Through cont/alt/del I was able to access task manager, and run some things through there. I tried to run a system restore, but the only point I could access didn't change the situation. I restarted the computer in safe mode, and scanned with Malwarebytes, which found nothing, and Avast, which found 4 infected files. The files are C:\Windows\Explorer.EXE (Threat Win32:Patched-UE [Tr]), c:\windows\system32\winlogon.exe (threat win32:winpatch), c:\windows\explorer.exe (threat win32:winpatch), c:\windows\system32\winlogon.exe (threat win32:winpatch). When I try to "move to chest" the error says the files are read only. Interestingly, when I went in the windows folder, there are 3 files explorer.exe, explorer(2).exe and explorer(3).exe. I don't know why that is. I tried changing the file access to allow changes, but that didn't help.

I am currently running the system in safe mode, because I can see and use the desktop that way and I am logging this on another PC. I am attaching the dds logs, and I am waiting on gmer to stop scanning. I made the logs in safe mode. If I need to reboot and go ...

Answer:Win32:Patched-UE, win32:winpatch found by Avast. No desktop, in safe mode

gmer log

10 more replies

MY PROBLEM
==================================================
I was using Win XP SP1 since May 2005. My system was very clean.. Yesterday, due to a crash, I had to re-install Windows so I switched to SP2.. Then I used a flash stick of a friend that has viruses, and my kasper AV was not updated at that time to detect them.. Now I have updated my kasper AV and it has detected some viruses and removed them.. They were

1. svchost.exe in windows directory
2. RavMon.exe in every partition of my disk
3. trojan.win32.agent.abt
4. email-worm.win32.brontok.q
5. win32.hidrage.a (kasper AV) also known as win32/jeefo
6. MDM.exe in c:/windows

Where it says Open & Explore there are some strange symbols...
Those symbols are still there and when I double click any of the partitions to open it... it opens a dialog box saying "Open with", choose the program to open the file C:/ or D:/ .......

here is screenshot


Yeah, and another problem: I can't see hidden files.. When I enable show hidden files and click OK,
the "don't show hidden files" option is selected again..
Other than this I haven't noticed anything else.

I'm hopeful that I will get a good response.
Thanks in advance..
========================================================
LOGS
========================================================
Emulating logfile of HijackThis v1.99.1
Scan saved at 2007-07-10 19:44:16
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)

Run...

Answer:many probs. AV found. trojan.win32.agent.abt, win32.hidrage.a etc

Hi guys.. I'm still waiting for the reply... so I can avoid formatting...
Or shall I go with formatting??

10 more replies

I got hit with one of those pretend-antivirus malware attacks. I suddenly got a pop-up screen warning me about all sorts of porn-y virus infections on my computer and prompting me to purchase the full version of their "antivirus" software. It did all the usual things everyone seems to report: disabling antivirus/antimalware software & initially most other programs, as well.
I managed to locate defender.exe & remove it. That stopped the pretend-antivirus pop-ups, but I was still unable to run antivirus/antimalware programs, etc. I followed a number of the instructions I found online:
Rkill never seemed to find anything, although it appeared to run when I tried it at various times.
TDSS killer identified & removed rootkit.win32.ZAccess.e and suspicious hidden windows file 3203397148:380922017.exe. The most recent scan showed nothing.
If I first run TDSS killer, I can then reboot & run Malwarebytes once (an improvement over MBAM only running for 2-15 seconds before stopping if I don't use TDSS killer first). Unless I re-install each time I use it, I can't run Malwarebytes more than once. It will let me do one scan and then tell me I don't have permissions if I try to open it again.
Malwarebytes identified that 3203397148:380922017.exe file as Backdoor.0Access. It found/removed multiple instances of Backdoor.OAccess, as well as spyware.passwords.xgen. It also identified & removed a problematic registry key at HKEY&...

Answer:defender.exe, rootkit.win32, backdoor0access, spyware.passwords.gen

Hello KCNY, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1. Please download DummyCreator.zip and unzip it.
Run the tool.
Copy and paste the following into the edit box:

C:\WINDOWS\3203397148
Press Create button and post the content of the Result.txt.

Important: Restart the computer.

2. Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TD...

36 more replies

Hi,

As topic mentions, this computer had a whole bunch of infections which seemed to have been removed by MSSE and MBAM... Running both those tools now report nothing but I would like to know whether the computer is really clean or some infections still linger on?

Thanks a lot!

Answer:Win32/Karagany.I, Win32/Winwebsec, Java/CVE-2012-1723*, Trojan.Vundo, PUP.MyWebSearch found and cleaned by MSSE & MBAM - Is...

Hi Skale I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

12 more replies

Defender identified BANTExt.sys found in WINDOWS\System32\Drivers...created on 3/6/06. I installed Belarc Advisor on 3/6/06. I think they're related, so no worries. Who's with me?

Answer:PUP found by Windows Defender

Very likely.

1 more replies

Hello,

First of all thanks for reading this during the holidays! (Why does this kind of thing always happen at the worst possible moments?)

Now for the problem: Windows Defender keeps giving pop ups about an Alureon.BT trojan horse, which I keep deleting, but it keeps coming back. Also I had (?) a FakeAlert virus, which pretended it was Windows Defender giving pop ups about buying some kind of antivirus. Now I am worried that maybe the Alureon.BT is also a fake notice... I don't know.

Also my anti virus (AVG Free) doesn't appear to be scanning in the background/at start up. Note that I also use Malwarebytes for scanning.

And when I tried to perform the RootRepeal scan, my computer crashes, giving a blue screen with some kind of "not smaller or equal" error (wtf?).

Note that before this I got attacked by the following (which I thought I was rid of, but now I am not sure):
AVG:
I-Worm/Nuwar.U
Win32/Heur
SHeur2.BORG
Koobface.K
Malwarebytes:
Trojan.FakeAlert
Malware.Trace (File)
Trojan.Agent
Malware.Trace (Registry Value)

And also my laptop used to run smooth as a baby but now programs very frequently do not respond etc... Also my pictograms do not show anymore.

Now for the DDS log:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ronald at 2:52:53,05 on vr 25-12-2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista® Home Premium 6.0.6001.1.1252.31.1043.18.3070.1747 [GMT 1:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free...

Answer:Alureon.BT found by Win Defender and many more (?)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

2 more replies

I ran AVG, activescan, spybot and adaware and they didn't find any viruses. I ran bit defender which took forever and it found two viruses. I am unclear if the viruses have been removed. What does "update failed" mean?

Can someone help? The reason I started searching for a problem is because my internet explorer was acting strange. When I ran spell check on an online form that we use all the time for work it was checking a form I had done a long time ago instead of the one I was actually doing. It was changing data in the form as well to match the old form. I deleted cookies and files in the Internet Options and also selected to have the page refreshed every time it is loaded instead of "automatically". The problem is fixed now, but I don't know why. I also don't know if I still have a problem that needs fixing.

Thanks, Katherine

E:\WarezP2P_DLC.exe=>(NSIS o)=>lzma_solid_nsis0040
Infected with: Dropped:Application.Adware.NewDotNet.A
E:\WarezP2P_DLC.exe=>(NSIS o)=>lzma_solid_nsis0040
Disinfection failed
E:\WarezP2P_DLC.exe=>(NSIS o)=>lzma_solid_nsis0040
Deleted
E:\WarezP2P_DLC.exe=>(NSIS o)
Update failed

E:\WarezP2P_DLC.exe=>(NSIS o)=>lzma_solid_nsis0041
Infected with: Trojan.Downloader.Swizzor.DO
E:\WarezP2P_DLC.exe=>(NSIS o)=>lzma_solid_nsis0041
Disinfection failed
E:\WarezP2P_DLC.exe=>(NSIS o)=>lzma_solid_nsis0041
Deleted
E:\WarezP2P_DLC.exe=>(NSIS o)
Update failed

Answer:Bit Defender found virus

8 more replies

Sadly, Windows Defender has found trojans, and said that they were "severe" and "removed" but also said "successful".
Does that mean the trojans screwed up my computer "successfully" or they were removed "successfully"?

Answer:Trojans found by Windows Defender.

Removed successfully... They will be deleted or moved to a quarantine or virus vault where they can no longer do any harm.

1 more replies

Sirefef trojan found and cleaned by Windows Defender. It comes back after reboot, I get popups "Windows Firewall has blocked......."
Can you help me remove it?
Thanks,
LWells

DDS Log>
.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 9.0.8112.16421
Run by Tomco_HP at 14:26:14 on 2012-08-12
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.964 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
c:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\B...

Answer:Sirefef found by Windows Defender

please run the following:

download Farbar Recovery Scan Tool and save it to a flash drive.
Plug the flashdrive into the infected PC.
Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) ...

32 more replies

Is there a way to stop the alerts from Windows Defender that uselessly tell me it found nothing? If there's no problem, I don't need or want to hear about it.

Just tell me if/when it finds something suspicious, then I'll deal with it. Otherwise STHU!

More replies

Hello!
On boot up McAfee says Trojan Found Defender-EV and cannot clean, delete, or quarantine it. The file name is !Update-3595[1].0000 and the path is C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HV3JT9OE. I have scanned the box with Ad-Aware, Spybot, and used Windows Defender. I am running XP Home SP with pop up blocker enabled. I have cleared cache, deleted history, emptied recycle bin, etc. I turned off system restore which deleted the restore point, then rebooted and turned restore back on. What is bizarre is when I manually try to browse to the content.IE5 folder it is not under Temporary Internet Files. However there is a Content.IE5 folder under Temp. Thanks for any help you may be able to provide!!!

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:45:41 AM, on 4/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
c:\progra~1\mcafe...

Answer:Solved: Defender-EV found by McAfee

8 more replies

I am unable to turn on Windows Defender. When I hit start I get this message: the specified service does not exist as an installed service error code 0x80070424. I believe Windows Defender is the reason I am getting the error message: Cannot install the driver plugin error: failed to start service: The dependency service does not exist or has been marked for deletion (1075) when I am trying to install HitBliss. Windows Defender will not let me open tools. I have Avast for anti-virus and have turned it off and still get the same error. I can not find Windows Defender in my registry. I have tried just about everything except reinstalling Windows 7 and starting all over. The only place I can find Windows Defender as a program is under the control panel. Any ideas?? Also how can I reinstall Windows 7 without a disk?? If I do a reboot what should I need to save other than pictures and music? I have Windows 7 Home Premium 64 bit.

Update: Just tried to download Windows Defender from Microsoft and it says Windows Defender is not compatible with my operating system?? It says I can download it for other OS?

Answer:Windows Defender nowhere to be found and will not start

Just install and run Microsoft Security Essentials, it should fix your problem.

Microsoft Security Essentials - Microsoft Windows

Uninstall Avast.

Have you run a system file check ?

SFC /SCANNOW Command - System File Checker

You can't install Windows 7 without the DVD or by using a USB flash drive.

Also install and run Malwarebytes Antimalware.

http://www.malwarebytes.org/

9 more replies

Hi Chas and gang, I am running Bit Defender at the mo, it's found 5 boot sector viruses. Help

Answer:bit defender has found loads of stuff

Did you start running this for a reason? Complete the scans (in safe mode if possible) and let us know what you find and any problems you are having. Run all of the READ ME FIRST if you have malware issues. Consider running the Alternative Scans in the READ ME too.

3 more replies

This problem just started like a day or two ago. I can't turn on Windows Defender and when I try to open defender it says "Windows cannot access the specified device, file or path. You may not have the appropriate permissions to access the item".

I've searched on forums and they all say to download certain programs but every time I go to download anything it says that the file had a virus and was deleted! So downloading files or programs is out of the question!

Tried to do a system restore twice but each time it did not work. Can anyone help?

More replies

Hi.
My laptop has been working fine until today.
I'm on Windows 7 Home Premium.
I used 'Ultimate Windows Tweaker v 2.1' to change the setting and stop windows from automatically restarting after an update.
When I restarted after making the change I had a message that there was a problem with 'Windows Defender'. When I tried to start it manually I had the message 'Application Not Found'.
I downloaded the 'latest' version of Defender to try and re-install it but it kept telling me that Defender was already installed.
I also tried using a command line as follows:
msiexec /uninstall windowsdefenderx64.msi
and
msiexec /uninstall windowsdefender.msi
for the x64 and the standard versions of Windows Defender, BUT, I just got a message back that it could not be uninstalled because it's not installed.
I'm at a loss, so I'll disable Defender and hope that my AVG protects me.
If anyone can help ........

Answer:Windows Defender: Application Not Found!

Well that's embarrassing. As you said, you cannot reinstall Windows Defender as you got the message that Windows Defender is already installed. I suggest you revert the changes made by you using 'Ultimate Windows Tweaker v 2.1', then restart the PC. If it won't work then google & download uninstaller software; there are lots available. Then install it and, using it, uninstall Windows Defender first, and then try to install the 'latest' version of Defender you downloaded.
Best of Luck
JustNC

9 more replies

Hi,

I need an advice and a little help.

Yesterday Defender alerted me with three malware named: "optiads-1.6.2[1].swf".

They were in the Explorer cache, "AppData\Local\Microsoft\Windows\INetCache\Low\IE".

Since I don't use a non-sandboxed browser, the only source of them should be utorrent:

uTorrent downloading virus (Exploit:SWF/Meadgive) - Troubleshooting - µTorrent Community Forums

It should be an ad inside utorrent that rotates during the day. But a malicious ad.

Defender deleted them, and I cleaned the cache and the computer seems to be totally OK.

But, I need an advice... I have a restore point of the day before, that I would not use because yesterday I made some changes in my OS.

Is it better that I use the restore point and uninstall utorrent forever, or can I stay calm, since Defender found them, and continue to use my PC without restoring anything?

Answer:optiads-1.6.2[1].swf found by Defender from uTorrent

No, you do not need to use system restore, but you should get rid of utorrent, it is not what it used to be.

6 more replies

Since I upgraded to Windows Defender it has found and removed the following:
Antivirus Gold (twice in three weeks)
Yazzle Sudoku and Search Centrix

From the forum search I see that other members have been infected with these but they have additional problems with the system being hi-jacked. I guess I've been lucky but is there any way I can trace back to the site that they originated from so as to avoid a repeat infection?

More worrying, W D has also found but chose to ignore the following,
Description: This program has potentially unwanted behavior.
Advice: Allow this detected item only if you trust the program or the software publisher.
Resources: iemain:[email protected]\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page
Category: Not Yet Classified

Anybody have any advice on this one?

On X P, I have and use A2, Ad aware, Ewido, C Cleaner and Spy bot, none of which have picked up any problems other than Ewido which found eight tracking cookies. Sorry its so long winded but many thanks for any help

Answer:Windows Defender Infections found !

As your title suggests you may have an infection or two.

My advice would be to download HijackThis from here click here
This is a zip file so you need to unzip this into a folder of its own e.g C:\Program Files\hijackthis
Open hijackthis and click the button 'Do a system scan and save a logfile'; this will then save a notepad logfile for you, next copy and paste the logfile into the 'Malware removal' forum at this site click here
This site specialises in reading these logfiles and they will be able to help you with any infections that you may have.

2 more replies

Hi Everyone,
I am new to the board, trying to help my son fix his computer (spyware, malware), blind leading the blind. I think I have killed or at least hurt SpyFalcon because it does not load up and I don't see any evidence of it; I used spydoctor, Spybot S&D and Windows Defender to do this and removed hundreds of items. However Windows Defender in safe mode found: RealVnc, Keenvalue, altnet pnt, claria.gain.trickler and perfect Nav, but it will not remove them. Are they malware? If so how do I get rid of them?
Thanks

Answer:Windows Defender found realVnc

Welcome to MajorGeeks riprock!

Please start with the below to get the computer into a known state. Once you have completed the required scans and attached the logs a fix will be posted for you. If you have any difficulties please don't hesitate to reply to this thread and ask for further help. Good luck!

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

Downloading, Installing, and Running HijackThis

When you return to make your next post make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
Bitdefender
Panda Scan
HijackThis
 

Answer: It says Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

Hello, my name is Sempai and welcome to Bleeping Computer.

* We apologize for the delay. The forum has been busy.
* I want you to understand that I'm still a trainee here. I will be working with my Coach, who will approve all my instructions before posting them to you, so there's a possibility of some delays in my responses. But the good part is, there are two people reviewing your problem instead of one.
* It is important not to make any further changes or run any other tools unless instructed to. This may hinder the cleaning process of your machine.
* You must reply within 5 days, otherwise this topic will be closed.

1. We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

2. We need to check for Rootkits with RootRepeal
Download RootRepeal from the following ... Read more


This morning I entered a game site and went away from my computer for about 5 minutes. When I came back, Security Defender, which I had never seen or heard of before, had installed itself on my PC and said that I had about 20 trojan horses. I started to google Security Defender and discovered that it was a scam. I then used a program called "Malwarebytes' Anti-Malware" to get rid of it.

Security Defender was deleted from my computer. Or so I thought. Even though the program is no longer to be found on my hardware, like it was before, it still opens pop-ups every 5 minutes, blocks my access to a bunch of webpages and slows down my computer.

Can anyone help me figure out how to get rid of this?
 

Answer: Security Defender. Can't be found on the PC but still runs

You didn't mention if you're using XP or Vista or 7, 32-bit or 64-bit.

-------------------------------------------------------

Go here and click the green "Download latest version" link to download and save HiJackThis 2.0.4.

After it's been downloaded and saved, close all open windows first, then double-click the saved file to install it.

Allow it to install in its default location - C:\Program Files.

After it's been installed, start it and then click "Do a system scan and save a log file".

When the scan is finished in less than 30 seconds, a log file will appear.

Save that log file.

Return here to your thread, then copy-and-paste the entire log file here.

--------------------------------------------------------

Start HiJackThis, but don't run a scan.

Click on the "Open The Misc Tools Section" button.

Click on the "Open Uninstall Manager" button.

Click on the "Save List" button.

Save the "uninstall_list.txt" file somewhere.

It'll then open in Notepad.

Return here to your thread, then copy-and-paste the entire file here.

--------------------------------------------------------
 


Hi, while using Bit Defender's online scan it picked up the following virus (JS [email protected]) and was unable to delete it from 35 files in F:\Documents and Settings\Arnold\Local\Settings\Application\Data\Microsoft\Outlook\Personal Folders(1) Pst... Bit Defender responds that it is unable to disinfect or delete.

I've tried going into Outlook and deleting the individual message folders that contained the RTF docs that it referred to, but I am still unable to delete the virus. So that is why I've tried to get some support on ridding it. These are the steps I've done on my own as well. I'm pasting my MGlogs.zip file that contains the batch files that were run to determine the status of my drives, and hopefully you can use them as well.

I've done the self-help for Windows XP by doing the following:
1- Used ATF Cleaner, first in Safe mode so that I could get each separate account cleaned out, then mine again in normal startup.
2- Used the most up to date Spybot V 1.5.2, installed the updates and scanned (with no problems found).
3- Checked through the "self-help" (both pages) on spy/malware removal; none of them addressed the virus that was found.
4- Made sure that I have only one anti-virus program in use: current AVG Anti-Spyware 7.5, most current definitions.
5- Uninstalled previous versions of Microsoft's Java and installed Sun Java.
6- Went into MSConfig and set up for Normal startup mode.
7- Emptied Recycle Bin (no quarantined items ... Read more

Answer: Bit Defender has found Outlook PST file with virus: [email protected]

Welcome to Major Geeks!

You forgot to attach the logs from ComboFix and AVG Antispyware and it appears that you did not accept the license agreement from TrendMicro HijackThis that popped up while running MGtools. As a result, your MGlogs.zip file is missing the HijackThis log.

However see if the below helps with your Outlook issue.

Compact the .pst files by clicking Properties > Advanced > Compact File. If you don't do that, they are not really gone, and the scans will still pick them up.
 


Yeah, so every night I run Windows Defender and it finds NewdotNet every time, but I can't delete it. Can anyone help me with this? Here's my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 10:51:02 PM, on 9/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\S... Read more

Answer: NewdotNet found by Windows Defender and can't be deleted?


Was doing my taxes the other night and before I could finish, something infected my computer. Great.

Something on my computer called XPDefender keeps popping up telling me I have a trojan but I don't remember installing this program so I don't know if it is legit or not.

I have run McAfee (can't tell you the version as I cannot get it to open) and Housecall from Trendmicro and neither have removed whatever is infecting my computer. I have also restored my computer to 7 days prior on an off chance that would help but it did not.

I started another McAfee scan this morning before I went to work, when I came home for lunch my computer was in safe mode and I cannot get it out of safe mode... never had this happen before.

I am running Windows XP - SP3. To my knowledge there has not been anything installed on my computer in the last month.

I do have a hijackthis log if anyone is interested.

Any help or suggestions are appreciated. I tried to cover everything, but if you need more info let me know.

Thanks for your time...
