Computer Support Forum

rootkit virus keeps coming back str.sys

Question: rootkit virus keeps coming back str.sys

The computer is running Xp service pack 2.
When I first tried to fix a popup problem with symantec, the user (my daughter) couldn't log on anymore.
Safemode would begin to load and then rebooted.

I fixed several registry entries using knoppix under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
and copied over a copy of userinit.exe, and ntldr from another Xp installation.

Now the user can logon, but the web pages are redirected to advertisements for removal tools and other things.
A file called str.sys was removed by several malware and antivirus programs and kept coming back.

I still can't boot into safemode. I see a list of drivers loading and then the computer reboots. I would be grateful for any help, thanks.

Here is the report from Rootrepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/27 22:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00002984
Image Path: 00002984
Address: 0xB2A8F000 Size: 71424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2BC3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Common Files\Symantec Shared\VirusDefs\20091127.003\EraserUtilDrvI9.sys
Status: Locked to the Windows API!

SSDT
-------------------
ServiceTable Hooked [0x862172e0]!

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8a61e518

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x8628c390, TID: 1768]
Process: svchost.exe (PID: 916) Address: 0x00a51f3c Size: -

Hidden Services
-------------------
Service Name: xiehhlsyjlr
Image Path: C:\WINDOWS\system32\drivers\nunrfrpsbfanhl.sys

==EOF==

------------------------------------
Here is the report from DDS
------------------------------------

DDS (Ver_09-11-24.02) - NTFSx86
Run by daisy at 22:36:31.83 on Fri 11/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1983.1282 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\daisy\Desktop\RootRepeal.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\daisy\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [QuickTime Task] "c:\program files\quicktime alternative\qttask.exe" -atboottime
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\symant~2\VPTray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [VTTimer] VTTimer.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Advanced Virus Remover] c:\program files\advancedvirusremover\AVR.exe
StartupFolder: c:\docume~1\daisy\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.0\program\quickstart.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\diner dash - flo on the go\images\stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157311276508
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\diner dash - flo on the go\images\armhelper.ocx
TCP: {493D8F3D-475B-4084-9726-C5214FBBB60F} = 192.169.1.1
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: SysNet - {342BB978-EEB1-4C81-9D07-1CCB7267987D} - c:\documents and settings\all users\microsoft adata\sysnet.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\daisy\applic~1\mozilla\firefox\profiles\6olyzd17.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin2.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin3.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin4.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin5.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin6.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin7.dll
FF - plugin: c:\program files\quicktime alternative\plugins\npqtplugin8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R3 S3G700;S3G700;c:\windows\system32\drivers\S3G700m.sys [2002-1-1 792576]
S2 xiehhlsyjlr;xiehhlsyjlr;c:\windows\system32\drivers\nunrfrpsbfanhl.sys []
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2001-12-31 20160]
S3 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [2006-8-3 3584]

=============== Created Last 30 ================

2009-11-27 19:13:30 98816 ----a-w- c:\windows\sed.exe
2009-11-27 19:13:30 77312 ----a-w- c:\windows\MBR.exe
2009-11-27 19:13:30 260608 ----a-w- c:\windows\PEV.exe
2009-11-27 19:13:30 161792 ----a-w- c:\windows\SWREG.exe
2009-11-27 19:13:00 0 d-s---w- C:\ComboFix
2009-11-27 16:25:02 0 d-----w- c:\windows\pss
2009-11-27 16:01:57 0 d-----w- c:\docume~1\daisy\applic~1\Malwarebytes
2009-11-27 16:01:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-27 16:01:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-27 16:01:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-27 16:01:50 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-27 15:45:25 0 d--h--w- c:\windows\system32\GroupPolicy
2009-11-26 20:14:27 250032 --sha-r- C:\ntldr
2009-11-26 19:53:15 146650 ----a-w- c:\windows\system32\BuzzingBee.wav
2009-11-26 19:53:13 940794 ----a-w- c:\windows\system32\LoopyMusic.wav
2009-11-26 19:26:11 0 d-----w- c:\windows\system32\Lang
2009-11-26 19:25:42 0 d-----w- C:\c31fa9a8d8261c4821757231
2009-11-26 19:06:46 24576 ----a-w- c:\windows\system32\userinit.exe
2009-11-01 16:07:12 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf
2009-11-01 16:07:12 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf
2009-11-01 16:06:29 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-11-01 15:59:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2009-11-01 15:59:10 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-11-01 15:59:08 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-11-01 15:54:17 62592 -c----w- c:\windows\system32\dllcache\cdrom.sys
2009-11-01 15:54:17 464384 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2009-11-01 15:54:17 464384 ------w- c:\windows\system32\imapi2fs.dll
2009-11-01 15:54:17 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2009-11-01 15:54:17 317952 ------w- c:\windows\system32\imapi2.dll
2009-11-01 15:53:48 764868 -c----w- c:\windows\system32\dllcache\apph_sp.sdb
2009-11-01 15:53:48 217118 -c----w- c:\windows\system32\dllcache\apphelp.sdb
2009-11-01 15:53:48 1197294 -c----w- c:\windows\system32\dllcache\sysmain.sdb

==================== Find3M ====================
============= FINISH: 22:37:13.23 ===============
The attach.txt filed was zipped and is attached
Attach.zip 3.17KB
2 downloads

Relevance 100%
Preferred Solution: rootkit virus keeps coming back str.sys

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

Answer: rootkit virus keeps coming back str.sys

Hi jobarb,Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.I see you have Combofix. Please post the log(s) it has produced. If you have run it more than once Please attach all of them.The latest log is located at: c:\Combofix.txtThe earlier logs are located at C:\Qoobox\combofixX.txt where X is a number.

24 more replies
Relevance 85.69%

I ran Norton Antivirus and it keeps telling me that it has fixed the problem and to restart the computer. I do that and then I run Norton again and it the same thing. I have tried to read through some of the similar questions, but did not really understand them, I am not sure what a hijack log is and such. With step by step directions, I might be able to do it myself. I am running windows xp. I keep getting a pop up saying that "this link does not exist" but it comes up when I am not trying to click on anything. Any help would be GREATLY appreciated!!
 

More replies
Relevance 71.75%

Yesterday I got a Rootkit warning, Said it was a Win 64: Evo-gen (Susp) I followed instructions, and ran a boot time scan. At around 60% complete it found 3 instances of a Win 32 (not the win 64 like the warning said)
It gave me choices as to what to do. I chose repair all. The scan finished, and I got back on line. I started scanning with all my other protections SAS, MAM etc. AS I was doing this the warning showed up again.I ran another boot time scan. It came out clean. No files corrupted. (or words to that effect) Got the warning again. Scan came up clean again.
I continued using my computer, and after a while I got the message again. Since the boot time scan had come up clean two times in a row I just Xed it out. It came up two or three more times, so I decided to shut my computer down for the night.
Today I got on line, and the warning showed up again. So I ran the boot time scan again. This time it found one instance of the Win32 (again, Not the Win64 that I was warned about) This time instead of choosing repair, I choose fix all instantly. All that did was move it to the chest?? THe scan finished , and I got back on line. After a while I got the Warning again. I ran,a boot time scan, and it came out clean Was on the computer again, and got another warning Xed it out.

What's going on, and how can I fix it?
As it stands now I'm kind of worried about using my computer. So. I am going to write a couple important E-mail and shut my computer down. I will ... Read more

Answer:Rootkit warning keeps coming back

You've been to this forum before so you should know the drill....

Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
Make sure, you PASTE all logs. If some log exceeds 50,000 characters post limit, split it between couple of replies.
Attached logs won't be reviewed.

Please, observe following rules:

Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
If you're stuck, or you're not sure about certain step, always ask before doing anything else.
Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
Never run more than one scan at a time.
Keep updating me regarding your computer behavior, good, or bad.
The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

 

67 more replies
Relevance 71.75%

Hi,

My computer was recently infected with Malware Defense, which I removed using the following guide http://www.bleepingcomputer.com/virus-removal/remove-malware-defense. After following the steps, I was able to remove it, but my computer continued to behave strangely.

Specifically, my computer currently runs much slower than it did before, has sporadic issues connecting to the internet, and fails to startup the first time it reboots after Malwarebytes Anti-Malware removes "rootkit.tdss". I have now managed to remove "rootkit.tdss" at least 5 times now, but it keeps coming back.

Here is my HijackThis log:
"Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:40:47 PM, on 1/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoi... Read more

More replies
Relevance 71.75%

Ok, Im new here and have a big question I discovered I had a rookit called a0zdz1mw.SYS
It will change its name after I delete it and then restart, AVG keeps picking the file up but with a different file name everytime I used a program called Unhack me and it says that the file is an ATAPI IDE Miniport driver and It says it is dangerous I dont know what do to As I had this same type of Rootkit on my old Desktop. I dont want to do a full system reinstallation, so I came here for help, If you need more information I will give it to you but I dont know where to get the detailed report for the file as of right now.
 

Answer:Rootkit that keeps coming back after restarting and changes name

bump
 

1 more replies
Relevance 71.75%

Hi

I am running Windows 7. Few days ago, I started getting blue screen as soon as I started my computer. It was rootkit infection through MBR. TDDSKiller detected it.

After that, I cured using TDDSKiller, but my computer starts showing "OS not found" on startup. I got Win 7 installation disk and ran bootrec /fixmbr.

Since then rootkit keeps coming back in few hours and I have to everytime repair it using bootrec /fixmbr., otherwise blue screen starts coming up.

Is there a way I can permanently solve this. ?

Answer:Rootkit keeps coming back daily

Hello,Yes but we need a deeper look. Please go here....Preparation Guide ,do steps 6 - 9.Create a DDS log and post it in the new topic explained in step 9,which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.If Gmer won't run,skip it and move on.Let me know if that went well.

1 more replies
Relevance 71.75%

My computer is infected with a virus hacktool.rootkit (Symantec) that keeps coming back.Symantec is always running and the autoprotect shows the file as "cleaned by deletion" but it pops up again in 5 minutes. There are a number of different versions of the files including ntesik.sys, securentm.sys, sti64si.sys and acpi.sys. I see they have been picked up on the HijackThis scan as UnknownUnknown (near bottom of log).The file petert.exe also shown near end of log as created 2009-03-26 is suspicious. Shut I shutdown a window pops up that petert.exe could not be closed properly. Everytime the virus appears it also drops a file in the temp folder. Sometimes it tries to send an e-mail that is blocked by Symantec.I have tried a few online spyware scans but without success.I have deleted all files in the temp & cookie folders and also the windows/ prefetch because these looked suspicious.This is the log from HijackThis. Can you please help????:DDS (Ver_09-03-16.01) - NTFSx86 Run by petert at 16:18:42.19 on Mon 03/30/2009Internet Explorer: 6.0.2900.5512Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.460 [GMT -7:00]AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files... Read more

Answer:Hacktool.rootkit keeps coming back!

This problem has been resolved - virus from an infected e-mail

2 more replies
Relevance 70.93%

I had Avast warn me 4 times that I had a Rootkit Hidden Process.
c:\\Windows\system32\drivers\ATWPKT2.SYS and another one too.

I did post yesterday morning on Tech Support Forum, but had no response, so I am posting here as well.

I tried to follow the 5 steps, but I ran into a problem.

First, I didn't scan with Panda because yesterday I scanned with Avast and today I had to do it again. It took over 1 1/4 hours, so I didn't do it again with Panda.

Then, on Step 5, after trying to run the DSS, I got the BSOD 2x while it was trying to create a restore point.

Since DSS didnt' work, I downlowded the current HJT program and ran that. My log is posted below.

I am using XP Pro, with a SP2. I had no problems ever with my computer,but this week I tried to upload onto YouTube, and then I had this problem. I won't do that again..

Thanks for understanding about the steps in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:49 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Progr... Read more

More replies
Relevance 70.93%

Well, I need some help. It is my first time coming here, and thank you for any help you can provide. I appear to maybe have a rootkit or something that is generating Trojans. It appears to be coming from the Google Install folder in Program Files (x86). I scanned with Malwarebytes and it found a rootkit, and maybe removed it, but it might be back, as the same Trojans (they were all being blocked by Avira) are being generated. Malwarebytes said it was Rootkit.0access. Should I just delete the folder or would that not help at all?

Answer:Constant trojans and rootkit that might be coming back

Welcome aboard   Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.NOTE 2 SecurityCheck may produce some false warning(s), so leave the results reading to me. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.Make sure the following options are checked:
Internet ServicesWindows FirewallSystem RestoreSecurity Center/Action CenterWindows UpdateWindows DefenderOther ServicesPress "Scan".It will create a log (FSS.txt) in the same directory the tool is run.Please copy and paste the log to your reply. Please download MiniToolBox and run it.Checkmark following boxes:Report IE Proxy SettingsReport FF Proxy SettingsList content of HostsList IP configurationList Winsock EntriesList last 10 Event Viewer logList Installed ProgramsList Devices (do NOT change any settings here)List Users, Partitions and Memory sizeClick Go and post the result. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.* Double-click mbam-setup.exe and follow the prompts to install the program.* At the end, be sure a checkmark is placed next to Up... Read more

9 more replies
Relevance 70.93%

so i ran malwarebytes, and this thing keeps coming back

its lagging my vent and internet and god knows what else

please let me know what i need to do
 

Answer:rootkit.tdss.sys cant remove keeps coming back

Hello onegai5465,

Welcome to TSG.

Download OTL to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

Note: Unless otherwise instructed always post the logs in the forum. If reports don't fit on one post. It might be necessary to break the logs up to get them on the forum. Just use as many posts as you need, that's fine.
 

3 more replies
Relevance 70.93%

I have a Windows 7 64bit laptop I am trying to clean. So far, I've run Malwarebytes, Spybot, CCleaner (temp files & registry) and Avira.

I am left with Avira constantly telling me I have a few infections left. It will delete the files, but they only come back after I reboot.
This is the supposed infected file that always shows up:
C:\Users\*username*\AppData\Local\rrsrlshm\axkevsqd.exe
There are also a few suspicious looking txt files (random filenames) in C:\Users\*username*\AppData\Local\ that get recreated if I delete them, as well as a startup entry for axkevsqd.exe.

Avira tells me this is a TR/Rogue.kdv.683151 infection.

Thinking this was a rootkit problem, I have also tried scanning with TDSSKiller (picks up nothing). RKill fails to complete. Removing suspicious entries with Hijackthis doesn't stick (they come back). ASWMbr says it's Win32.Malware-Gen infection.

My client would like me to try remove the virus rather than reformat if possible so I hope you guys can help me out

// DDS Logs to follow as instructed //
.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Chris at 17:32:20 on 2012-07-30
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.61.1033.18.4061.2901 [GMT 8:00]
.
AV: Avira Desktop *Enabled/Updated* {F67B4DE5-C0B4-6C3F-0EFF-6C83BD5D0C2C}
SP: Avira Desktop *Enabled/Updated* {4D1AAC01-E68E-63B1-344F-57F1C6DA4691}
SP: Windows Defender *Disabled/Update... Read more

Answer:TR/Rogue.kdv.683151 - rootkit - keeps coming back

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/463070 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Relevance 70.93%

Recently infected with a trojan, malware bytes will find the file which is c:\Windows\System32\Drivers\wavry.sys as a rootkit.agent. I cannot figure out how to remove it. I tried malware bytes and it says it will remove on reboot, when it does, it comes right back. Please help me out. Here is a hjt log to help start things out. Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:56:39 PM, on 10/3/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Dell Network Assistant\hnm_svc.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Novatel Wireless\Novaco... Read more

Answer:rootkit.agent Cannot remove, keeps coming back!

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!Please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.In order for me to see the status of the infection I will need a new set of logs to start with.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.DeFogger: Please download DeFogger to your desktop.Double click DeFogger to run the tool. The ap... Read more

3 more replies
Relevance 70.11%

Greetings all I'm hoping someone could help me with this little problem my brother has gotten himself into. A few days ago I'm going to wager the 23rd of this month my brother's laptop somehow got infected with a Rootkit. No clue how he got it my brother is pretty careful about his internet browsing. Then again these things are designed to be very difficult to detect. I've noticed some other folks having similar problems so this must be a new threat possibly.The main symptoms the computer displays are that it's exceedingly slow to do anything, IE start up, browse files and folders, browse the internet. It will commonly hang as if frozen from time to time as well. Trying to restart it or shut it down causes the system to lock up at the "system is shutting down" screen requiring a forced shutdown and on the 23rd a new user called "HelpAssistant" was created. AVG found a bunch of stuff in this user's local settings/temp directory. I'm gonna assume those were what caused the initial infection. Disabling the account in Local users and groups and then restarting the computer just causes the folder to be recreated but rather then just "HelpAssistant" it will use "Helpassistant.*random username*" The folder contains copies of important operating system files from the main account on the computer making it hard to remove and causing it to take up 2-3 gigs of unneeded space. Deleting the folder nets the same result its just recreated at start up.... Read more

Answer:MBR rootkit detected, HelpAssistant user keeps coming back

Please ignore the above message I have solved the problem myself.

2 more replies
Relevance 70.11%

Malwarebytes keeps finding rootkit.tdss and says it removes it, but it keeps coming back. I have tried running malwarebytes, trend micro's housecall as well as CA antivirus. Need help please.

Running Windows XP service pack 3.

Answer:Rootkit.tdss Malwarebytes removes it but it keeps coming back

Hello and welcome. in order to remove this you will need to run HJT/DDS.Please follow this guide. Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal ,click New Topic,give it a relevant Title and post that complete log.Let me know if it went OK.

1 more replies
Relevance 70.11%

Seems like I am infected with some sort of malware, I've gone as far as I can alone, and I'm no expert with computers. Reformated my system after initial crash now still infected (or more likely reinfected), keeps making my system attempt to connect to 206.161.121.2,3,4,5 etc. , my research so far yields this is not a new problem in the virusphere, though no one seems to be saying anything more about it other than that they have the infection. Start ups and restarts often very buggy and crash a significant number of times, though when running mbam it just restarts to remove it and it comes right back after restart. mbam has gotten it down to one trojan and its memory process each time, though they come right back. Anyway I can be helped would be wonderful, thanks. Windows 7 OS. If I see any more crash logs, I'll try to catch the errors and add them in.

Answer:malware problem, rootkit? Trojan keeps coming back.

DownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive) DownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results here

9 more replies
Relevance 70.11%

Hi

My topic is similar to "Hacktool.rootkit keeps coming back!, Do not know how to fix" posted here on 30 March by Peterbtw921.

Yesterday Symantec started removing various files from \Windows\System32\drivers folder, but they kept reappearing under different names every hour (such as systemntmi.sys, acpi32.sys, systemntmi.sys, etc). Overnight my computer crashed with a Blue Screen, memory overfill I reckon. This morning Symantec started combating same files every 5 minutes. About 30 minutes ago - after I found you and read about Hacktool.rootkit, my computer came under attack: someone is trying to send out various messages (not sure with which application, notifications came out of the bottom right corner). Some of these are stopped by ZoneAlarm firewall (outbound activity - too many messages), others are stopped by Symantec. With all these notifications it became impossible to work on the computer.

I am aware of your policy requiring me not to seek advice elsewhere and not applying changes to my computer.

Many thanks in advance

Vitaly

DDS.txt log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DDS (Ver_09-03-16.01) - NTFSx86
Run by stream at 10:03:06.42 on 08/04/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1251.7.1033.18.2046.902 [GMT 1:00]

AV: ZoneAlarm Anti-virus Antivirus *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Anti-virus Firewall *enabled*

============== Running Processes ==... Read more

Answer:Hacktool.rootkit keeps coming back; computer under attack

Hi vitaly7,Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.Please give me a little time to go through your log and I will also let you know that I am a trainee so each stage of the fix will need to be checked by an expert coach before I post so there may be a slight delay. Don't worry I won't abandon you. Please subscribe to this topic, if you haven't already, and wait for me to get back to you.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
Please reply to this post so I know you are there.The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 2 days I will bump the topic and if you do not reply by the following day then I will close the topic.Thanks

12 more replies
Relevance 69.7%

Hello,A few days ago, I suddely got spammed by some fake antivirus called "Antimalware".I suspected it was fake so proceeded to boot up my pc in safe mode and Google the sollution.From there I've read in similar situation that I should download "Malwarebyte's Anti-malware".I updated it to version 1.42 and let it scan without any programs on safe mode. It found 35 or so infected virusesand deleted em. After this I rebooted my pc and everything was working fine again, except that I couldnt run checkdisk or defragmentation. When i rebooted my PC again, my pc kept crashing when trying to open simple things like 'My computer' or internet, but at least the spamming of AntiMalware was gone. I rebooted it again in safe mode, scanned again and it found 3 files. Each time I delete these (called: 2x trojan.FakeAlert and Rootkit.TDSS) they keep coming back when I reboot. i'm now typing this in safe mode as I cant open internet on normal mode.Here's the log of my last scan: (It's in dutch so I hope you can read it - if not I can do it in englishMalwarebytes' Anti-Malware 1.42Database versie: 3392Windows 5.1.2600 Service Pack 2 (Safe Mode)Internet Explorer 7.0.5730.1119-12-2009 12:42:44mbam-log-2009-12-19 (12-42-44).txtScan type: Volledige Scan (A:\|C:\|D:\|E:\|F:\|G:\|)Objecten gescand: 261760Verstreken tijd: 33 minute(s), 26 second(s)Geheugenprocessen ge?nfecteerd: 0Geheugenmodulen ge?nfecteerd: 1Registersl... Read more

Answer:Trojan.FakeAlert/Rootkit.TDSS viruses keep coming back

Rootkit.TDSS\\?\globalroot\systemroot\system32\H8SRThxvgjklylq.dll (Trojan.FakeAlert)You are heavily infected with a very persistent rootkitPlease read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log. You will also be instructed to create a Root Repeal LogWhen you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.The HJT team is very busy and it will take awhile to get to your postPlease be patient and good luck

2 more replies
Relevance 69.7%

I have run several scanners (MalwareBytes, SAS, rkill, Sophos A/V and A/R, Rootkit Repeal, GMER, TDSS Killer, etc). Originally I found and removed some problems, mainly via MBAM. All scans come back clean now but I know something is on here because of some weird behavior. I can't install direct X, it fails with an error stating that the cabinet files are corrupt. Everytime I start IE it says that it is not the default browser. One of the scanners (I think CatchMe) came back saying that the C: drive was not present.

Other than that it is running well. I don't see any browser or search redirects. It doesn't seem to be bogged down. I ran system file checker and it just goes away eventually, I don't get a message that it did or did not repair any files.

There are some weird things in the GMER log, but I don't know what they mean. I included that below as ark.txt

Hopefully you guys can help.
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Garrett at 15:49:09 on 2012-04-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.509 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple ... Read more

Answer:unknown rootkit/malware, scans keep coming back clean

Hello, Welcome to BleepingComputer.I'm nasdaq and will be helping you.If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.===Everytime I start IE it says that it is not the default browser.Go to Menu Tools > Internet Options > Programs tab.Change the settings under "Default Browser" ===Please download ComboFix from one of these locations:Link 1Link 2* IMPORTANT !!! Save ComboFix.exe to your DesktopDisable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not b... Read more

16 more replies
Relevance 68.88%

Referred from here: http://www.bleepingcomputer.com/forums/t/273580/please-help-vista-virus-cannot-seem-to-get-rid-of-it/ ~ OBI have gotten rid of most of my annoying problems but this (trojan.win32.tdss.aalc (v)) keeps sporadically showing up in my Vipre scans. Also Vipre consistently stops (tdlclk.dss) from opening. Here are my DDS and RootRepal logsThank you very much in advance.

Answer:tdlclk.dll, trojan.win32.tdss.aalc, rootkit keeps coming back

I just ran a full system scan and this came up as well.

Trojan.Win32.generic!BT

23 more replies
Relevance 64.78%

I hope that this is in the right section but I am having a problem with my computer. I can constantly hear programs running in the background. I currently have two anti spyware/malware installed on my computer. One is SpyHunter and the other is CyberDefender. They both are picking up on some virus called Vundo and everytime I delete it, it just comes right back. It is so frustrating surfing the internet because it freezes or moves extra slowly. Figured I'd ask you guys before I take a hammer to it lol.

Thanks

Answer:Windows XP SP2 running slow, virus protection catches it but the virus keeps coming back

Hello,i am moving yjis to the Am I Infected forum from XP.Please disable those apps while we do this.Next run MBAM (MalwareBytes):NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Quick Scan" option is selected.Then click on the Scan button.If asked to select the drives to scan, leave all the drives selected and click on the St... Read more

9 more replies
Relevance 64.37%

Hello I've been battling with this fake AV for a while now and I just discovered that Windows Firewall is putting out this error code when I try to restore it, 0x80070424. I am using AVG 2012 as a anti-virus program and running Windows 7 Home Premium SP1 64-bit. If anyone can help me with this I would be forever grateful.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Cole at 12:53:54 on 2011-12-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6062.2980 [GMT -5:00]
.
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k Loc... Read more

Answer:Windows Firewall fails to start and this fake anti-virus virus keeps coming back!

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434544 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

9 more replies
Relevance 63.96%

Hello,
I have a problem ,which ive tried to fix serveral times but it keeps coming back.
This virus is located in Systems 32 folder, Pc Cilling 2005 identified it as TROJ_ROOTKIN.N . Ive gone
to safe mode, deleted it, returned to windows and the virus reapeared, wats more it clogs up Pc Cillin, so now under quarantine i have 100+ instances of this virus, and its increasing.
The virus is labelled hpr34k8

Im sure my Hijack Log is fairly clean... -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:27:53 PM, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin... Read more

Answer:Virus that keeps coming back and back and back, so on

bump, hopefully someone takes notice

19 more replies
Relevance 63.96%

Hello, a few weeks ago I had alerts from ThreatFire saying that "c:\2F2FE1D9C8463A4E6C7466B1CF9E03AD\MPSIGSTUB.EXE"was trying to modify another program, copy itself to multiple locations, I clicked ignore to these after looking it up, and finding out that mpsigstub.exe was related to windows malicious software remover. When I  tried to look inside the folders, they renamed themselves. I started to panic when I found out that its normally in the system32 folder, so my friend came round to help me delete it and remove the registry changes it had made. I know that was a virus, but I'm not sure about these: Not so long ago a very similar directory had been created again, this time with stub.exe in it. I deleted them, and ran an anti virus scan. C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report09186521\WER11A7.tmp.hdmp and C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report11188777 were infected and quarantined . stub.exe was also trying to modify other programs etc. Just today I found two more directories with similar names, such as 70d953ce1268e4d3b8, with eventlog.txt in them. I haven't got any warnings as far as I know, so I want to know if this is the same virus, or even if its actually a virus at all, and I'm just being paranoid. Thanks in advance  PS. I also had a process called conime.exe, I looked it up, and its to do with using an Asian language. Apparently, if this is running while you aren't using an Asian language... Read more

More replies
Relevance 63.96%

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Michael at 19:00:59.98 on Sun 09/06/2009
Internet Explorer: 8.0.6001.18813
Microsoft? Windows Vista? Home Basic 6.0.6002.2.1252.1.1033.18.765.240 [GMT -7:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\vds.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\ag... Read more

Answer:virus keeps coming back help!

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more

2 more replies
Relevance 63.96%

I really need help. Whenever I scan with avast, it tells me there's a virus. I can't delete because it's being used by another program. So I got into safe mode and try to remove it. A while later after I deleted it and back into Windows, I scan again and it's back. It's always in the same place too:

C:\.....\Temporary Internet Files\Content.IE5\ZTNTM02A\movie[1]
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:08 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet ... Read more

Answer:Virus keeps coming back

Anyone?
 

1 more replies
Relevance 63.96%

Hi all,

Looking for a little help here. I have removed a virus now with ESET and malwarebytes and it keeps coming back. See the log below.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Carrie Ann at 19:38:56 on 2012-04-03
Microsoft? Windows Vista? Home Premium 6.0.6002.2.1252.1.1033.18.3963.1965 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agr64svc.exe ... Read more

Answer:Virus Keeps coming Back

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download aswMBR.exe to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start scan.
Wait until it says, 'Scan finished successfully'. ( Note - do not select any Fix at this time)
Click Save log, and save it to your desktop.
Click Exit.
Please post the contents of that log, aswMBR.txt, in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Download tdsskiller.exe and Save it to your Desktop.

Double-click tdsskiller.exe and click 'Run'

Click 'Change parameters' then under 'Additional options' tick both boxes > OK.

Click 'Start scan'.

If no infection is found, click 'Close' and let me know.

If an infection is found, select 'Skip' from the dropdown menu under 'Cure' then ... Read more

10 more replies
Relevance 63.96%

Logfile of HijackThis v1.99.1Scan saved at 9:56:14 PM, on 3/4/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\Program Files\Norton AntiVirus\SAVScan.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exeC:\WINDOWS\System32\wsys.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\Java\j2re1.4.2_06\bin\jusched.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\WINDOWS\system32\wsxsvc\wsxsvc.exeC:\WINDOWS\system32\vmss\vmss.exeC:\WINDOWS\system32\ykyogu.exeC:\WINDOWS\system32\lodbksuj.exeC:\WINDOWS\system32\xmsiaybg.exeC:\WINDOWS\system32&#... Read more

Answer:How do I get rid of my virus, cause it keeps coming back....

Now please Download LSPFix from:LSP-FixDisconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" Button and place all listings of c:\windows\system32\aklsp.dll and c:\windows\system32\dolsp.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section. Press the finish button.Then Reboot.To see a tutorial on how to use this program click the link below:Using LSP-Fix to remove LSP Spyware & HijackersPrint out these instructions and then close all windows including Internet Explorer.Then I want you to fix some of those entries. Please do the following:Please make sure that you can view all hidden files. Instructions on how to do this can be found here:How to see hidden files in WindowsRun Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blankR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tagteamgirls.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blankR0 - HKCU\Software\Microsoft\Internet Explo... Read more

1 more replies
Relevance 63.96%

hello

I have a virus Worm_RBOT.BCQ found on file C:\windows\system32\micront.exe

I have followed to the letter the removal instruction by Trend

I have deleted the file, deleted all Registry reference to this file, deleted all temp files and Bin , all in safe mode..

The virus seems to have been deleted. but when I connect to the net, after a while , virus is detected and all is back to square one..

Please Help!! how can I get rid of this Virus forever....

Thanx
Jadan
 

Answer:virus keeps coming back

10 more replies
Relevance 63.96%

I have a Toshiba laptop that back in March I had a virus and went to to a local PC store and had the virus removed.  A few months later the virus came back and I had a friend remove that virus and all was well for about a week when the virus came back once again and was removed and seems to be removed right now.  I am afraid this is going to happen again and want to know if you can check the HiJack This log here to tell me if there is something seen that I am not able to identify as a virus.  I did use the self help scan tool but I dont really know what I am looking at.  The scan is here http://www.computerhope.com/cgi-bin/process.pl?o=20192628.I run McAffee AV on this laptop along with MalWareBytes and MS Windows Defender.  I did updates and scans to each one of them 2 nights ago both in normal mode and in safe mode and none of them are returning any bad files, however, I am reluctant as this has happened three times now.  I am wondering if there is a hidden rootkit file that the softwares are not picking.I run the following system:OS Name   Microsoft? Windows Vista? Home PremiumVersion   6.0.6002 Service Pack 2 Build 6002Other OS Description    Not AvailableOS Manufacturer   Microsoft CorporationSystem Name   CHARLENE-PCSystem Manufacturer   TOSHIBASystem Model   Satellite A305System Type   X86-based PCProcessor  &nb... Read more

Answer:Virus Keeps Coming Back

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. 1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.2. The fixes are specific to your problem and should only be used for this issue on this machine.3. If you don't know or understand something, please don't hesitate to ask.4. Please DO NOT run any other tools or scans while I am helping you.5. It is important that you reply to this thread. Do not start a new topic.6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.7. Absence of symptoms does not mean that everything is clear.If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. *************************************************************************SUPERAntiSpywareIf you already have SUPERAntiSpyware be sure to check for updates before scanning!Download SuperAntispywa... Read more

12 more replies
Relevance 63.96%

i just wanted to noe if i was clean or not..
 

Answer:virus kept coming back

No you are not clean yet. I need the C:\MGLogs.zip --> from running the C:\MGTools.exe.
 

11 more replies
Relevance 63.96%

http://www.bleepingcomputer.com/forums/topic433509.html/page__p__2516707__fromsearch__1#entry2516707

Answer:Virus keeps coming back

Please follow the guidance in post number 2 in that topic.

1 more replies
Relevance 63.96%

Running Malwarebyte's Anti-Malware and i get the same results everyday. I also get redirected when using google. My Malwarebytes results are:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/11/2009 6:25:05 PM
mbam-log-2009-05-11 (18-25-05).txt

Scan type: Quick Scan
Objects scanned: 134478
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\roger.spiller\protect.dll (Worm.Autorun) ->... Read more

Answer:Virus Keeps coming back

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Having problems with spyware and pop-ups? First Steps




link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Relevance 63.96%

Hello,

I am using a 64 bit version of windows vista. I have a virus on my computer that keeps coming back. Usually I am able to remove viruses on my computer using a combination or rkill, malwarebytes, and super anti spyware, but this specific virus keeps coming back, even after I clear it with malwarebytes. Also the virus wont let me update my malwarebytes software. I have tried to do a sytem restore, but everytime I click on the icon, i am asked to select a program to open system restore with, and I am not sure which program to pick. On my desktop there is a suspicious icon named system restore. Any help would be greatly appreciated.
Thanks

Answer:Virus keeps coming back

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies
Relevance 63.96%

Hello, ago 2-3 weeks I got some viruses, i tried to delete them but they come back everytime..
The viruses are in 3 drivers (D,E,C) and also i got another virus named Backdoor.Agent
By the way I use Windows XP
Can somebody help me?

Answer:ms-dos virus keeps coming back

Hey?

7 more replies
Relevance 63.96%

There's a virus named wlzxha.exe in C:\WINDOWS\system32\ that keeps coming back after I delete it. The virus is "Downloader" according to Norton. It deletes fine (I've done it in safe mode) but it seems to come back after each restart.

I have already run a virus scan and spyware scan multiple times.
 

Answer:Virus keeps coming back

13 more replies
Relevance 63.96%

Hi,Norton found the virus called Back door greybird.k on C:\windows\G_server_hook.dll.I logged on to the safe mode and deleted the G server. exe and dll file.But Norton keeps finding this virus. How can I clean the virus?Thanks very much. (Moderator edit: moved post to more appropriate forum. jgweed)

Answer:Virus coming back again and again

Symantec Security ResponseI'd recommend submitting a hijackthis log here.How to submit a hijackthis logDownload HijackthisTry running the following from safe mode (Getting to safe-mode) Sysclean you'll also need the virus template file from here lpt***.ziporDrWeb CureITIf your good with the command line also try Sophos Command Line scannerAlso try installing and running A2 Free and EwidoI'd also run Spybot and AdawareIf your using Win2K/XP run adaware/spybot from "safe mode with command prompt"At the C:\ prompt type the following:-cd\C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofixcd\C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

2 more replies
Relevance 63.96%

So my computer got a virus from a game that I tried downloading. Avast! did a boot scan and got rid of it, but a day or two later, I got messages from Chrome that said I had a virus again, but of course those are usually scams. I did another scan, just to be safe, and Avast! found two items, got rid of them, and ran another boot scan, just to be safe.

Next day, I figured it had to be from Chrome because of the fact that I attempted to download the game from Chrome and was getting odd popups and such but IE wasn't doing that. So I deleted it. My friend suggested downloading Malwarebytes so I did that as well. It found two more Trojans and so did Avast! after a full system scan. Got rid of those as well and found they were gone afterwards.

I can't tell if my computer is infected again but earlier Malwarebytes apparently blocked a couple malicious websites, and since Avast! usually did that when the virus would come back, I ran another scan and found one thing, a YouTubeAdBlocker, I don't know if I wanted to get rid of that because an AdBlocker sounds like something I would want to keep and I heard that sometimes, Malwarebytes finds things that aren't really dangerous, but idk I am not an expert. I tried not to worry about it after that but I just want to be safe.

I am running two full system scans as we speak with Malwarebytes and Avast! to see if they will find anything that way since quick scans didn't find anything (except the AdBlocker again) and... Read more

Answer:Virus that keeps coming back?

Hi,
In order to help you, we need reports generated on your system. Please follow this topic and attach requested reports: http://malwaretips.com/threads/malware-removal-assistance-how-to-get-help.20334/
 

1 more replies
Relevance 63.96%

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program File... Read more

Answer:Virus keeps on coming back

Anyone?

4 more replies
Relevance 63.96%

Hiwould like some help please, avg removes virus, but next day it is backRegardsDerekLogfile of Trend Micro HijackThis v2.0.2Scan saved at 18:24:19, on 02/11/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\sttray.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Canon\MyPrinter\BJMyPrt.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files&#... Read more

Answer:virus keeps on coming back

Hello ziggyzig Welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay however we are all volunteers and it gets very busy around here. I will be assisting you from here on out.I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.Please perform the following:Please do an online scan with Kaspersky WebScannerClick on Kaspersky Online ScannerYou will be prompted to install an ActiveX component from Kaspersky, Click Yes.The program will launch and then begin downloading the latest definition files:Once the files have been downloaded click on NEXT
Now click on Scan SettingsIn the scan settings make that the following are selected:Scan using the following Anti-Virus database:Extended (if available otherwise Standard)
Scan Options:Scan Archives
Scan Mail BasesClick OKNow under select a target to scan:Select My Com... Read more

9 more replies
Relevance 63.96%

For the fourth time in the past few months, I have been experiencing strange pop-ups blocking my use of various programs. Twice, my IT dept. attempted removal of the virus, which looks like a virus warning from McAfee but will not allow removal or the use of the programs it is blocking. This time around it was blocking my use of Internet Explorer and Outlook.

A screen popped up and each time I tried to open the programs it would log a warning in the screen. The screen showed options for removing the items logged, however it would not respond to clicking any of the options and would only go away if I closed it out completely. If I did close it, as soon as I attempted to open those programs again, the warning would reappear. This is nearly identical to the last two or three times I have experienced this, with a couple weeks in between occurences.

I rebooted several times and recieved a pop-up message from Windows saying "Windows has recovered from a serious error." The third time I rebooted, it actually allowed me to open these programs without the warning. The first two times it would not go away. This has happened a couple of times prior, where that message seemed to temporarily fix my issue.

Is this a real virus that is hidden in my computer? What can I do to remove it completely?

Answer:Virus that keeps coming back

Hello can you run an MBAm scan and post a log back .. Let's see what it may show.Next run MBAM (MalwareBytes):Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link 1alternate download link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Quick Scan" option is selected.Then click on the Scan button.If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top... Read more

7 more replies
Relevance 63.96%

I'm not sure whether it's a virus, trojan, spyware etc but I have something running on processes which takes up around 180k memory. Everytime I close the process it re-appears but as a different name... For example, as of now the process is called 'xsggsz.exe' but now I've closed it and it's re-appeared as 'vzdfme.exe'

I've used spysweeper, McAfee, Ad-Aware and system mechanic to try and get rid of it but it just won't budge.

I'd appreciate any help regarding this.

Thanks!
 

Answer:Virus That Keeps Coming Back!

go to http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm and click on



scan your pcClick to expand...

Panda has the most upto date scanner I've seen

also if you do not have a firewall - you really need one.
I've used the free version of zonealarm for a number of years, and never had a problem, except a couple of times when I turned it off to access a site (that was real dumb)
 

1 more replies
Relevance 63.96%

Combofix just restarts my computer and won't run and nothing can find the virus but it's there. It started as a fake antivirus, then when I deleted it it created win 7 antivirus 2011. I think I got rid of that one too, but now everytime I click any link it takes me to some random add page instead. I've already did a system restore from days ago and even that didn't work, but it stopped my problem with running .exe's from the win antivirus.

Answer:Virus just keeps coming back!

Hello having run ComboFix we need to see that and a DDS log.As you now see Combofix is not to be run like a commmon tool. It's why we post this above the malware forums.ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Please go here....Preparation Guide ,do steps 6 - 9.Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.Skip the GMER step and instead post the ComboFix log you posted earlier.Let me know if that went well.

3 more replies
Relevance 63.96%

It all started last week when my computer contracted Trojan.Nebuler. My copy of Norton could'nt get rid of it so I downloaded various so called fixes. In the end I had to manually delete the trojan following the instructions on symantics web site - but that was when the fun really began. All sorts of pop up software has been appearing e.g. SysProtect, Drivecleaner and adult sites. Plus the computer has slowed down to a crawl. I have scanned my machine using Norton and AVG and Trend Housecall. And although they find new viruses, and remove them, they keep on coming back. I also downloaded and installed a Registry cleaner - to see if this would speed the thing up a bit, hope i havent deleted anything important (although it says I can recover the lines I have deleted). Can anyone help - here is the hjt log.


Logfile of HijackThis v1.99.1
Scan saved at 10:05:18, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program F... Read more

Answer:Virus keeps coming back!

16 more replies
Relevance 63.96%

My computer has been acting up and now a virus keeps appearing even though my virus scan deletes it when it appears. Now my desktop icons are changing and folders are missing. Please help. Thanks in advance to all who reply! Logfile of HijackThis v1.99.1Scan saved at 4:39:20 AM, on 8/31/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exeC:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exeC:\Program Files\QuickTime\qttask.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Messenger\msmsgs.exeC:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exeC: ... Read more

Answer:Virus keeps coming back

Hi noobie_comp_geek,

Sorry for keeping you waiting.

If you still need help, please answer these questions:

- What's the name of the virus?
- Where (in wich file and/or folder) is the virus found?
Jan

1 more replies
Relevance 63.96%

Hopefully I've included enough information and made this topic correctly...
 
Basically I had an issue where my microphone would mute itself, figured it was a virus, and ran malwarebytes. It found stuff, removed it, and everything worked fine... for about a few hours. A few hours later the same thing occurred, ran malwarebytes again and found the same thing: "dnsl64.exe" detected, along with other things that it appears to be downloading. No matter how many times I remove it it seems to come back, and googling dnsl64.exe popped up no results that I could find and then each scan (after a few hours) pops up a bunch of junk, even if I leave the computer idle. It also downloaded something that appeared to change my browser homepage to "search.snapdo.c*m" if that helps diagnose anything.
 
I've attached the MWB and FRST logs, hopefully they help diagnose what the problem is! Thank you in advance for any help, would really appreciate getting rid of this nasty thing.

More replies
Relevance 63.96%

Hello,

I have been using Kaspersky and it has been finding this. Even after deleting it, it still seems to come back. Below are pictures which may help.






I didn't download AVG since I had those pics posted above. Hopefully this is okay. I appreciate very much in advance any help that may be given.

I am interested in knowing what in the world this thing is!

-MDB
 

Answer:Possible virus...keeps coming back!

Welcome to MG's!

Something didn't go right, let's run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Before running the above, you MUST shut down ALL antivirus and antispy programs you have running.
 

1 more replies
Relevance 63.96%

Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search) which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or anti virus programs I have can stop the reinfections.

I have gone into safe made, used CWShredder, CClean, Kill2Me, HSRemove and Stinger. Also RAVAntivirus online scan, Bitdefender online scan, AdAware SEplus and Norton Antivrus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used Hijack This to find and fix some other suspicious entries.

But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

Below is a recent Silent Runners report, followed by a HiJack This report:


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NBJ" = ""D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead So... Read more

Answer:Virus Keeps Coming Back

16 more replies
Relevance 63.55%

EDIT:Moved to appropriate forum,Virus, Trojan, Spyware, and Malware Removal Logs ~~boopmeLogfile of Trend Micro HijackThis v2.0.4Scan saved at 10:25:51 AM, on 10/2/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16981)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Lavasoft\Ad-Aware\AAWService.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\WINDOWS\system32\CSHelper.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exeC:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Winamp... Read more

Answer:Browser redirecting virus///Virus keeps coming back//Thank You

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the ... Read more

2 more replies
Relevance 63.14%

It keeps detecting this 4 rootkits:

Win32:Alureon-DJ[Trj]
Win32:Alureon-BR[Rkt]
Win32:Alureon-DJ[Trj]
Win32:Alureon-BR[Rkt]

What shhttp://forums.majorgeeks.com/newthread.php?do=postthread&f=35ould I do?
 

Answer:Avast! Detects and removes "Alureon" Rootkit but it keeps coming back.

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide
and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.
After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
If you cannot seem to login to an infected user account, try using a different user account (if you have on... Read more

1 more replies
Relevance 63.14%

Somebody please help! I've tried everything I know of...
The other day while my little sister was researching something for a project on our home computer, she clicked on a link and a window popped up saying, "Congratualtions.! Your our winner for today blah blah blah". =( When I saw it, I knew it was a virus attempt because I came across this once before when my brother was caught looking at porn smh
Anyways, I ran three different Virus Scanners, Mcafee, Threatfire and AVG, and all three said there was no infected file on my computer. Yet, every twenty (20) minutes, Threatfire virus alert would pop up with the location and name of the infected file. Each time, I selected 'Kill and Quarentine', and each time, the application disappears only to reappear later in the next twenty (20) minute time frame. Oh, and whenever anyone tries to use a search engine, youtube or any website where you have to enter data into a search field, a separate window pops up like ex: randomtext.jempca.randomtext. And it always redirects to some kind of online 'shop', 'search engine' or another 'Congralations.!' message pops up.
I went online to research what I could about manually removing a virus using the computers CMD. I tried it a few times to get rid of the folder the viruses would constantly pop up in, but the virus would still pop up. The location is always C:/Windows/Temp/ which I found wierd because I thought most viruses would pop up... Read more

Answer:Infected? Virus keeps coming back.!

This time when it Threatfire alerted me, i located the Temp folder and there was five (5) different hki****.exe files!

8 more replies
Relevance 63.14%

Working on a friends computer that had some viruses. I ran malwarebytes and that cleaned out about 15 problems. Gave her back her computer and the next day she had the same problem. Not sure what is going on but when the virus kicks in, it also changes the proxy setting so that she cant use the internet. Any ideas?

Thank you.

Answer:Virus problem keeps coming back---help

Some infections will alter the Proxy settings in Internet Explorer which can affect your ability to browse, update or download tools required for disinfection. Check/reset the Proxy Settings as follows:Press the WINKEY + R keys on your keyboard or go to > Run..., and in the Open dialog box, type: inetcpl.cplClick OK or press Enter.Click the LAN Settings... button and uncheck Use a proxy server for your LAN
or change the settings to the proxy you normally use if you previously reconfigured it.Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.Click Ok and then click Ok again.Close Internet Explorer and restart the computer.If using Firefox do this:Open Firefox, click Tools > Options > Advanced and click the Network Tab.Under the Connection section click on the Settings... button.Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.Click Ok and then click OK again.Close Firefox and restart the computer.For other browsers, please refer to How to configure browser proxy settings.Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itsel... Read more

7 more replies
Relevance 63.14%

DDS (Ver_09-07-30.01) - NTFSx86
Run by Logan at 1:02:41.45 on Sun 08/09/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============
============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [braviax]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ms18_word] c:\documents and settings\logan\ms18_word.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /F... Read more

Answer:need help been using my virus software but they keep coming back

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more

2 more replies
Relevance 63.14%

Hi,

I have an amazingly annoying problem which keeps coming back (even after windows format), I keep getting errors which wont allow me to start,open,delete,install files. Just messes up the whole system.
The errors are:
When I want to install program - Nothing happens OR Internal Error: Failed to expand shell folder constant "userappdata"
When I want to start program - Nothing happens OR mpr.dll is missing OR netutils.dll is missing
If I want to delete a program - "An error occurred while trying to uninstall program. It may have already been uninstalled"
Startup programs won't start - netutils.dll is missing OR mpr.dll is missing

I did a fresh install on my SSD, everything was working great but after couple of days it came back.
What's going on here?

Answer:Virus/Trojan keeps coming back?

Sounds like a bad installation. Where did you get your Windows 7 installation media from?

7 more replies
Relevance 63.14%

Hi, I got a virus that keeps coming back in my Temp folder, "WindowsUpdateKB12695__7428_il31477.exe" , "tmp4191.tmp.exe" , "tmp9E32.tmp.exe" it appears once a day and I can remove it by running malawarebytes, but it keeps coming back after a few hours. It tries to install a program as soon as it appears in my Temp folderI have a feeling I might be infected with a Rootkit... I tried running Malawarebytes anti-malaware, malawarebytes anti-rootkit, tdsskiller and combofix with no luck, it still comes back every few hours or everyday.I think this virus appeared when I got some new drivers for my AMD graphics card, but I am not certain... I cannot do a system restore because I didnt have any restore points before I downloaded the drivers... ... .I would like to know if one of you more experienced user could help me with my issue. Thx in advance!Edit: Moved topic from Windows 7 to the more appropriate forum, due to member having already run ComboFix. ~ Animal

Answer:Virus keeps coming back in Temp

I found an "$RECYCLE.BIN" in my second harddrive, I think Im infected with Zero Access, but its on another internal harddrive which is not the one my operating system is on, I feel like all the scanners are only scanning my main harddrive where my operating system is located, so they cant find the virus!
​ How do you delete a Zero acces rootkit in a second internal hard drive?

20 more replies
Relevance 63.14%

i've alreadys started discussing this in a different thread, but due to new and disturbing occurences, i felt the need to start a whole separate thread on the matter, i hope that's ok.

ok, as a background: i did a Panda virus scan yesterday and it found VBS/TheThing in my pc. it was located in the Temporary Internet Files folder. Panda got rid of it. so, fine.

Today, i decided to do another virus scan just to be thorough, so i run the Panda scanner again. and again it found VBS/TheThing !!!
location: Temporary internet files\content.IE5 folder.
don't know how i could've been exposed to it, since the last scan i haven't been to any sites other than here at TSG and Norton, nor have i done any downloading of anything that could be suspect whatsoever. i don't know how i got it again!! and this is what disturbs me further, Panda didn't get rid of it this time; i checked the scan report, and the action taken just said "infected". not deleted or renamed, just 'infected'
(last scan Panda "renamed" it). why could this be??

since it was found in the Temp internet files folder, naturally i deleted everything in it. but what i'm wondering is why it keeps coming back?

and does anyone know exactly about this VBS\TheThing virus?
 

Answer:VBS/TheThing virus keeps coming back!!

9 more replies
Relevance 63.14%

I've ran malwarebytes,SuperAntiSpyware, and Sophos is running now. The Virus won't come off and when I run a scan in safe mode it says it's gone but in regular it says it's there. The virus redirects every link I click on in google go to some other ad. Please help. I'll update if Sophos removes it.

Oh By the way Malwarebytes says
Trojan.dropper.bcminer
Rootkit.0Access
Rootkit.0Access

Edit: Ran Sophos...did nothing...

Answer:Horrible Virus, Keeps coming back.

Please do not run any tools unless instructedDownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive) Do not change the default options on scan resultsDownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results hereDownloadESET online scannerInstall itClick on START,it should download the virus definitionsWhen scan gets completed,click on LIST of found threatsExport the list to desktop,copy the contents of the text file in your reply

15 more replies
Relevance 63.14%

I use Avast 4.8 to check my system and try first a "move to virus chest" when I was notified I had a virus. When I "move the virus to the chest" it just keeps coming back as a new virus almost immediately wit the virus warning. Then I tried the "repair" option in Avast, but it always said an error has occured... File name was: C:\System Volume Information\ _restore{7F7BE6F8-0D6A-488B-ABD ... Note Malware name: Win32: Trojan-gen(other)... I ran HijackThis and here is the log....



Please walk me through as I'm a novice on this computer stuff,,, thanks in advance...



Geof



Logfile of HijackThis v1.99.1

Scan saved at 8:38:24 PM, on 11/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps... Read more

Answer:Trojan virus keeps coming back!

11 more replies
Relevance 63.14%

I am looking for some help.  I am running Windows 7 and IE8 and have started to get constant redirects.  Malware found two viruses Rootkit.0Access and Trojan.Dropper.ED.  Malware now shows no problems but the redirects keep comin back.  At least I can still use the the computer for now.  Any help is certainly appreciated.  
 
Bryan  

Answer:Redirect virus keeps coming back

Hello Bryan I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", t... Read more

32 more replies
Relevance 63.14%

hi, i use windows xp and i recently encountered a virus. my antivirus software, avast!, called it Win32:Trojano-207 [Trj]. i tried to delete it but a few seconds later the warning message for the same virus popped back up. i tried to do a startup scan but that also didnt work. i used adaware and also spybot but nothing worked. can someone please help me here! thanks in advance!

Logfile of HijackThis v1.98.0
Scan saved at 12:34:15 AM, on 7/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

i really appreciate any help!
 

Answer:trojan virus keeps coming back!

7 more replies
Relevance 63.14%

my pc was infected several days ago, i have eliminated it but, once in awhile it comes back. i dont know what else to do. please help. maybe im just paranoid but my pc runs slower than usual. specially the explorer. i have pasted a hjt log, just in case you need it.
any advise is very much appreciated.
thanks
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:36:19 AM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\RINGZS~1\STORMC~1\Stormser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\VIA\RAID\raid_too... Read more

More replies
Relevance 63.14%

Hi,

My pc seem was affected by virus, after i'm reformated it the virus still coming back..
Any help will be appreciated
Thank alot

Here is my logs files
Logfile of HijackThis v1.99.1
Scan saved at 7:53:35 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Temp\system1.exe
C:\WINDOWS\system32\k11833762731.exe
C:\Program Files\Common Files\System\commond.pif
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\LC\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [Microsoft Autorun1] C:\WINDOWS\system32\nwizdh.exe
O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe
O4 - HKLM\..\Run: [ryy]... Read more

More replies
Relevance 63.14%

Hello,
I seem to have gotten some viruses-worms,trojans that I can't seem to get rid of. My internet pages started to redirect, mainly to various advertising sites and of course adult sites and fake virus scanners. I scanned with Microsoft security essentials and got rid of everything but it kept on happening so I got Malwarebytes and scanned again. It cames up I had win32.autorun.tmp so I got rid of it restarted and scanned again but it was there again. I tryed again but this time the scan was almost done and I got the BSOD which happens everytime now. I then tried Spybot S&D and it scans fully but can't get rid of all infections because some of the files are in use. My computer wont boot in safe mode. I have no idea how to fix this Please help.

Answer:Virus/ worm keeps coming back

I'm not trying to bump my post I promise but I just realised that I left out some crucial information in my original post. When I start up my computer Spyhunter pops up to say that my Hosts file has been changed and that I should restore it, which is what I do. Should I be doing that? Also whenever I run a virus scan I disable the other anti-virus progams that are installed to stop anything conflicting. I can't update windows, I get an error that says "Windows could not search for new updates an error occurred while checking for new updates for your computer. code 80072EFE" I hope this extra information helps. Merry Christmas everyone.

2 more replies
Relevance 63.14%

Hi I had my securtiy program AVG pickup a vundo trojan 2 days ago. I used combo fix to try an eliminate the problem and it deleted about 12 files and the computer is back at normal speed for now.When my AVG software ran again today it pickup 2 new threats. One .sys file, and one .dll file:Win32/cryptorGeneric10.allgThey are showing up as _restore enteries. Did I not have the virus completely removed and it is trying to reproduce itself?Thanks,Here is my hijack this log. How do things look?Logfile of Trend Micro HijackThis v2.0.2Scan saved at 03:29, on 2009-01-22Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\WINDOWS\Explorer.EXEC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\... Read more

Answer:Vundo virus coming back?

The problem is that the infection is in your system restore files. Its not trying to get back in, but if you have to use system restore it would be. Here is how to get rid of that,Disable and Enable System Restore. If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.Here are some good tutorials for that. Windows XP System Restore Guide Reboot Re-enable system restore with instructions from tutorial aboveCreate a System Restore PointGo to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.After you do that, do a complete scan with your tools that you have and see what they say. If they show anything other than tracking cookies, post up the logs.

2 more replies
Relevance 63.14%

I have installed malware software, even there is a QUICK HEAL ANTI SOFTWARE installed in my computer. System got stuck and applications are running slowly due to virus problem, I want to remove virus and wants to improve system performance. I want to know how to fragment(don't know) the system or reboot.

Answer:How to remove a virus that keeps coming back?

Hello and Welcome.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Spyware 1st Steps




link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 63.14%

Hey guys I have scanned with Malwarebytes, Superanti Spyware, and Hitman they all have said none except Malwarebytes and I know its right because my computer will randomly shut off some times.

Answer:Virus. keeps coming back.Winsvcs.exe

Hello please post that MBAM log.The log is automatically saved and can be viewed by clicking the Logs tab.Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.Is it Winsvcs.exe or winsvc.exePlease Download TDSSkiller Launch it. Click on change parameters-Select TDLFS file system Click on "Scan".Please post the LOG report(log file should be in your C drive) Do not change the default options on scan results.>>>>ADW CleanerPlease download AdwCleaner by Xplode onto your desktop.Close all open programs and internet browsers.Double click on adwcleaner.exe to run the tool.Click on Delete.Confirm each time with Ok.You will be prompted to restart your computer. A text file will open after the restart.Please post the contents of that logfile with your next reply.You can find the logfile at C:\AdwCleaner[S1].txt as well.>>>>>>ESET ONLINEI'd like us to scan your machine with ESET OnlineScanHold down Control and click on this link to open ESET OnlineScan in a new window.Click the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.Double click on the
icon on your desktop.Check "YES, I accept the Terms of Use."Click the Start button.Accept any security warnings fr... Read more

9 more replies
Relevance 63.14%

Can anyone help me remove the "not-a-virus"? Zone ALarm finds it and removes it, but it keeps coming back. Computer is SLOOOOW. NOt sure how to proceed. HELP!?
 

More replies
Relevance 63.14%

Unfortunately I keep getting my isp suspended due to trojans, initially it was something different but now they are telling me it's Torpig. I thought I had removed a few trojans, and they seem still gone on repeated scans with programs such as Panda, Malbytes and SuperAntispyware but again on April 9th my account got suspended. Here's my Hijack This log, can someone please talk me through what might be the issues and how to remove them? It would be much appreciated.Hijack This log(updated after removing some things):Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exeC:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2009\WebProxy.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exeC:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exeC:\WINDOWS\system32\svchos... Read more

Answer:Torpig virus keeps coming back

I removed Panda since it seemed to cause havoc with my browsers. Also removed a couple other things that popped up as trojans:Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\stsystra.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exec:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\A... Read more

12 more replies
Relevance 62.32%

Hi.I'm new here, but i hope somebody can help me.I got a trojan virus called "Trojan.Agent.Gen" or "Trojan.Agent.cn" by malwarebytes antimalware.It creates a file called svchost.exe in appdata\local\temp directory and everytime i stop it with malwarebytes antimalware it comes back again after restarting my computer.I provide some screenshots below, but the malwarebytes antimalware is in Norwegian language, but you can clearly see the Trojan name.PS: I'm using windows 7 home premium.

Answer:Trojan virus keeps coming back after removal

Please do the following:Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.e... Read more

21 more replies
Relevance 62.32%

Hello guys I don't know why but my friends computer keeps getting infected, I've tried everything I hope someone here can help me out! I did a Hijack scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35, on 2009-04-26
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.ex... Read more

More replies
Relevance 62.32%

Referred from here: http://www.bleepingcomputer.com/forums/topic378271.html ~ OBHello!I am encountering a problem this past weeks. It seems that something is creating a virus over and over again on my system. I run a Malwarebytes fullscan and my AntiVirus is Avira premium but to no avail the problem keeps coming back.My Antivirus blocks this kind of virus(12.exe,96.exe,36.exe,igfxdkp2.exe) over and over again in different intervals.Malwarebytes also detect 3 infection but after i restart the infection is back again.I hope someone can help me And for some times there is a "Generic Host32" error something then my audio stops working (but after I restart its back to normal again).Here is my DDS logDDS (Ver_10-12-12.02) - NTFSx86 Run by Marc at 10:03:32.59 on Wed 02/09/2011Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_23Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1210 [GMT 8:00]AV: AntiVir Desktop *Enabled/Updated* {C19476D9-52BC-4E93-8AF3-CCF59F7AE8FE}============== Running Processes ===============C:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\WINDOWS\system32\svchost.exe -k WudfServiceGroupsvchost.exesvchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\... Read more

Answer:Virus keeps coming back and cannot detect the root of it

Hi,* Please download the Suspicious File Packer from here:http://www.safer-networking.org/files/sfp.zipUnzip it to the desktop and run it.Paste the following bold part into the Suspicious File Packer window:c:\windows\system32\igfxman32.exec:\windows\system32\[email protected]:\windows\system32\06.exec:\windows\system32\71.exeAllow SFP to pack the file. This will generate a CAB archive on your desktop.Go to << link removed, to prevent others sending me the same files all the time >>Enter the url of this thread in the first field.Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was been created on your desktop.The cab file will be called requested-files[*].cab (the * stands for the date and hour).Then click the Send File button below.Then, AFTER you have done the above, since I really need those samples, please Update Malwarebytes (using the Update button) and rescan again.Post the latest Malwarebytes log in your next reply together with a new DDS log

12 more replies
Relevance 62.32%

Logfile of HijackThis v1.99.1
Scan saved at 12:21:07 PM, on 16/07/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
D:\Windows\system32\taskeng.exe
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
D:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
D:\Windows\vVX3000.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Windows\System32\CtHelper.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\DynDNS Updater\DynDNS.exe
D:\Users\Brad\Program Files\uTorrent\uTorrent.exe
C:\sigx218b\SigX Beta 2.1.8\SigX.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Interne... Read more

Answer:w32.licum virus found but keeps coming back

Thanks in advance for your help, this is driving me nuts!

13 more replies
Relevance 62.32%

Basically I follow the method where i restore my PC and then scan my computer with both Malwarebytes and HitmanPro. They both always detect a ton of objects that i delete immediately but a day or two later the virus always comes back.

What i THINK is happening, is i've used a restore point that was set by the virus (I had no others) and so the file remains on my PC maybe in my registry? I've tried everything i know and this is really fustrating me any help would be appreciated.

Another thing i observed (and maybe it means nothing) is that when the virus was about to come into affect my avira detected it in my recycle bin. My recycle bin was empty so does that mean it's being restored from deletion or something?
 

Answer:Ukash Virus Scam keeps coming back

Hi and welcome to the MalwareTips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print of the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to nece... Read more

1 more replies
Relevance 62.32%

I got this consumer input virus about a week ago.. I've done a malware scan with malwarebytes and it quarantined it about 3 times.. and each time it keeps coming back.. The virus itself just has a bunch of annoying popups and just keeps changing my chrome settings. Operating System is Windows 8.1 64 bit.. Can someone help?

Answer:Consumer Input virus keeps coming back

Welcome to BC !
The programs below have a good track record of finding and removing most adware and a lot of malware.
Malwarebytes' log of what it removed can be found under the history tab. Please post the results of the scan that you refer to. Also check MBAM's 
settings and be sure that scans for PUPS and Rootkits are enabled. If they weren't, run a new scan with those enabled.
 
Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the
Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.
After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.
CCleaner - PC Optimization and Cleaning - Free Download
download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
After reviewing the log, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Cop... Read more

3 more replies
Relevance 62.32%

I've been working on getting a very nasty virus off my WinXP Home Edition PC.

I initially could not get anything to run. The virus had done the following:
1) Disabled all antivirus software I could run (including Spybot Search & Destroy, MBAM, SuperAntiSpyware, Combofix, Avast to name a few)
2) Windows Update would not run - error message that it could not run in Safe Mode (I was logged in as Administrator in normal boot up)
3) Permissions were changed on many of my files by adding a new group and changing the normal administrator privileges.
4) Changed registry keys to always get safe mode enabled while logged in as Administrator thus not allowing many critical programs to run.

In any case - I was able to get the computer back to running but I still cannot find the virus because it is still lurking and reloads randomly (or seemingly randomly). I've run out of options so I'm posting here to get some help finding where this thing is actually hidden.

Last MBAM log before everything was back to normal (at least for a couple days)

Malwarebytes' Anti-Malware 1.39
Database version: 2516
Windows 5.1.2600 Service Pack 2

8/9/2009 11:33:00 PM
mbam-log-2009-08-09 (23-33-00).txt

Scan type: Quick Scan
Objects scanned: 144868
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infe... Read more

Answer:Very nasty virus keeps coming back - No Matter What

Please uninstall Mbam and download the newer version 1.40Update it and run a full scan------------------------------Then run ATF and SASATFPlease download ATF Cleaner by Atribune & save it to your desktop.Double-click ATF-Cleaner.exe to run the program.Under Main "Select Files to Delete" choose: Select All.Click the Empty Selected button.If you use Firefox browser click Firefox at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser click Opera at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".------------------------------------SAS,may take a long time to scanPlease download and scan with SUPERAntiSpyware FreeDouble-click SUPERAntiSypware.exe and use the default settings for installation.An icon will be created on your desktop. Double-click that icon to launch the program.If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Insta... Read more

8 more replies
Relevance 62.32%

Hello I am new to your forum, computers and the internet so please bear with me

Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

My Msn box started to dance all around my screen, and to my suprise, this trojan/virus started to send out the same file to others that where my contacts and had there Msn Live messenger box on at the same time I had, posing it self off as me sending it

Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

I then used my Spysweeper and it came up stating I was Infected with W32/IRCBot-xx, I Quarantine such, cleaned out my Quarantine and then proceeded to do more scans how ever after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

Now there after seeing that, I was more then a little upset, so I made a few phone call's to my Grandsons friends, whom are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

That did not help either because this darn W32/IRCBot-xx keps coming back and showing up In my Spysweeper

I would like to know if some one here can give a Old Man a tad of a little guidance please with regard to my problem

I have done many scans and cleaning with Norton IS 2007, Spy Swee... Read more

Answer:Trojan/Virus W32/IRCBot-xx Keeps Coming Back

6 more replies
Relevance 62.32%

Hi everyone,A few days ago I got infected with the Win 7 2012 virus and followed the instructions on this pageto remove it. Everything seemed fine for a day or so but after that an AVG window pops up saying that it found a problem with consrv.dll. When I try to quarantine consrv.dll the Win 7 2012 virus immediately returns and starts closing my windows and sending pop-ups. I have since followed the instructions on the above page twice and the Win 7 2012 virus seems like it's gone each time -- AVG, Malwarebytes, and Spybot Search and Destroy all come up clean -- but like clockwork, AVG will alert me to consrv.dll and then the virus re-appears. I also ran TDSSkiller which removed 1 thing from my computer.I'm not sure how these issues are related exactly and google was not too helpful so I'm requesting some help here. Thanks in advance!

Answer:Win 7 2012 virus keeps coming back/consrv.dll

Hello, lets get a bit of info and do an online scan.Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes: Flush DNS Report IE Proxy Settings Reset IE Proxy Settings Report FF Proxy Settings Reset FF Proxy Settings List content of Hosts List IP configuration List Winsock Entries List last 10 Event Viewer log List Installed Programs List Devices List Users, Partitions and Memory size. List Minidump FilesClick Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.I'd like us to scan your machine with ESET OnlineScanHold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScanClick the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on to download the ESET Smart Installer. Save it to your desktop.Double click on the icon on your desktop.Check Click the button.Accept any security warnings from your browser.Under scan settings, check and check Remove found threats Click Advanced settings and select the following:Scan potentially unwanted applicationsScan for potentially unsafe applicationsEnable Anti-Stealth technologyESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.When the scan completes, push Push ,... Read more

5 more replies
Relevance 62.32%

Hi, new here. I'm posting because my computer started getting hit with random pop-ups, again, mostly whenever I'd run Mozilla Firefox. I ran Malwarebytes and found about 13 infections of the Trojan.Vundo.h virus. I was able to remove most of the files after the scan and some files after rebooting, however, I'm still concerned there might be some trace of the virus left getting through a backdoor of some sort.
DDS (Ver_09-09-29.01) - NTFSx86
Run by Marc Ravelo at 12:36:15.10 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.218 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1356 [VPS 091009-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin... Read more

Answer:Trojan.Vundo virus - keeps coming back

Hello JSpayde,I (as well as MicroSoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.Therefore please go to add/remove in the control panel and remove one of these. AVG Anti-Virus Free or avast! antivirus. ******************Download Security Check by screen317 from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please post the contents of that document. ****************** Download random's system information tool (RSIT) by random/random from here and save it to your desktop.Double click on RSIT.exe to run RSIT.Select Files and Folders created in last 3 monthsClick Continue at ... Read more

2 more replies
Relevance 62.32%

Hi All,

I got infected with the Funshopper virus/malware, but I can't seem to get rid of it. I tried following some manual removal tutorials online, but the instructions weren't clear about how to delete hidden files or mess with registry stuff. So it didn't work. I also downloaded Spyhunter, but that didn't work either because the scan keep hanging/freezing, so I just uninstalled it.

I've attached my FRST.txt scan.

Whenever I remove the Funshopper Chrome extension, it automatically adds itself back!

Please help! Thank you everyone!
 

Answer:Can't Remove Funshopper Virus (it keeps coming back by itself)

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit forum several times at day, making sure to respond to everyon... Read more

11 more replies
Relevance 62.32%

Here is the HijackThis Log first of all.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:51:50 PM, on 3/3/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\Program Files\Alwil Software\Avast5\AvastSvc.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\system32\CTsvcCDA.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\wscntfy.exeC:\WINDOWS\explorer.exeC:\Program Files\Logitech\GamePanel Software\LgDevAgt.exeC:\Program Files\Logitech\GamePanel Software\LCD Manager... Read more

Answer:Can't close "omg.exe" (Virus) Keeps coming back! (Have HijackThis Log)

FIXED THIS SH*T!!!B*TCHES!!!!!

3 more replies
Relevance 62.32%

I have read many posts and have tried many of the suggestions that you guys have giving. I have run ewido security, spyware removal, and anti-virus. They all take things off my computer. I can run of the programs remove stuff and re-run the program 2 minutes later and have the same and new things to remove. My internet is slow because of pop ups opening and trying to open. I have pop up blocker but that stops none of thing. The pop that seems to come up every two seconds has the title THE BEST OFFERS. I ran HIJACK THIS and here is the file.
Logfile of HijackThis v1.99.1
Scan saved at 2:57:48 PM, on 10/11/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.d... Read more

Answer:Slow Computer, virus keep coming back

http://www.noidea.us/easyfile/index.php?folder=2

download Nailfix.zip
Unzip it to the desktop but do NOT run it yet.

Restart in safe mode

Now in Safe Mode:
Double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
==================

Boot

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
Install ewido.
During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido
It will prompt you to update click the OK button and it will go to the main screen
On the left side of the main screen click update
Click on Start and let it update.
DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:

Run Ewido:
Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When the scan is finished, look at the bottom of the screen and click the Save report button.
Save the report to your C: Drive
This will take some time to run!
Boot to normal mode
Post that log and a new HiJack log If the Ewido log is too large attach it.
 

2 more replies
Relevance 62.32%

I have a virus embedded in a file: system32\userinit.exe. I have cleaned and cleaned and it keeps coming back every time I log back on the computer. I want to delete that file and get a new userinit.exe. I tried to do a System File Check to fix it, but I don't have the windows CD that needs to be put in to do that. Is there anything I can download from anywhere to get a new file? Anyone have any ideas?
 

Answer:system32\userinit.exe virus keeps coming back

You can follow this procedure and then I can review your logs and do my best to solve your issues:

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Pleases follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide


and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. ****
Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.


After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
Helpful Notes:


If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable ... Read more

1 more replies
Relevance 62.32%

The problem being as of now is that the viruses wont go away. Every time when a virus would pop up i would always Google it and try to fix it myself. Everything seems fine after finishing all the steps to the guide on how to get rid of said virus but it kept coming back after a day! At first it was the AV Protection 2011 virus and now it's the Win 7 Antivirus 2012. It's exhausting to have to do a scan everyday. Much help would be appreciated.



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_26
Run by Admin at 12:46:11 on 2011-11-27
Microsoft Windows 7 Ultimate 6.1.7600.0.1258.84.1033.18.1016.307 [GMT -8:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Wi... Read more

Answer:The virus keep coming back!: Win 7 Antivirus 2012

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Somethings to remember while we are working together.Do not run any other tool untill instructed to do so!please Do not Attach logs or put in code boxes.Tell me about any problems that have occurred during the fix.Tell me of any other symptoms you may be having as these can help also.Do not run anything while running a fix.Do not run any other tool untill instructed to do so!Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.Please print out or make a copy in notpad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.Run Combofix:You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<Combofix may need to reboot your computer more than once to do its job this is normal.You can download Combofix from one of these links.Link 1Link 2Link 3 1. Close any open browsers or any other programs that are open.2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

15 more replies
Relevance 62.32%

Hi I was wondering if anyone can help me.  I have a Lenovo x120E thinkpad running windows 7.  A week back, MSE picked up a trojan threat and I quarantined it in response.  Subsequently, about a day or so later, I noticed my desktop had changed and the start menu was the older XP style logo.  I thought it was some update from windows and was so focused on my work that I ignored it.  
 
As my computer slowed, I decided to restore to a setting prior to the desktop change, and sure enough, the desktop went back to normal.  as I started looking for things that did not belong on my PC, I found the file C:\programdata\pcDR.  when i tried deleting it, it immediately pretended to delete but made the changes that caused the desktop to change.  I then knew I was infected, redid my system restore.  this time rather than delete the file in window, i went to the command prompt to delete the directory.  it said could not because I did not have admin rights (it is my PC and I am the only user and administrator).  so i had to "takeown", which I did and deleted the file.  Upon googling all the details, I found several threads on here of others who have had the same problem and have used just about everyone of the malware programs that have been listed...combofix, antiroot kit, JRT, etc.  the problem is the folder keeps coming back each day around 3PM...whether I am using the machine or not.  I have gone through the regi... Read more

Answer:PCDR folder with virus keeps coming back

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/533167 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

14 more replies
Relevance 62.32%

I have a virus in system32\userinit.exe. If I run a malware or other type scan it deletes the virus, but the virus comes right back on the next computer start up. I then decided if I could replace the system32\userinit.exe w/a non corrupted one that would take care of it. I think System File Checker can do that, but it asked for the windows XP CD. My computer did not come w/a cd. I was hoping maybe I could download a service pack from microsoft but it is impossible to figure out where to go on that site. Does anyone have any ideas on how to get rid of this bad file and get a new one w/out the CD?

Answer:system32\userinit.exe virus keeps coming back

You probably have a Restore Partition. Hit the F11 Key at bootup to take you to the Restore Partition, this will restore your computer to Factory Defaults. Backup any data you want be for proceeding.
Or you can post in our Security section of this forum to remove the virus.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

1 more replies
Relevance 62.32%

Hello! My computer got infected with XP Security 2010. Ran Malwarebytes and it seemed to fix it for a few days. Got the XP Security 2010 virus again. Ran Malwarebytes again and it seemed to clear up. Now AVG Resident Shield shows "Virus identified Win32/Patched.CG C:\Windows\system32\drivers\atapi.sys. Object is white-listed (critical/system file that should not be removed). Can anyone help me with this? Also, my computer won't let me access the Microsoft Windows Update site. Any help would be greatly appreciated!

Answer:XP Security 2010 virus keeps coming back!

I tried using Malwarebytes to remove the Vista Security virus to no avail. I used Hitman Pro 3.5 (free 30 day trial) and that cleared the problem. Run the update after installing, and be sure to uncheck the option to run a check on your computer when you start up otherwise you'll get stuck in a full ChkDsk run every time you boot up. The file it will find will be something like av.exe or ave.exe. Delete that file.
You may need to install Hitman Pro from a thumb drive if you can't get online due to the virus.

6 more replies
Relevance 62.32%

I've removed this virus sooo many times now, and it seems to keep coming back. Also, now i have the "generic host processes for win32 services has encountered an error" type thing going on, and I'm not sure if it's a virus, a bad driver, or some other error. I've run the Malwarebytes and Avira scan to remove the virus again, but it'll probably return quite soon. Here are my Malwarebytes logs:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6476

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/29/2011 11:29:53 PM
mbam-log-2011-04-29 (23-29-53).txt

Scan type: Quick scan
Objects scanned: 153582
Time elapsed: 17 minute(s), 17 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
c:\documents and settings\Jonathan\local settings\application data\umy.exe (Trojan.FakeMS) -> 3188 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInterne... Read more

Answer:Windows XP Security Virus Keeps Coming Back

Hello,And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.Malwarebytes Anti-MalwarePlease Update Malwarebytes Anti-Malware and run a FULL SCAN, then post the new log here along with the others.SUPERAntiSpyware:Please download and scan with SUPERAntiSpyware FreeDouble-click SUPERAntiSypware.exe and use the default settings for installation.An icon will be created on your desktop. Double-click that icon to launch the program.If it will not start, go to Start > All Prgrams > SUPERAntiSpyware and click on Alternate Start.If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)In the Main Menu, click the Preferences... button.Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):Close browsers before scanning.Scan for tracking cookies.Terminat... Read more

1 more replies
Relevance 62.32%

As said in the title, the Windows Xp Security Center virus keeps on coming back. I've gotten rid of the thing 6 times now, and I'm sure it'll come back again unless I find to cause of it. I also noticed that my automatic updates is off, and I can no longer turn it on. It always says that it's unable to change settings. I have no idea what to do. Anytime I get the virus, I just scan and remove it, but it's becoming a real nuisance, and I want to stop getting it now. Any help would be much appreciated.

Answer:Windows Xp Security Virus Keeps Coming Back

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Having problems with spyware and pop-ups? First Steps




link at the top of each page.

Please follow our pre-posting process outlined below. Use a USB flash drive to download and transfer the tools to the affected machine, if necessary. You might like to run the Flash_Disinfector.exe on the clean machine and the flash drive first to protect against any possible transfer of infection via USB.


NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 62.32%

Avira first alerted me to this problem on 11/23. I had been getting loud annoying pop-up ads when I was browsing youtube, and then saw Avira found EXP/JS.Expack.AZ, EXP/Pidief.dme, and TR/Alureon.A.78. I googled it and found your website and followed the instructions and MBR check said nothing was found so I thought I had gotten rid of it. Avira did scans from 11/23 through 12/4 and no viruses/unwanted programs were found even though I was still having some intermittent problems with annoying pop up ads. Then on 12/5, I got a new Avira warning saying it found two unwanted programs, including TR/Alureon.A.74 and TR/Alureon AYQ Trojan. So I don't know if I got rid of it and it came back, or if it never went away, but I am ready to cry Uncle and humbly request for help! I really don't know how I have gotten this because all I do is browse the internet. Thank you so much for your help. It is greatly appreciated.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.10.2
Run by Meredith at 9:44:50 on 2012-12-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.1264 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
... Read more

Answer:Trojan Alureon A Virus Keeps Coming Back :(

Hello merri23, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.Do you have a USB Flash Drive you can use?

20 more replies
Relevance 62.32%

please help,i have dell d620 running on windows xp, i noticed around 2 weeks ago it was acting a bit strange, running slow etc and sending dodgy emails, i had avast installed and it never oicked up anythin, i could nt system restore , so i reinstalled windows to see if that would clear it,but it never, i new it was a virus so i downloaded emsisoft anti malware and it found virus.win32nimnul!ik i have done several scans and each time i have put it in quarantine but it gets removed from quaranteen,ive also deleted it several times but it keeps coming back, im by no means an expert with computers so any help would be greatly appriecated ,many thanks

More replies
Relevance 62.32%

Hello!

I am encountering this problem this past weeks. It seems that something is creating a virus over and over again on my system. I run a Malwarebytes fullscan and my AntiVirus is Avira premium but to no avail the problem keeps coming back.

My Antivirus blocks this kind of virus(12.exe,96.exe,36.exe,igfxdkp2.exe) over and over again in different intervals.

Malwarebytes also detect 3 infection but after i restart the infection is back again.

I hope someon can help me

Answer:Virus keeps coming back and cannot detect the root of it

Hello, I moved you to the Am I Infected forum as you didn't post a DDS log that is required there. So lets do this next and see what we have here.Is this XP or another and what Antivirus is installed?Please post your MBAM log.The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.Next run an Online scan....Please perform a scan with Eset Online Antiivirus Scanner.This scan requires Internet Explorer,Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.Click the green button.Read the End User License Agreement and check the box: Check .Click the button.Accept any security warnings from your browser.Check Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)Click the Start button.ESET will then download updates for itself, install itself, and begin scanning your computer.If offered the option to get information or buy software at any point, just close the window.The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and win... Read more

6 more replies
Relevance 62.32%

Hi,I am no novice to removing malware, but every once in a while I am completely at a loss, and I have three infected client PCs right now that have me beat. I will post them in seperate threads.This one starts itself in WinLogon, and I can start from a CD to access the hard drive and delete the file in questions (which is set to hidden and read-only and system), but when I restart another file has taken the place of the first one.The WinLogon registry entries change, too. I have come across these so far:Web Check (maybe without space)Controls FolderReliabilityShell ExtensionsShellScrap (no space) - I gave up after this one, and the file name is ppdrv.dll. ShellScap appears to be the name of another virus which doesn't fit the symptoms here, though.Internet on that PC is broken.I used HiJackThis to weed out everything else.On most PCs I can use Process Explorer (Sysinternals) to go into WinLogon and kill the bad process, but on this PC (and some others) I don't get a file name for the process in the Thread tab, but only a memory address, so I have no way of knowing which one to kill.But even if I could kill it and remove the file, something else must still be started with Windows that restores a new WinLogon entry with a new file.I will go back to that person on Monday, but I will only have this one day left to fix it, so I need all the info I can get before I go there.Here is the original HJT log that I made before I made any changes. The PC was started in Safe Mode CMD Prom... Read more

Answer:Virus Keeps Coming Back - Winsync Qoologic

This is number 3 that I encountered today. I have had this one before on a client's PC ages ago, but can't remember how I got rid of it.

The main thing to identify it is that it starts salm.exe, but the file doesn't show up either in Explorer or CMD or even when started from a CD that has NTFS access.

I tried the Symantec tool for 180Search (I think), but had to leave the client right after that (no idea if it worked). I will go back on Monday and would like to be ready for it.

I know how to use HJT, Process Explorer, KillBox etc. and Regedit, and I'd rather get rid of something manually or at least know how it's done in case an automatic removal program doesn't do the trick.

I tried removing the files while starting from a CD, but the files don't seem to exist, even though they show in HJT as being started and NOT as file missing. I am fluent in CMD prompt and know how to search for hidden files, but with no success here.

Where could these guys be hiding so I can't find them?
How can I find the files?
Are there other Registry entries that HJT doesn't detect that allow files to be started?

Sorry I have no HJT log - I had to leave in a hurry...

Thanks!

8 more replies