Computer Support Forum

Vundo virus coming back?

Question: Vundo virus coming back?

Hi I had my securtiy program AVG pickup a vundo trojan 2 days ago. I used combo fix to try an eliminate the problem and it deleted about 12 files and the computer is back at normal speed for now.When my AVG software ran again today it pickup 2 new threats. One .sys file, and one .dll file:Win32/cryptorGeneric10.allgThey are showing up as _restore enteries. Did I not have the virus completely removed and it is trying to reproduce itself?Thanks,Here is my hijack this log. How do things look?Logfile of Trend Micro HijackThis v2.0.2Scan saved at 03:29, on 2009-01-22Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\svchost.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeC:\WINDOWS\Explorer.EXEC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\Samsung\PanelMgr\SSMMgr.exeC:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exeC:\WINDOWS\system32\lexpps.exeC:\Program Files\DellSupport\DSAgnt.exeC:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\palmOne\Hotsync.exeC:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exeC:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXEC:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.datC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blankR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/mywayO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dllO2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dllO2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dllO4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exeO4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUPO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startupO4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorunO4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startupO4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exeO4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exeO4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exeO4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exeO4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exeO8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: PUFLITE - http://michaelpavone.point2agent.com/Colpa...rol/PUFLITE.CABO16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://abmls.mlxchange.com/Control/FileCruiser.cabO16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://abmls.mlxchange.com/Control/Specfile.cabO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cabO16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cabO16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase6662.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120459789584O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cabO16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://abmls.mlxchange.com/Control/LiteGrid.cabO16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/5.0.02.16/Control/IRCSharc.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {9AD9B5EB-F9E0-47D4-B20F-C29D58C6F5E1} (IndeXMap Class) - http://alta.registries.gov.ab.ca/SpinII/cabs/WayToIndex.CABO16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://abmls.mlxchange.com/Control/AspCustomCtrls.cabO23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exeO23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exeO23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exeO23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXEO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exeO24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/PAVONE~1.PRO/LOCALS~1/Temp/msoclip1/01/clip_image002.jpg--End of file - 10861 bytes

Relevance 100%
Preferred Solution: Vundo virus coming back?

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

Answer: Vundo virus coming back?

The problem is that the infection is in your system restore files. Its not trying to get back in, but if you have to use system restore it would be. Here is how to get rid of that,Disable and Enable System Restore. If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.Here are some good tutorials for that. Windows XP System Restore Guide Reboot Re-enable system restore with instructions from tutorial aboveCreate a System Restore PointGo to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.After you do that, do a complete scan with your tools that you have and see what they say. If they show anything other than tracking cookies, post up the logs.

2 more replies
Relevance 86.1%

Hi, new here. I'm posting because my computer started getting hit with random pop-ups, again, mostly whenever I'd run Mozilla Firefox. I ran Malwarebytes and found about 13 infections of the Trojan.Vundo.h virus. I was able to remove most of the files after the scan and some files after rebooting, however, I'm still concerned there might be some trace of the virus left getting through a backdoor of some sort.
DDS (Ver_09-09-29.01) - NTFSx86
Run by Marc Ravelo at 12:36:15.10 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.218 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! antivirus 4.8.1356 [VPS 091009-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin... Read more

Answer:Trojan.Vundo virus - keeps coming back

Hello JSpayde,I (as well as MicroSoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause:1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.Therefore please go to add/remove in the control panel and remove one of these. AVG Anti-Virus Free or avast! antivirus. ******************Download Security Check by screen317 from here or here.Save it to your Desktop.Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.A Notepad document should open automatically called checkup.txt.Please post the contents of that document. ****************** Download random's system information tool (RSIT) by random/random from here and save it to your desktop.Double click on RSIT.exe to run RSIT.Select Files and Folders created in last 3 monthsClick Continue at ... Read more

2 more replies
Relevance 72.98%

Hello. I first found Vundo on Saturday, April 11. I left my email client (Thunderbird) open for a few hours and came back to loads of popups. I tried calling Microsoft, and they assisted me with removal - or so I thought. Afterwards, I installed every Windows update, bought and installed Trend Micro's Internet Security Pro, and started scanning with Malwarebyte's Anti-Malware twice a day, at least. Every day since then I have found instances of Vundo (depending on which I use first, my Antivirus or MBAM). Each day it has a different name, too. It started out with Vundo.H, then Vundo.HGO, and today, I have Vundo.V. Finally, last night I ran a Kaspersky scan, and it found two files that I had never seen mentioned before - a trojan-downloader.Win32.fraudload.edj and packed.win32.Mondera.c. I can't locate these files, and neither can any of the other programs. Here are the requested files: DDS.txt and my Kaspersky log (041609KOS.txt), and the Attach.txt file. Thank you so much for your help.DDS (Ver_09-03-16.01) - NTFSx86 Run by Jen at 12:33:38.40 on Thu 04/16/2009Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.443 [GMT -4:00]AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated)FW: Trend Micro Personal Firewall *enabled*============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC... Read more

Answer:Vundo Keeps Coming Back

Please download The Comedian.exe to your desktopDouble click the program to run it. It will only take around several minutes to run.It will do a series of tasks and tell you when each one is finished.You will be prompted to press any key after each stepWhen it is done it will close and exit itself automatically.You can delete The_Comedian.exe once it is finishedNEXTPlease download Malwarebytes' Anti-Malware from HERE or HERENote: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"Double Click mbam-setup.exe to install the application.Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.If an update is found, it will download and install the latest version.Once the program has loaded, select "Perform Full Scan", then click Scan.The scan may take some time to finish,so please be patient.When the scan is complete, click OK, then Show Results to view the results.Make sure that everything is checked, and click Remove Selected.When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.Copy&Paste the entire report in your next reply.Extra Note:If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfec... Read more

21 more replies
Relevance 72.98%

Vundo Keeps coming back

OS:Windows XP, SP3

Hi,
I was forwarded from "http://www.bleepingcomputer.com/forums/t/203107/after-windows-update-multiple-program-errors-pc-restarting-on-its-own/" to post here.... That thread kinda died... anyway...

Over the past month I've found multiple instances of Vundo, and things seem to be getting worse.
Every time I try to clean my system, Vundo keeps coming back - even if I dont do any browsing.
Most recently, i've been experiencing applications freezing (Firefox, McAfee, Warcraft3)
The system has also crashed mid-scan using McAfee several times, but not lately.
I'm unsure if these problems are related to the Virus or other system issues - I figure get rid of the virus first and troubleshoot the rest later.
My system is fairly new (Dec 08), it came with McAfee Enterprise installed. I also installed the free version of Spyware Doctor on my computer.
Neither of which seem to be able to remove the Virus, and at times can not even detect it.

I've started to notice that sometimes McAfee is disabled after restarting the computer; I hadn't changed any settings for that to occur.

I've tried using Malwarebytes Anti-Malware as well as SUPER Anti-Spyware, both of which are doing a better job of finding and clearing traces of the virus (compared to McAfee). Also tried VirtumundoBeGone and in haste, ComboFix.

VirtumundoBeGone found no traces, and Combofix didnt do anything noticable.

Please help!
Let me know if there are any logs or reports you ... Read more

Answer:Vundo Keeps coming back, not sure what to do

Well the best we can do is get an MBAM and perhaps a SUPER Anti-Spyware log to start with.Open MBAM in normal mode and click Update tab, select Check for Updates,when doneclick Scanner tab,select Quick scan and scan.After scan click Remove Selected, Post new scan log and Reboot into normal mode.

3 more replies
Relevance 72.98%

Hello,

I've been trying now for 3 days to remove this (and other) trojans, etc. from my system and although it can be detected and allegedly removed using Spybot or Malwarebytes' Anti-Malware, it reappears each time my computer is rebooted. I'm running XP.

I'm starting to have problems with my passwords...don't know if it's related, but some of my online billing sites are suddenly not accepting my passwords and also Outlook is asking for a pw for my email and when I enter it, it's not accepted. HMMMMMmmmmm....

Any help will be tremedously appreciated. I need to get my taxes done!

Here is my HJT log from today:

~~~~~~~~~~~~~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19:21 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\WINDOWS\system32\W... Read more

Answer:Vundo.H keeps coming back

I see that you're advertising STOPZilla. I've been reading that it's malware. What gives?
 

2 more replies
Relevance 72.98%

Hi,

I keep removing Vundo virus infection with different tools but it keeps coming back.

The computer is so slow at this point it makes it hard to do any troubleshooting.

Any suggestions would be appreciated.

Thanks,
-Lite
 

Answer:Vundo Keeps Coming Back

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

READ & RUN ME FIRST. Malware Removal Guide
 

1 more replies
Relevance 72.98%

I have a computer which keeps getting Vundo, and other viruses such as win32/TrojanDropper.Agent.DGO,win32/PoebotTrojanProxy.RankyQhost.AEII have Nod32 installed which detects all these and says its removed.I have ewido/AVG Anti Spyware installed.I have also disabled system restore, made sure nothing in msconfig is running on startup and also cleaned all the ones out of HijackThis.I have other computers on the network which i have scanned for variances of these viruses but none have any.I have also ran VundoFix, ComboFix etc on this computer, Which cleans it, then works ok for a few hours and then they return again - (while doing this) making sure the network connection is unplugged.Router is secure, has all firewalls on no ports unblocked etc.These viruses also disable my Spyware/Anti-Virus so i have to reinstall.Any help would be appreciated.Here is my Current HijackThis Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 16:11:59, on 15/01/2008Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC: ... Read more

Answer:Vundo And Many Others Coming Back - Please Help

Hello and welcome to BC.
Apologies for the long delay in response. We have a large number of HijackThis logs to handle and it?s taking us longer to catch up. If you haven?t received help elsewhere already and still require assistance please post a fresh HijackThis log and I?ll be happy to help you.

Thanks for your patience.

2 more replies
Relevance 72.16%

Hi,

I have norton anti-virus installed on my machine and it keeps on saying that I have trojan.vundo, trojan.vundo.b, downloader, and trojan.Metajuan. It says that it is deleted and needs to reboot but after I reboot my machine, those viruses keep coming back again. I already tried Symantec removal tool FixVundo.exe, VundoFix.exe, VirtumundoBeGone.exe. I also followed the instruction on turning off the system restore, boot in safe mode, and all other stuff. This is very annoying and I have been dealing with this for several days already. And I think my machine is getting worse. I keep on getting pop up windows, buffer overrun which closes other application like windows explorer, and now when my machine starts, it stays blank until I hit ctrl+alt+del to go to task manager and run the process explorer to display my desktop. But I'm afraid that it is doing something serious on my computer. I hope someone can help me asap. Please. Please find the texts from main.txt below and I also attach the extra.txt.


Deckard's System Scanner v20071014.68
Run by sherwin.cua on 2008-02-29 10:59:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 4 Restore Point(s) --
4: 2008-02-29 15:59:23 UTC - RP4 - Deckard's System Scanner Restore Point
3: 2008-02-29 01:... Read more

Answer:Trojan.Vundo keeps coming back

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

If you already have HijackThis installed, please skip this step.

Download HJTInstall.exe to your desktop.
Doubleclick HJTInstall.exe to install HijackThis.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Save it to a convenient location.

Don't use the AnalyseThis button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Step 2

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.
On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
Click on the Run Cleaner button at the bottom right hand corner.
When the cleaner has completed, click Tools in the Left Pane.
Verify that Uninstall is highlighted in color, or click on it.
In the lower right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt.
Click Save, then exit Ccleaner.

Step 3

Please visit this webpa... Read more

9 more replies
Relevance 72.16%

OS is Win XP Home with SP3 and McAfee identifies and quarantines Vundo!grb but it keeps coming back. McAfee shows original locations as C:\WINDOWS\system32. File names are random with .dll or .tmp extentions. I'm experiencing pop ups that usually advertise some type of virus scan software and have had the computer freeze a couple of times in the last three days. I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it?
Here is the DDS.txt copy:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bob Swanson at 9:14:21.45 on Fri 03/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2884 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmo... Read more

Answer:Vundo!grb trojan keeps coming back

Hello and welcome to TSF

You may wish to subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

-------------------------------------


Quote:




I use Carbonite for backup and to my knowledge do not have any P2P software installed. My son has downloaded music off of a friend's CD -- could that have been it




That can always be a possibility but there are many different ways you can get infected now a days. P2P is just one of many different ways sadly

---------------------------------------

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See this link for instructions on how to do this:
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Please include the C:\ComboFix.txt in your next reply for further review.

19 more replies
Relevance 72.16%

Okay so a few days ago I accidently clicked a link on a website and starting right then, viruses started showing up on my computer (windows xp operating system). I have McAfee security and it has been constantly detecting and quarantining them. Even the time between subsequent scans is enough for more of the viruses to be detected. This problem is really bothering me and I would really like it to be fixed. I ran that hijackthis program that you suggested and here are the results:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:22:16 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Pr... Read more

More replies
Relevance 72.16%

I have tried running malwarebytes, in safemode and normal mode. MB sees it and removes it and request a reboot. However, it keeps coming back. I will post a hj report in the morning
 

More replies
Relevance 72.16%

I have been reading post on here for two days and have saw that everyone needed to run these....HiJackThis, Vundofix, and Combofix. I tried running the Super Antispyware but it says that it cannot be verified and will not let me run it. I ran these and have the logs and would greatly appreciate it if someone could tell me what to delete off the logs. I ran the Vundofix yesterday and had some files that needed to be removed and it did. I didnt have a problem with McAfee security warnings all evening. So I get on the computer this morning and McAfee said I had Vundo again. I believe I understood this correct when it says only one problem per new thread. If not I appologize as I know there is a bunch of Vundo threads going on. Thanks for your help!!!
Logfile of HijackThis v1.99.1
Scan saved at 8:42:14 AM, on 6/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.... Read more

Answer:Solved: Vundo.dll keeps coming back

16 more replies
Relevance 72.16%

My son picked up vundo about 10 days ago. After first using spypot s&d, repeatedly and various vundo removal tools, found the post on this site and followed all procs at http://forums.majorgeeks.com/showthread.php?t=35407.
Within a few days problems had resurfaced so I went through the recommended sequence again and am attaching logs. Hope that I am using correct protocol. Instructions made it slightly unclear if I should create new thread or post to one with comparable name. Programs were run in recommended order. Thanks.
 

Answer:Vundo keeps coming back; tried all MG recs

Welcome to Major Geeks!

First you must disable Spybot's Teatimer. See this: How to disable Spybot's TeaTimer

Now put your PC into Normal Startup mode using MSconfig as requested in step 1 of the READ & RUN ME.

Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 4


Now we need to use ComboFix

Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
If it is not on your Desktop, the below will not work.

Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
Open Notepad and copy/paste the text in the below quote box into it:




KILLALL::

NetSvc::
ojjpxzer

Driver::
ojjpxzer
jgameenp

FileLook::
C:\WINDOWS\twain_32.dll

File::
c:\windows\Tasks\At1.job
c:\windows\system32\ukrehgh.dll
C:\WINDOWS\agatifigorey.dll
C:\WINDOWS\ibagawopik.dll
C:\WINDOWS\wedlgp.dll
c:\docume~1\TREVOR~1\LOCALS~1\Temp\jgameenp.sys
C:\Documents and Settings\Trevor Jackson\Local Settings\Application Data\33522309-CA17-4AFC-A5BC-E4421AAAFFDF.txt
C:\Documents and Settings\Trevor Jackson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

Folder::
C:\Document... Read more

3 more replies
Relevance 72.16%

Trojan.winfixer AND adware.vundo keeps coming back on my computer. I've deleted so many files its not even funny. I ran safe mode, put all hidden folders to "unhidden" and ran SUPERAntiSpyware Professional, I deleted the vundo files and restarted my computer normally. BUT...SUPERAntiSpyware detected it AGAIN for some reason. I've also tried VundoFix, Symantec FixVundo, Ad-Aware 2007, The new Spybot Search and Destroy...
Everything is up-to-date...
I've been up since 4 am trying to fix this problem and I am really frustrated. Please Help!!!
I posted my HiJackThis Log below

Logfile of HijackThis v1.99.1
Scan saved at 5:35:27 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.e... Read more

More replies
Relevance 72.16%

My computer has encountered some malware problems that just won't go away. It became infected with the vundo trojan, and I have tried using several programs to clean it numerous times. I have used Superspyware, Malwarebyte's Anti-Malware, and Avast antivirus, but the trojan keeps coming back (particularly the MS Juan-can't delete it from the registry). Initially I had popups when I was using firefox and then my computer would open the IE window. Currently I can't connect to the internet except in safe mode with networking so I haven't seen the popups although I am sure they are still there. Any help in getting rid of this pariah would be greatly appreciated! Below is my HiJackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:51 PM, on 12/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\sys... Read more

More replies
Relevance 72.16%

I have tried everything including Spyware doctor, mwam, spybot, sas ...

But there are 4 entries in mwam keep coming back
3 of Trojan.Vundo.H
1 of Disabled.securityCenter

Really appreciate your help... ...

DDS (Ver_09-03-16.01) - NTFSx86
Run by projectx at 15:03:44.95 on Wed 04/01/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2470 [GMT -4:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Cobian Backup 7\cbs.exe
C:\Program Files\Cisco systems\VPN Client\cvpnd.exe
C:\Java\jre1.6.0_11\bin\jqs.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\OpenSSH\bin\cygrunsrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\OpenSSH\usr\sbin\sshd.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Visu... Read more

Answer:Infected with Vundo, tried everything, kept coming back

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.comDDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Follow the instructio... Read more

3 more replies
Relevance 72.16%

I have been battling pop ups for two weeks now. Even as I am posting to this forum I geta few ads about Antivirus programs, nice scam.Norton Antivirus generates pop ups telling me a Downloader Trojan was quaranteened.Sometimes it tells me about Vundo being quarantinded, sometimes just a Trojan.The files it quarantines are: valera, lkjh and bixurst.dll.I scanned the disk and it never finds anything. It has the definition updates from 9/19/07.I read your preparation guide and followed it to the letter. Most of the programs found andremoved Vundo and a whole bunch of registry items.However, when I reboot after running one of these scans, the virus comes back.I think I have a virus that keeps retrieving new ones. If I could kill that virus, then I wouldknow how to fix the rest.Please help. I'd like to avoid reformatting and reloading the disk.Thank you!Here is a HighjackThis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 8:09:16 AM, on 9/23/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Installed\Lavasoft\aawservice.exeC:\... Read more

Answer:Downloader And Vundo Keep Coming Back

Welcome to the BleepingComputer HijackThis Logs and Analysis forum bower My name is Richie and i'll be helping you to fix your problems.Please move HijackThis.exe to its own permanent folder on the hard drive such as C:\HJT. Create a new folder and place HijackThis.exe inside that folder so that the backups of log changes it creates are saved in the same folder and can be used to reverse any line entry deletion if found to be necessary.How to create a new folder named HJT1. Click Start/My Computer,in the 'My Computer' window,open the window in which you want to create the new folder,click on Local Disk C:2. From the 'File' menu choose 'New'.3. From the 'New' menu choose 'Folder'.4. Type the folder name: HJT5. Then press Enter.If you need help with the above,follow the info in the link below:http://russelltexas.com/malware/createhjtfolder.htm*NOTE*If you have previously downloaded ComboFix,please delete that version and download it again from below. Download Combofix and save to your desktop:Note: It is important that it is saved directly to your desktop Close any open browsers. Double click on Combofix.exe and follow the prompts. When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang. Do NOT post the ComboFix-quarantined-files.txt unless I ask.Now go to: C:\HJT\HijackThis.exeRight click on Hijack... Read more

16 more replies
Relevance 71.75%

Hi - a few days ago I downloaded a file which I scanned first with AVG before opening. It showed as vius free, after opening all hell let loose. I had Spybot on the PC and it identified Smitfraud and Smitfraud C. I used the information on this forum to clean them. I still had problems which AVG could not fix so I downloaded Norton AV (free with BT broadband) unfortunately it forces you into removing Spybot.Since then the PC has improved but Nortons is still finding and repairing viruses but they keep coming back.I've attached a hijack this log for info. Any help would be much appreciatedThanksLogfile of Trend Micro HijackThis v2.0.2Scan saved at 20:40:42, on 12/07/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16674)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Prog... Read more

Answer:Vundo, Metajuan, Zlobgen Keep Coming Back

Hello Brian Fantana, and welcome to Bleeping Computer. I will be handling your log to help you get cleaned up.Please take note of the following:1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.2. The fixes are specific to your problem and should only be used for this issue on this machine.3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.5. Please reply to this thread. Do not start a new topic.Please give me some time to look over your log and I will get back to you as soon as possible.Thanks,htv8

15 more replies
Relevance 71.75%

Im newbie here. Found this site after a tiring search.

Here it is:

my desktop icons and taskbar are gone. i tried using the task manager's "ctrl-alt-del" but the desktop and taskbar would just appear for several seconds and then gone again.

SUPER ANTISPYWARE can detect and even remove them in safe mode (did this several times) but my pc will just run normally in only a matter of minutes.

My desktop and taskbar will disappear again immediately after windows defender pops up a notice that it detected changes in the settings.
I have nod32 installed but it cannot detect them. I have hijackthis.

what should i do? please help

Answer:Vundo Variant/resident Keeps Coming Back!

All kinds of unpredictable behavior happens when you are running 2 antivirus programs at the same time, and then an infection.Try going into safe modeand running a scan with nod from there, I would uninstall defender myself or totally disable it in vistapost the logs from nod and SAS pleasehttp://www.bleepingcomputer.com/forums/ind...mp;#entry811062also from this scan

7 more replies
Relevance 71.75%

I'm on a Windows XP computer with SP3. I had a more serious case of Vundo a few months ago, which I thought I was able to get rid of through a combination of MalwareBytes and VundoFix, but apparently vestiges, or just other similar viruses are taking its place. I get periodic IE popups about SpywareRemover2009. Each time, I scan with MalwareBytes to get rid of it-- there is almost always a Trojan.Vundo.H (and sometimes there are Trojan.BHO, Trojan.Agent, and Disabled.SecurityCenter, as in my most recent scan). It will be fine for the rest of the evening or day, and then the next morning the whole cycle starts again with more IE popups.

Lately my computer also bluescreens sometimes (bad_pool_caller) although I haven't done anything in terms of new hardware or software, so I wonder if it has to do with the malware. When that happens, I am unable to boot in regular or safe modes, and Last Known Good Configuration is corrupt, so I have to use the XP CD and Recovery Console to manually do a System Restore, which can usually get me back going... but, again, the viruses are still there.

In my HijackThis logs I definitely see things that shouldn't be there, but I just don't know how to get rid of it. I tried picking them and doing the "Fix Selected," but this usually ends up with my computer bluescreening the next time I start up, so I thought perhaps I should get some guidance on how it's supposed to be done.

Thank you in advance!

My DDS log is here:
DDS (Ver_09... Read more

Answer:Vundo/IE popups about SpywareRemover2009 keeps coming back

Hi My name is Extremeboy (or EB for short), and I will be helping you with your log.We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.If you do not make a reply in 5 days, we will need to close your topic.You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.Please take note of some guidelines for this fix:Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.Even if things appear to be better, it might not mean we... Read more

3 more replies
Relevance 71.75%

I don't go on questionable sites per se, I go on Facebook, Youtube, meebo, etc. and I'm not sure what triggers Vundo to come back. I've removed it several times with Malwarebytes, and I don't get annoying pop-ups or anything while I'm browsing. However, this has happened probably twice after I removed Vundo, I got a pop-up and had to remove Vundo via Malwarebytes. What are sites that trigger Vundo? Would it be sites with Java or Flash or something? Just not a fan of Vundo at all. Thanks :D

Answer:Vundo keeps coming back when I visit certain sites...

Hackers, malware writers and attackers have a variety of motives for installing malevolent software and use various methods and techniques to spread their malicious programs: Who Writes Malicious Programs and Why?Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware and is often seen with SmitFraud and Vundo infections. SmitFraud is a generic description for a family of rogue applications/trojans such as Win32.Zlob which comes disguised as a fake codec that installs other malware or rogue security products like SpySheriff. Vundo is a Trojan that infects a system with malicious Browser Helper Objects and .dll (Dynamic Link Library) modules attached to system files like Winlogon and Explorer.exe. These infections are responsible for launching unwanted pop ups, advertising for rogue antispyware programs, and downloading more malicious files which hampers system performance. Many variants typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System. The problem with these types of infections is that they can download other malicious files s... Read more

1 more replies
Relevance 71.75%

Who knows how or when, but my computer is infected with Vundo.
I run XP Home w/SP2.
Kasperskey Internet Security 2010 (30 day trial) seems to be woefully unaware of this (beyond blocking some attempted popup windows) , but Malwarebytes finds it and cleans out the "randomletters.dll" files every time.
The thing is, it keeps coming back!! The first time it was Vundo.H but now it just comes up as Vundo in Malwarebytes. I read a few threads others posted here about Vundo issues, but those were very system specific fixes.
So. Help?
I already went through a 6 hour process of backing up all of my data (photos, music and documents), but I would reaaaaally rather not have to run the Recovery console if I can avoid it. (this is an old HP and I don't have recovery disks and can't afford to buy them)
I've also become aware that it looks like a *bunch* of Windows security updates (from 2004 and 2005) were never installed and I don't know how to go back and install them. They were downloaded but then failed to install, so I can't get Windows Updater to show them to me again through the "Restore hidden updates" option. (This was someone else's computer they gave to me, and I had no idea that the updates were never installed)
I'm wondering if Vundo is getting in because of this?
I don't want to install SP3, I'm afraid of it causing problems that I've read about.
 

Answer:Vundo keeps coming back after Malwarebytes removes it

11 more replies
Relevance 71.75%

Logfile of HijackThis v1.99.1Scan saved at 9:40:57 AM, on 4/12/2006Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\SNDSrvc.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\Program Files\Java\j2re1.4.2_03\bin\jusched.exeC:\Program Files\Intel\Modem Event Monitor\IntelMEM.exeC:\Program Files\Dell\Media Experience\PCMService.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\System32\PRISMSVR.EXEC:\Program Files\BillP Studios\WinPatrol\winpatrol.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\QuickTime\qttask.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCS... Read more

Answer:Ssttr.dll, Ddayv.dll, Vundo Keeps Coming Back

Hello Merriwell and Welcome to the Forum Please download vundofix.exe to your desktop. Double-click VundoFix.exe to run it. ? Click the Scan for Vundo button. ? Once it's done scanning, click the Remove Vundo button. ? You will receive a prompt asking if you want to remove the files, click YES ? Once you click yes, your desktop will go blank as it starts removing Vundo. ? When completed, it will prompt that it will shutdown your computer, click OK. ? Turn your computer back on. ? Please post the contents of C:\vundofix.txt and a new HiJackThis log

24 more replies
Relevance 70.93%

adware.vundo keeps coming back + windows keep shuting down
not a clue can someone help please i think removed adware.vundo
but still windows keep shuting down

here is my hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:20:16, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\X3watch\x3watch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\alg.exe
C:\W... Read more

Answer:adware.vundo keeps coming back + windows keep shuting down

Hi Welcome to TSG!!
Please visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
 

1 more replies
Relevance 70.93%

Hi Jack,

I have Windows XP Professional SP2 and I keep getting popups in IE7 for ADs. They open in full new IE7 windows. Then when I go into safe mode it keeps restarting safe mode every 6 seconds or so.

I installed Kasperksy and it keeps blocking this

detected: Trojan program Trojan.Win32.Agent.bck URL: http://82.98.235.78/netob/valera.exe?uid=C3EF090E71EF11DCAD13F67908FAFFFF&guid=101E

I ran adaware and can't run spybot anymore.

When I run "VundoFix.exe" it usually finds about 3 dll files which names seem to constantly be changing. For example you can see one in this log called "cmulnmik.dll"

I delete these then these files usually come back with different names. I cleaned all my temp items. I did find mdengine.dll in my local files temp and I removed because I think I read that is a bad file, I am not sure if that's related.

Any help would be appreciated. Thanks
Heres is my Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 1:03:16 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe... Read more

Answer:Solved: Can't remove possible Vundo or valera dll's keep coming back

8 more replies
Relevance 70.11%

Greetings folks,

I'm at the end on the line for my attempts to fix my PC, so I logged into here to find some help.

Ive run vundofix - states that its successful in removal after reboot (new scan doesn't show it)

MS Mal Software removal tool to pull the trojan, but they both keep returning after I launch Explorer 7. Running XP Pro - the following is my log, anybody see something that could be an issue?

Thanks in advance for any help!!
 

Answer:Solved: Hijackthis log - Win32/Rbot.gen!A and Vundo keep coming back

6 more replies
Relevance 70.11%

I accidentally posted this in "am I infected, what do I do".. but am new to this.. so I posted this one here.last night I encountered some popup problems, (I use firefox now) on my xp computer..so I ran both mbam and suprerantispyware.. both coming up with vundo files, and trojans, after deleting and rebooting twice, it seemed like everything was alright. until I opend up the computer this morning... and I did a rescan of everything and it seems like it keeps coming back and returning upon restart.although there are no more popus like their were last night.any help?! please! I hear vundo is hard to delete. I'd appreciate any quick responses on how to remove completely.thanks!!!here is the last mbam full scan from last night:Malwarebytes' Anti-Malware 1.31Database version: 1607Windows 5.1.2600 Service Pack 21/4/2009 1:15:34 AMmbam-log-2009-01-04 (01-15-34).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 196740Time elapsed: 1 hour(s), 0 minute(s), 12 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 3Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.... Read more

Answer:vundo, trojans, adware, rogue installers. keeps coming back.. please help!

Hello.I have replied to your topic in the Am I Infected Forum here. Please continue the discussions in the topic above. If we are unable to resolve your problem there, you will be asked to post in this forum.This topic is now closed.With Regards,The Panda

1 more replies
Relevance 70.11%

last night I encountered some popup problems, (I use firefox now) on my xp computer..so I ran both mbam and suprerantispyware.. both coming up with vundo files, and trojans, after deleting and rebooting twice, it seemed like everything was alright. until I opend up the computer this morning... and I did a rescan of everything and it seems like it keeps coming back and returning upon restart. although there are no more popus like their were last night. any help?! please! I hear vundo is hard to delete. I'd appreciate any quick responses on how to remove completely.thanks!!! here is the last mbam full scan from last night:Malwarebytes' Anti-Malware 1.31Database version: 1607Windows 5.1.2600 Service Pack 21/4/2009 1:15:34 AMmbam-log-2009-01-04 (01-15-34).txtScan type: Full Scan (C:\|D:\|)Objects scanned: 196740Time elapsed: 1 hour(s), 0 minute(s), 12 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 3Registry Values Infected: 1Registry Data Items Infected: 0Folders Infected: 0Files Infected: 5Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4ea9b44-78f3-4bcf-b55d-51cdfc05fed7} (Trojan.Vundo.H) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{b4ea9b44-78f3-4bcf-b55d-51c... Read more

Answer:vundo, trojans, adware, rogue installers. keeps coming back.. please help!

Hello belezaj16.What antimalware programs are installed on this computer, please? Do you have an antivirus, or other program that provides realtime protection?I suspect you are being reinfected because you lack these.With Regards,The Panda

22 more replies
Relevance 66.83%

So I am another victim of the evil Vundo virus. My Avast found it, then I did a number of virus removals, checks, etc. using ad-aware, spybot, avast, and vundofix (which I have run 3 times and it does not detect any files...). However, two things keep happening that bother me. First, every time I start my computer, I get the notifications of 'registry changes' via the spybot. Only when I allow it does it stop happening. Then avast keeps alerting me to new vundo virus alerts, all with differerent dll extensions, which I have 'moved to chest'. I think I've had to do this about 20+ times now...
The computer also seems to be running more sluggishly than normal as well.
I think something is still wrong and from reading other postings on this site, I think there must be something still going on in the registry. So I have run hijack this and am posting this to see if there is something here (or elsewhere) that I need to do to fix this once and for all (grr...). Hijack this also keeps popping up a window that says my 'system is denying access..." Thanks to anyone who can help with this one!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:49 PM, on 5/20/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAno... Read more

Answer:vundo virus keeps on coming around....

Hi Welcome to TSG!!
Please download Malwarebytes Anti-Malware from Here or Here
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy the entire report and paste it in your next reply with a new Hijackthis log.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
 

3 more replies
Relevance 64.78%

Here's the Hijack This! Log and Malewarebytes following it:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:57 PM, on 11/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Edit by chaslang: Inline HJT & MBAM logs removed. READ & RUN ME sticky not followed.
 

Answer:Trojan.Vundo.H, Trojan.Vundo, and Trojan.Agent keep coming back

Welcome to Major Geeks!

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.
READ & RUN ME FIRST. Malware Removal Guide

If something does not run, write down the info to explain to us later but keep on going.

Do not assume that because one step does not work that they all will not.
Notes:
If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode. You can run steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools on another PC and burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.

 

1 more replies
Relevance 64.78%

I hope that this is in the right section but I am having a problem with my computer. I can constantly hear programs running in the background. I currently have two anti spyware/malware installed on my computer. One is SpyHunter and the other is CyberDefender. They both are picking up on some virus called Vundo and everytime I delete it, it just comes right back. It is so frustrating surfing the internet because it freezes or moves extra slowly. Figured I'd ask you guys before I take a hammer to it lol.

Thanks

Answer:Windows XP SP2 running slow, virus protection catches it but the virus keeps coming back

Hello,i am moving yjis to the Am I Infected forum from XP.Please disable those apps while we do this.Next run MBAM (MalwareBytes):NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Quick Scan" option is selected.Then click on the Scan button.If asked to select the drives to scan, leave all the drives selected and click on the St... Read more

9 more replies
Relevance 64.37%

Hello I've been battling with this fake AV for a while now and I just discovered that Windows Firewall is putting out this error code when I try to restore it, 0x80070424. I am using AVG 2012 as a anti-virus program and running Windows 7 Home Premium SP1 64-bit. If anyone can help me with this I would be forever grateful.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Cole at 12:53:54 on 2011-12-26
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.6062.2980 [GMT -5:00]
.
AV: Trend Micro Titanium Internet Security *Disabled/Updated* {68F968AC-2AA0-091D-848C-803E83E35902}
SP: Trend Micro Titanium Internet Security *Disabled/Updated* {D3988948-0C9A-0693-BE3C-BB4CF86413BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k Loc... Read more

Answer:Windows Firewall fails to start and this fake anti-virus virus keeps coming back!

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434544 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

9 more replies
Relevance 63.96%

Hello,
I have a problem ,which ive tried to fix serveral times but it keeps coming back.
This virus is located in Systems 32 folder, Pc Cilling 2005 identified it as TROJ_ROOTKIN.N . Ive gone
to safe mode, deleted it, returned to windows and the virus reapeared, wats more it clogs up Pc Cillin, so now under quarantine i have 100+ instances of this virus, and its increasing.
The virus is labelled hpr34k8

Im sure my Hijack Log is fairly clean... -------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:27:53 PM, on 14/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin... Read more

Answer:Virus that keeps coming back and back and back, so on

bump, hopefully someone takes notice

19 more replies
Relevance 63.96%

I have a Toshiba laptop that back in March I had a virus and went to to a local PC store and had the virus removed.  A few months later the virus came back and I had a friend remove that virus and all was well for about a week when the virus came back once again and was removed and seems to be removed right now.  I am afraid this is going to happen again and want to know if you can check the HiJack This log here to tell me if there is something seen that I am not able to identify as a virus.  I did use the self help scan tool but I dont really know what I am looking at.  The scan is here http://www.computerhope.com/cgi-bin/process.pl?o=20192628.I run McAffee AV on this laptop along with MalWareBytes and MS Windows Defender.  I did updates and scans to each one of them 2 nights ago both in normal mode and in safe mode and none of them are returning any bad files, however, I am reluctant as this has happened three times now.  I am wondering if there is a hidden rootkit file that the softwares are not picking.I run the following system:OS Name   Microsoft? Windows Vista? Home PremiumVersion   6.0.6002 Service Pack 2 Build 6002Other OS Description    Not AvailableOS Manufacturer   Microsoft CorporationSystem Name   CHARLENE-PCSystem Manufacturer   TOSHIBASystem Model   Satellite A305System Type   X86-based PCProcessor  &nb... Read more

Answer:Virus Keeps Coming Back

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. 1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.2. The fixes are specific to your problem and should only be used for this issue on this machine.3. If you don't know or understand something, please don't hesitate to ask.4. Please DO NOT run any other tools or scans while I am helping you.5. It is important that you reply to this thread. Do not start a new topic.6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.7. Absence of symptoms does not mean that everything is clear.If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line. *************************************************************************SUPERAntiSpywareIf you already have SUPERAntiSpyware be sure to check for updates before scanning!Download SuperAntispywa... Read more

12 more replies
Relevance 63.96%

Hi,Norton found the virus called Back door greybird.k on C:\windows\G_server_hook.dll.I logged on to the safe mode and deleted the G server. exe and dll file.But Norton keeps finding this virus. How can I clean the virus?Thanks very much. (Moderator edit: moved post to more appropriate forum. jgweed)

Answer:Virus coming back again and again

Symantec Security ResponseI'd recommend submitting a hijackthis log here.How to submit a hijackthis logDownload HijackthisTry running the following from safe mode (Getting to safe-mode) Sysclean you'll also need the virus template file from here lpt***.ziporDrWeb CureITIf your good with the command line also try Sophos Command Line scannerAlso try installing and running A2 Free and EwidoI'd also run Spybot and AdawareIf your using Win2K/XP run adaware/spybot from "safe mode with command prompt"At the C:\ prompt type the following:-cd\C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofixcd\C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

2 more replies
Relevance 63.96%

Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search) which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or anti virus programs I have can stop the reinfections.

I have gone into safe made, used CWShredder, CClean, Kill2Me, HSRemove and Stinger. Also RAVAntivirus online scan, Bitdefender online scan, AdAware SEplus and Norton Antivrus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used Hijack This to find and fix some other suspicious entries.

But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

Below is a recent Silent Runners report, followed by a HiJack This report:


"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NBJ" = ""D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead So... Read more

Answer:Virus Keeps Coming Back

16 more replies
Relevance 63.96%

hello

I have a virus Worm_RBOT.BCQ found on file C:\windows\system32\micront.exe

I have followed to the letter the removal instruction by Trend

I have deleted the file, deleted all Registry reference to this file, deleted all temp files and Bin , all in safe mode..

The virus seems to have been deleted. but when I connect to the net, after a while , virus is detected and all is back to square one..

Please Help!! how can I get rid of this Virus forever....

Thanx
Jadan
 

Answer:virus keeps coming back

10 more replies
Relevance 63.96%

I'm not sure whether it's a virus, trojan, spyware etc but I have something running on processes which takes up around 180k memory. Everytime I close the process it re-appears but as a different name... For example, as of now the process is called 'xsggsz.exe' but now I've closed it and it's re-appeared as 'vzdfme.exe'

I've used spysweeper, McAfee, Ad-Aware and system mechanic to try and get rid of it but it just won't budge.

I'd appreciate any help regarding this.

Thanks!
 

Answer:Virus That Keeps Coming Back!

go to http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm and click on



scan your pcClick to expand...

Panda has the most upto date scanner I've seen

also if you do not have a firewall - you really need one.
I've used the free version of zonealarm for a number of years, and never had a problem, except a couple of times when I turned it off to access a site (that was real dumb)
 

1 more replies
Relevance 63.96%

Hiwould like some help please, avg removes virus, but next day it is backRegardsDerekLogfile of Trend Micro HijackThis v2.0.2Scan saved at 18:24:19, on 02/11/2008Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16735)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Lavasoft\Ad-Aware\aawservice.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\sttray.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Canon\MyPrinter\BJMyPrt.exeC:\Program Files\Microsoft Office\Office12\GrooveMonitor.exeC:\Program Files\Java\jre1.6.0_07\bin\jusched.exeC:\Program Files\Microsoft IntelliPoint\ipoint.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files&#... Read more

Answer:virus keeps on coming back

Hello ziggyzig Welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay however we are all volunteers and it gets very busy around here. I will be assisting you from here on out.I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond the your topic and facilitate the cleaning of your machine.After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.Please perform the following:Please do an online scan with Kaspersky WebScannerClick on Kaspersky Online ScannerYou will be prompted to install an ActiveX component from Kaspersky, Click Yes.The program will launch and then begin downloading the latest definition files:Once the files have been downloaded click on NEXT
Now click on Scan SettingsIn the scan settings make that the following are selected:Scan using the following Anti-Virus database:Extended (if available otherwise Standard)
Scan Options:Scan Archives
Scan Mail BasesClick OKNow under select a target to scan:Select My Com... Read more

9 more replies
Relevance 63.96%

For the fourth time in the past few months, I have been experiencing strange pop-ups blocking my use of various programs. Twice, my IT dept. attempted removal of the virus, which looks like a virus warning from McAfee but will not allow removal or the use of the programs it is blocking. This time around it was blocking my use of Internet Explorer and Outlook.

A screen popped up and each time I tried to open the programs it would log a warning in the screen. The screen showed options for removing the items logged, however it would not respond to clicking any of the options and would only go away if I closed it out completely. If I did close it, as soon as I attempted to open those programs again, the warning would reappear. This is nearly identical to the last two or three times I have experienced this, with a couple weeks in between occurences.

I rebooted several times and recieved a pop-up message from Windows saying "Windows has recovered from a serious error." The third time I rebooted, it actually allowed me to open these programs without the warning. The first two times it would not go away. This has happened a couple of times prior, where that message seemed to temporarily fix my issue.

Is this a real virus that is hidden in my computer? What can I do to remove it completely?

Answer:Virus that keeps coming back

Hello can you run an MBAm scan and post a log back .. Let's see what it may show.Next run MBAM (MalwareBytes):Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link 1alternate download link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Quick Scan" option is selected.Then click on the Scan button.If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top... Read more

7 more replies
Relevance 63.96%

Combofix just restarts my computer and won't run and nothing can find the virus but it's there. It started as a fake antivirus, then when I deleted it it created win 7 antivirus 2011. I think I got rid of that one too, but now everytime I click any link it takes me to some random add page instead. I've already did a system restore from days ago and even that didn't work, but it stopped my problem with running .exe's from the win antivirus.

Answer:Virus just keeps coming back!

Hello having run ComboFix we need to see that and a DDS log.As you now see Combofix is not to be run like a commmon tool. It's why we post this above the malware forums.ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Please go here....Preparation Guide ,do steps 6 - 9.Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic,thanks.Skip the GMER step and instead post the ComboFix log you posted earlier.Let me know if that went well.

3 more replies
Relevance 63.96%

Hopefully I've included enough information and made this topic correctly...
 
Basically I had an issue where my microphone would mute itself, figured it was a virus, and ran malwarebytes. It found stuff, removed it, and everything worked fine... for about a few hours. A few hours later the same thing occurred, ran malwarebytes again and found the same thing: "dnsl64.exe" detected, along with other things that it appears to be downloading. No matter how many times I remove it it seems to come back, and googling dnsl64.exe popped up no results that I could find and then each scan (after a few hours) pops up a bunch of junk, even if I leave the computer idle. It also downloaded something that appeared to change my browser homepage to "search.snapdo.c*m" if that helps diagnose anything.
 
I've attached the MWB and FRST logs, hopefully they help diagnose what the problem is! Thank you in advance for any help, would really appreciate getting rid of this nasty thing.

More replies
Relevance 63.96%

So my computer got a virus from a game that I tried downloading. Avast! did a boot scan and got rid of it, but a day or two later, I got messages from Chrome that said I had a virus again, but of course those are usually scams. I did another scan, just to be safe, and Avast! found two items, got rid of them, and ran another boot scan, just to be safe.

Next day, I figured it had to be from Chrome because of the fact that I attempted to download the game from Chrome and was getting odd popups and such but IE wasn't doing that. So I deleted it. My friend suggested downloading Malwarebytes so I did that as well. It found two more Trojans and so did Avast! after a full system scan. Got rid of those as well and found they were gone afterwards.

I can't tell if my computer is infected again but earlier Malwarebytes apparently blocked a couple malicious websites, and since Avast! usually did that when the virus would come back, I ran another scan and found one thing, a YouTubeAdBlocker, I don't know if I wanted to get rid of that because an AdBlocker sounds like something I would want to keep and I heard that sometimes, Malwarebytes finds things that aren't really dangerous, but idk I am not an expert. I tried not to worry about it after that but I just want to be safe.

I am running two full system scans as we speak with Malwarebytes and Avast! to see if they will find anything that way since quick scans didn't find anything (except the AdBlocker again) and... Read more

Answer:Virus that keeps coming back?

Hi,
In order to help you, we need reports generated on your system. Please follow this topic and attach requested reports: http://malwaretips.com/threads/malware-removal-assistance-how-to-get-help.20334/
 

1 more replies
Relevance 63.96%

Running Malwarebyte's Anti-Malware and i get the same results everyday. I also get redirected when using google. My Malwarebytes results are:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

5/11/2009 6:25:05 PM
mbam-log-2009-05-11 (18-25-05).txt

Scan type: Quick Scan
Objects scanned: 134478
Time elapsed: 4 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\roger.spiller\protect.dll (Worm.Autorun) ->... Read more

Answer:Virus Keeps coming back

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Having problems with spyware and pop-ups? First Steps




link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Relevance 63.96%

Hello,

I am using a 64 bit version of windows vista. I have a virus on my computer that keeps coming back. Usually I am able to remove viruses on my computer using a combination or rkill, malwarebytes, and super anti spyware, but this specific virus keeps coming back, even after I clear it with malwarebytes. Also the virus wont let me update my malwarebytes software. I have tried to do a sytem restore, but everytime I click on the icon, i am asked to select a program to open system restore with, and I am not sure which program to pick. On my desktop there is a suspicious icon named system restore. Any help would be greatly appreciated.
Thanks

Answer:Virus keeps coming back

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

1 more replies
Relevance 63.96%

http://www.bleepingcomputer.com/forums/topic433509.html/page__p__2516707__fromsearch__1#entry2516707

Answer:Virus keeps coming back

Please follow the guidance in post number 2 in that topic.

1 more replies
Relevance 63.96%

My computer has been acting up and now a virus keeps appearing even though my virus scan deletes it when it appears. Now my desktop icons are changing and folders are missing. Please help. Thanks in advance to all who reply! Logfile of HijackThis v1.99.1Scan saved at 4:39:20 AM, on 8/31/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\LEXBCES.EXEC:\WINDOWS\system32\LEXPPS.EXEC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exeC:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\Explorer.EXEC:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exeC:\Program Files\QuickTime\qttask.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Messenger\msmsgs.exeC:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetMsg.exeC: ... Read more

Answer:Virus keeps coming back

Hi noobie_comp_geek,

Sorry for keeping you waiting.

If you still need help, please answer these questions:

- What's the name of the virus?
- Where (in wich file and/or folder) is the virus found?
Jan

1 more replies
Relevance 63.96%

Hi all,

Looking for a little help here. I have removed a virus now with ESET and malwarebytes and it keeps coming back. See the log below.

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Carrie Ann at 19:38:56 on 2012-04-03
Microsoft? Windows Vista? Home Premium 6.0.6002.2.1252.1.1033.18.3963.1965 [GMT -4:00]
.
AV: AVG Anti-Virus Free *Enabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
SP: AVG Anti-Virus Free *Enabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\agr64svc.exe ... Read more

Answer:Virus Keeps coming Back

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download aswMBR.exe to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start scan.
Wait until it says, 'Scan finished successfully'. ( Note - do not select any Fix at this time)
Click Save log, and save it to your desktop.
Click Exit.
Please post the contents of that log, aswMBR.txt, in your next reply.
There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Download tdsskiller.exe and Save it to your Desktop.

Double-click tdsskiller.exe and click 'Run'

Click 'Change parameters' then under 'Additional options' tick both boxes > OK.

Click 'Start scan'.

If no infection is found, click 'Close' and let me know.

If an infection is found, select 'Skip' from the dropdown menu under 'Cure' then ... Read more

10 more replies
Relevance 63.96%

It all started last week when my computer contracted Trojan.Nebuler. My copy of Norton could'nt get rid of it so I downloaded various so called fixes. In the end I had to manually delete the trojan following the instructions on symantics web site - but that was when the fun really began. All sorts of pop up software has been appearing e.g. SysProtect, Drivecleaner and adult sites. Plus the computer has slowed down to a crawl. I have scanned my machine using Norton and AVG and Trend Housecall. And although they find new viruses, and remove them, they keep on coming back. I also downloaded and installed a Registry cleaner - to see if this would speed the thing up a bit, hope i havent deleted anything important (although it says I can recover the lines I have deleted). Can anyone help - here is the hjt log.


Logfile of HijackThis v1.99.1
Scan saved at 10:05:18, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program F... Read more

Answer:Virus keeps coming back!

16 more replies
Relevance 63.96%

Hello, a few weeks ago I had alerts from ThreatFire saying that "c:\2F2FE1D9C8463A4E6C7466B1CF9E03AD\MPSIGSTUB.EXE"was trying to modify another program, copy itself to multiple locations, I clicked ignore to these after looking it up, and finding out that mpsigstub.exe was related to windows malicious software remover. When I  tried to look inside the folders, they renamed themselves. I started to panic when I found out that its normally in the system32 folder, so my friend came round to help me delete it and remove the registry changes it had made. I know that was a virus, but I'm not sure about these: Not so long ago a very similar directory had been created again, this time with stub.exe in it. I deleted them, and ran an anti virus scan. C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report09186521\WER11A7.tmp.hdmp and C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report11188777 were infected and quarantined . stub.exe was also trying to modify other programs etc. Just today I found two more directories with similar names, such as 70d953ce1268e4d3b8, with eventlog.txt in them. I haven't got any warnings as far as I know, so I want to know if this is the same virus, or even if its actually a virus at all, and I'm just being paranoid. Thanks in advance  PS. I also had a process called conime.exe, I looked it up, and its to do with using an Asian language. Apparently, if this is running while you aren't using an Asian language... Read more

More replies
Relevance 63.96%

Hello,

I have been using Kaspersky and it has been finding this. Even after deleting it, it still seems to come back. Below are pictures which may help.






I didn't download AVG since I had those pics posted above. Hopefully this is okay. I appreciate very much in advance any help that may be given.

I am interested in knowing what in the world this thing is!

-MDB
 

Answer:Possible virus...keeps coming back!

Welcome to MG's!

Something didn't go right, let's run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

Before running the above, you MUST shut down ALL antivirus and antispy programs you have running.
 

1 more replies
Relevance 63.96%

Logfile of HijackThis v1.99.1Scan saved at 9:56:14 PM, on 3/4/2005Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Common Files\Symantec Shared\ccSetMgr.exeC:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\Norton AntiVirus\navapsvc.exeC:\Program Files\Norton AntiVirus\SAVScan.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exeC:\WINDOWS\System32\wsys.exeC:\WINDOWS\System32\hkcmd.exeC:\Program Files\Java\j2re1.4.2_06\bin\jusched.exeC:\Program Files\ScanSoft\PaperPort\pptd40nt.exeC:\WINDOWS\system32\wsxsvc\wsxsvc.exeC:\WINDOWS\system32\vmss\vmss.exeC:\WINDOWS\system32\ykyogu.exeC:\WINDOWS\system32\lodbksuj.exeC:\WINDOWS\system32\xmsiaybg.exeC:\WINDOWS\system32&#... Read more

Answer:How do I get rid of my virus, cause it keeps coming back....

Now please Download LSPFix from:LSP-FixDisconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" Button and place all listings of c:\windows\system32\aklsp.dll and c:\windows\system32\dolsp.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section. Press the finish button.Then Reboot.To see a tutorial on how to use this program click the link below:Using LSP-Fix to remove LSP Spyware & HijackersPrint out these instructions and then close all windows including Internet Explorer.Then I want you to fix some of those entries. Please do the following:Please make sure that you can view all hidden files. Instructions on how to do this can be found here:How to see hidden files in WindowsRun Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.comR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blankR0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tagteamgirls.comR1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blankR0 - HKCU\Software\Microsoft\Internet Explo... Read more

1 more replies
Relevance 63.96%

i just wanted to noe if i was clean or not..
 

Answer:virus kept coming back

No you are not clean yet. I need the C:\MGLogs.zip --> from running the C:\MGTools.exe.
 

11 more replies
Relevance 63.96%

Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinFast\W\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program File... Read more

Answer:Virus keeps on coming back

Anyone?

4 more replies
Relevance 63.96%

There's a virus named wlzxha.exe in C:\WINDOWS\system32\ that keeps coming back after I delete it. The virus is "Downloader" according to Norton. It deletes fine (I've done it in safe mode) but it seems to come back after each restart.

I have already run a virus scan and spyware scan multiple times.
 

Answer:Virus keeps coming back

13 more replies
Relevance 63.96%

Hello, ago 2-3 weeks I got some viruses, i tried to delete them but they come back everytime..
The viruses are in 3 drivers (D,E,C) and also i got another virus named Backdoor.Agent
By the way I use Windows XP
Can somebody help me?

Answer:ms-dos virus keeps coming back

Hey?

7 more replies
Relevance 63.96%

I really need help. Whenever I scan with avast, it tells me there's a virus. I can't delete because it's being used by another program. So I got into safe mode and try to remove it. A while later after I deleted it and back into Windows, I scan again and it's back. It's always in the same place too:

C:\.....\Temporary Internet Files\Content.IE5\ZTNTM02A\movie[1]
HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:08 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Internet ... Read more

Answer:Virus keeps coming back

Anyone?
 

1 more replies
Relevance 63.96%

DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Michael at 19:00:59.98 on Sun 09/06/2009
Internet Explorer: 8.0.6001.18813
Microsoft? Windows Vista? Home Basic 6.0.6002.2.1252.1.1033.18.765.240 [GMT -7:00]

AV: Protection System *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\vds.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\ag... Read more

Answer:virus keeps coming back help!

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more

2 more replies
Relevance 63.55%

EDIT:Moved to appropriate forum,Virus, Trojan, Spyware, and Malware Removal Logs ~~boopmeLogfile of Trend Micro HijackThis v2.0.4Scan saved at 10:25:51 AM, on 10/2/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16981)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Lavasoft\Ad-Aware\AAWService.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\WINDOWS\system32\CSHelper.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exeC:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exeC:\WINDOWS\system32\wscntfy.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Winamp... Read more

Answer:Browser redirecting virus///Virus keeps coming back//Thank You

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the ... Read more

2 more replies
Relevance 63.55%

Sure enough, I was disappointed when after running Kaspersky online scanner, Malwarebytes, and ComboFix I noted recurring hicjacked webpages and popups and inability to start Auto Update in Services, etc. but at a reduced rate.

I decided to run Malwarebytes a second time which detected several residual entries not eliminated on the first pass.

I then reexamined System 32 and saw that a number of the infected dlls WERE STILL THERE and were not deleted as promised after rebooting.

I decided to PRINT OUT ALL THE LOG FILES from the initial Kaspersky, Malwarebytes, and ComboFix scans and then tediously went LINE-BY-LINE identifying, deleting, and in cases of the System 32 dlls, using McAfee's more secure recycle bin shredder to remove them (inviting McAFee back for short term use as it is free via my comcast.net subscription--see my last post about this).

It was time-consuming and tedious, but it worked. Much more helpful to refer to a printed page than to squint at the screen swiveling from txt files and the Registry trees...

I also took advantage of a Microsoft "836941 Windows Update guided tool" (self extracting cabinet type) which I downloaded to the desktop. It "automatically" peformed the tasks of placing the update sites in the trusted sites of IE (which I had already done), purging the DNS cache or something like that (which I could not do from other Knowledge Base articles) and probably helped solve the
frustrating 0x80070422, 0x80072ee2, e... Read more

More replies
Relevance 63.14%

my pc was infected several days ago, i have eliminated it but, once in awhile it comes back. i dont know what else to do. please help. maybe im just paranoid but my pc runs slower than usual. specially the explorer. i have pasted a hjt log, just in case you need it.
any advise is very much appreciated.
thanks
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:36:19 AM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\RINGZS~1\STORMC~1\Stormser.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\Program Files\VIA\RAID\raid_too... Read more

More replies
Relevance 63.14%

DDS (Ver_09-07-30.01) - NTFSx86
Run by Logan at 1:02:41.45 on Sun 08/09/2009
Internet Explorer: 7.0.5730.13

============== Running Processes ===============
============== Pseudo HJT Report ===============

uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=1061209
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.com
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [braviax]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ms18_word] c:\documents and settings\logan\ms18_word.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
uRun: [SandboxieControl] "c:\program files\sandboxie\SbieCtrl.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRunOnce: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /F... Read more

Answer:need help been using my virus software but they keep coming back

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more

2 more replies
Relevance 63.14%

i've alreadys started discussing this in a different thread, but due to new and disturbing occurences, i felt the need to start a whole separate thread on the matter, i hope that's ok.

ok, as a background: i did a Panda virus scan yesterday and it found VBS/TheThing in my pc. it was located in the Temporary Internet Files folder. Panda got rid of it. so, fine.

Today, i decided to do another virus scan just to be thorough, so i run the Panda scanner again. and again it found VBS/TheThing !!!
location: Temporary internet files\content.IE5 folder.
don't know how i could've been exposed to it, since the last scan i haven't been to any sites other than here at TSG and Norton, nor have i done any downloading of anything that could be suspect whatsoever. i don't know how i got it again!! and this is what disturbs me further, Panda didn't get rid of it this time; i checked the scan report, and the action taken just said "infected". not deleted or renamed, just 'infected'
(last scan Panda "renamed" it). why could this be??

since it was found in the Temp internet files folder, naturally i deleted everything in it. but what i'm wondering is why it keeps coming back?

and does anyone know exactly about this VBS\TheThing virus?
 

Answer:VBS/TheThing virus keeps coming back!!

9 more replies
Relevance 63.14%

I am looking for some help.  I am running Windows 7 and IE8 and have started to get constant redirects.  Malware found two viruses Rootkit.0Access and Trojan.Dropper.ED.  Malware now shows no problems but the redirects keep comin back.  At least I can still use the the computer for now.  Any help is certainly appreciated.  
 
Bryan  

Answer:Redirect virus keeps coming back

Hello Bryan I would like to welcome you to the Malware Removal section of the forum.Around here they call me Gringo and I will be glad to help you with your malware problems.Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!Please do not run any tools unless instructed to do so.We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.Please do not attach logs or use code boxes, just copy and paste the text.Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.Please read every post completely before doing anything.Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.Please provide feedback about your experience as we go.A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", t... Read more

32 more replies
Relevance 63.14%

Hi,

I have an amazingly annoying problem which keeps coming back (even after windows format), I keep getting errors which wont allow me to start,open,delete,install files. Just messes up the whole system.
The errors are:
When I want to install program - Nothing happens OR Internal Error: Failed to expand shell folder constant "userappdata"
When I want to start program - Nothing happens OR mpr.dll is missing OR netutils.dll is missing
If I want to delete a program - "An error occurred while trying to uninstall program. It may have already been uninstalled"
Startup programs won't start - netutils.dll is missing OR mpr.dll is missing

I did a fresh install on my SSD, everything was working great but after couple of days it came back.
What's going on here?

Answer:Virus/Trojan keeps coming back?

Sounds like a bad installation. Where did you get your Windows 7 installation media from?

7 more replies
Relevance 63.14%

Can anyone help me remove the "not-a-virus"? Zone ALarm finds it and removes it, but it keeps coming back. Computer is SLOOOOW. NOt sure how to proceed. HELP!?
 

More replies
Relevance 63.14%

Somebody please help! I've tried everything I know of...
The other day while my little sister was researching something for a project on our home computer, she clicked on a link and a window popped up saying, "Congratualtions.! Your our winner for today blah blah blah". =( When I saw it, I knew it was a virus attempt because I came across this once before when my brother was caught looking at porn smh
Anyways, I ran three different Virus Scanners, Mcafee, Threatfire and AVG, and all three said there was no infected file on my computer. Yet, every twenty (20) minutes, Threatfire virus alert would pop up with the location and name of the infected file. Each time, I selected 'Kill and Quarentine', and each time, the application disappears only to reappear later in the next twenty (20) minute time frame. Oh, and whenever anyone tries to use a search engine, youtube or any website where you have to enter data into a search field, a separate window pops up like ex: randomtext.jempca.randomtext. And it always redirects to some kind of online 'shop', 'search engine' or another 'Congralations.!' message pops up.
I went online to research what I could about manually removing a virus using the computers CMD. I tried it a few times to get rid of the folder the viruses would constantly pop up in, but the virus would still pop up. The location is always C:/Windows/Temp/ which I found wierd because I thought most viruses would pop up... Read more

Answer:Infected? Virus keeps coming back.!

This time when it Threatfire alerted me, i located the Temp folder and there was five (5) different hki****.exe files!

8 more replies
Relevance 63.14%

Working on a friends computer that had some viruses. I ran malwarebytes and that cleaned out about 15 problems. Gave her back her computer and the next day she had the same problem. Not sure what is going on but when the virus kicks in, it also changes the proxy setting so that she cant use the internet. Any ideas?

Thank you.

Answer:Virus problem keeps coming back---help

Some infections will alter the Proxy settings in Internet Explorer which can affect your ability to browse, update or download tools required for disinfection. Check/reset the Proxy Settings as follows:Press the WINKEY + R keys on your keyboard or go to > Run..., and in the Open dialog box, type: inetcpl.cplClick OK or press Enter.Click the LAN Settings... button and uncheck Use a proxy server for your LAN
or change the settings to the proxy you normally use if you previously reconfigured it.Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.Click Ok and then click Ok again.Close Internet Explorer and restart the computer.If using Firefox do this:Open Firefox, click Tools > Options > Advanced and click the Network Tab.Under the Connection section click on the Settings... button.Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.Click Ok and then click OK again.Close Firefox and restart the computer.For other browsers, please refer to How to configure browser proxy settings.Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itsel... Read more

7 more replies
Relevance 63.14%

Hello,
I seem to have gotten some viruses-worms,trojans that I can't seem to get rid of. My internet pages started to redirect, mainly to various advertising sites and of course adult sites and fake virus scanners. I scanned with Microsoft security essentials and got rid of everything but it kept on happening so I got Malwarebytes and scanned again. It cames up I had win32.autorun.tmp so I got rid of it restarted and scanned again but it was there again. I tryed again but this time the scan was almost done and I got the BSOD which happens everytime now. I then tried Spybot S&D and it scans fully but can't get rid of all infections because some of the files are in use. My computer wont boot in safe mode. I have no idea how to fix this Please help.

Answer:Virus/ worm keeps coming back

I'm not trying to bump my post I promise but I just realised that I left out some crucial information in my original post. When I start up my computer Spyhunter pops up to say that my Hosts file has been changed and that I should restore it, which is what I do. Should I be doing that? Also whenever I run a virus scan I disable the other anti-virus progams that are installed to stop anything conflicting. I can't update windows, I get an error that says "Windows could not search for new updates an error occurred while checking for new updates for your computer. code 80072EFE" I hope this extra information helps. Merry Christmas everyone.

2 more replies
Relevance 63.14%

hi, i use windows xp and i recently encountered a virus. my antivirus software, avast!, called it Win32:Trojano-207 [Trj]. i tried to delete it but a few seconds later the warning message for the same virus popped back up. i tried to do a startup scan but that also didnt work. i used adaware and also spybot but nothing worked. can someone please help me here! thanks in advance!

Logfile of HijackThis v1.98.0
Scan saved at 12:34:15 AM, on 7/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\scagent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Tim\Desktop\HijackThis.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINDOWS\httpfilter.dll

i really appreciate any help!
 

Answer:trojan virus keeps coming back!

7 more replies
Relevance 63.14%

I have installed malware software, even there is a QUICK HEAL ANTI SOFTWARE installed in my computer. System got stuck and applications are running slowly due to virus problem, I want to remove virus and wants to improve system performance. I want to know how to fragment(don't know) the system or reboot.

Answer:How to remove a virus that keeps coming back?

Hello and Welcome.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:




Spyware 1st Steps




link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

1 more replies
Relevance 63.14%

Hi, I got a virus that keeps coming back in my Temp folder, "WindowsUpdateKB12695__7428_il31477.exe" , "tmp4191.tmp.exe" , "tmp9E32.tmp.exe" it appears once a day and I can remove it by running malawarebytes, but it keeps coming back after a few hours. It tries to install a program as soon as it appears in my Temp folderI have a feeling I might be infected with a Rootkit... I tried running Malawarebytes anti-malaware, malawarebytes anti-rootkit, tdsskiller and combofix with no luck, it still comes back every few hours or everyday.I think this virus appeared when I got some new drivers for my AMD graphics card, but I am not certain... I cannot do a system restore because I didnt have any restore points before I downloaded the drivers... ... .I would like to know if one of you more experienced user could help me with my issue. Thx in advance!Edit: Moved topic from Windows 7 to the more appropriate forum, due to member having already run ComboFix. ~ Animal

Answer:Virus keeps coming back in Temp

I found an "$RECYCLE.BIN" in my second harddrive, I think Im infected with Zero Access, but its on another internal harddrive which is not the one my operating system is on, I feel like all the scanners are only scanning my main harddrive where my operating system is located, so they cant find the virus!
​ How do you delete a Zero acces rootkit in a second internal hard drive?

20 more replies
Relevance 63.14%

I've ran malwarebytes,SuperAntiSpyware, and Sophos is running now. The Virus won't come off and when I run a scan in safe mode it says it's gone but in regular it says it's there. The virus redirects every link I click on in google go to some other ad. Please help. I'll update if Sophos removes it.

Oh By the way Malwarebytes says
Trojan.dropper.bcminer
Rootkit.0Access
Rootkit.0Access

Edit: Ran Sophos...did nothing...

Answer:Horrible Virus, Keeps coming back.

Please do not run any tools unless instructedDownloadTDSSkillerLaunch it.Click on change parameters-Select TDLFS file systemClick on "Scan".Please post the LOG report(log file should be in your C drive) Do not change the default options on scan resultsDownloadaswMBRLaunch it, allow it to download latest Avast! virus definitionsClick the "Scan" button to start scan.After scan finishes,click on Save logPost the log results hereDownloadESET online scannerInstall itClick on START,it should download the virus definitionsWhen scan gets completed,click on LIST of found threatsExport the list to desktop,copy the contents of the text file in your reply

15 more replies
Relevance 63.14%

Hey guys I have scanned with Malwarebytes, Superanti Spyware, and Hitman they all have said none except Malwarebytes and I know its right because my computer will randomly shut off some times.

Answer:Virus. keeps coming back.Winsvcs.exe

Hello please post that MBAM log.The log is automatically saved and can be viewed by clicking the Logs tab.Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.Is it Winsvcs.exe or winsvc.exePlease Download TDSSkiller Launch it. Click on change parameters-Select TDLFS file system Click on "Scan".Please post the LOG report(log file should be in your C drive) Do not change the default options on scan results.>>>>ADW CleanerPlease download AdwCleaner by Xplode onto your desktop.Close all open programs and internet browsers.Double click on adwcleaner.exe to run the tool.Click on Delete.Confirm each time with Ok.You will be prompted to restart your computer. A text file will open after the restart.Please post the contents of that logfile with your next reply.You can find the logfile at C:\AdwCleaner[S1].txt as well.>>>>>>ESET ONLINEI'd like us to scan your machine with ESET OnlineScanHold down Control and click on this link to open ESET OnlineScan in a new window.Click the button.For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.Double click on the
icon on your desktop.Check "YES, I accept the Terms of Use."Click the Start button.Accept any security warnings fr... Read more

9 more replies
Relevance 63.14%

Hi,

My pc seem was affected by virus, after i'm reformated it the virus still coming back..
Any help will be appreciated
Thank alot

Here is my logs files
Logfile of HijackThis v1.99.1
Scan saved at 7:53:35 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Temp\system1.exe
C:\WINDOWS\system32\k11833762731.exe
C:\Program Files\Common Files\System\commond.pif
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Grisoft\AVG Free\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\LC\Desktop\HijackThis.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKLM\..\Run: [TIMHost] C:\WINDOWS\TIMHost.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [Microsoft Autorun1] C:\WINDOWS\system32\nwizdh.exe
O4 - HKLM\..\Run: [Microsoft Autorun9] C:\WINDOWS\system32\Ravasktao.exe
O4 - HKLM\..\Run: [ryy]... Read more

More replies
Relevance 63.14%

The computer is running Xp service pack 2.
When I first tried to fix a popup problem with symantec, the user (my daughter) couldn't log on anymore.
Safemode would begin to load and then rebooted.

I fixed several registry entries using knoppix under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
and copied over a copy of userinit.exe, and ntldr from another Xp installation.

Now the user can logon, but the web pages are redirected to advertisements for removal tools and other things.
A file called str.sys was removed by several malware and antivirus programs and kept coming back.

I still can't boot into safemode. I see a list of drivers loading and then the computer reboots. I would be grateful for any help, thanks.

Here is the report from Rootrepeal

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/27 22:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: 00002984
Image Path: 00002984
Address: 0xB2A8F000 Size: 71424 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2BC3000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Lock... Read more

Answer:rootkit virus keeps coming back str.sys

Hi jobarb,Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.I see you have Combofix. Please post the log(s) it has produced. If you have run it more than once Please attach all of them.The latest log is located at: c:\Combofix.txtThe earlier logs are located at C:\Qoobox\combofixX.txt where X is a number.

24 more replies
Relevance 63.14%

I use Avast 4.8 to check my system and try first a "move to virus chest" when I was notified I had a virus. When I "move the virus to the chest" it just keeps coming back as a new virus almost immediately wit the virus warning. Then I tried the "repair" option in Avast, but it always said an error has occured... File name was: C:\System Volume Information\ _restore{7F7BE6F8-0D6A-488B-ABD ... Note Malware name: Win32: Trojan-gen(other)... I ran HijackThis and here is the log....



Please walk me through as I'm a novice on this computer stuff,,, thanks in advance...



Geof



Logfile of HijackThis v1.99.1

Scan saved at 8:38:24 PM, on 11/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\Multimedia Card Reader\shwicon2k.exe

C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe

C:\WINDOWS\LTMSG.exe

C:\WINDOWS\System32\hphmon05.exe

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps... Read more

Answer:Trojan virus keeps coming back!

11 more replies
Relevance 63.14%

Unfortunately I keep getting my isp suspended due to trojans, initially it was something different but now they are telling me it's Torpig. I thought I had removed a few trojans, and they seem still gone on repeated scans with programs such as Panda, Malbytes and SuperAntispyware but again on April 9th my account got suspended. Here's my Hijack This log, can someone please talk me through what might be the issues and how to remove them? It would be much appreciated.Hijack This log(updated after removing some things):Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Panda Security\Panda Internet Security 2009\TPSrv.exeC:\PROGRAM FILES\PANDA SECURITY\PANDA INTERNET SECURITY 2009\WebProxy.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exeC:\Program Files\Option\GlobeTrotter Connect\GtDetectSc.exeC:\WINDOWS\system32\svchos... Read more

Answer:Torpig virus keeps coming back

I removed Panda since it seemed to cause havoc with my browsers. Also removed a couple other things that popped up as trojans:Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\rundll32.exeC:\WINDOWS\stsystra.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Option\GlobeTrotter Connect\GlobeTrotter Connect.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exec:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\A... Read more

12 more replies
Relevance 62.32%

Logfile of HijackThis v1.99.1
Scan saved at 12:21:07 PM, on 16/07/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
D:\Windows\system32\taskeng.exe
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
D:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
D:\Windows\vVX3000.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Windows\System32\CtHelper.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\DynDNS Updater\DynDNS.exe
D:\Users\Brad\Program Files\uTorrent\uTorrent.exe
C:\sigx218b\SigX Beta 2.1.8\SigX.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
D:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Interne... Read more

Answer:w32.licum virus found but keeps coming back

Thanks in advance for your help, this is driving me nuts!

13 more replies
Relevance 62.32%

As said in the title, the Windows Xp Security Center virus keeps on coming back. I've gotten rid of the thing 6 times now, and I'm sure it'll come back again unless I find to cause of it. I also noticed that my automatic updates is off, and I can no longer turn it on. It always says that it's unable to change settings. I have no idea what to do. Anytime I get the virus, I just scan and remove it, but it's becoming a real nuisance, and I want to stop getting it now. Any help would be much appreciated.

Here's my DDS log.
.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Run by Jonathan at 11:19:44 on 2011-05-30
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2185 [GMT -4:00]
.
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\W... Read more

Answer:Windows Xp Security Virus Keeps Coming Back

Hello, Welcome to TSF.
I'm nasdaq and will be helping you.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your logs are clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.

Please do not install or uninstall any programs, or run any other scanners or software, unless I specifically ask you to do so. Also please copy and paste logs into the thread, rather than add them as attachments.
===

Please download Malwarebytes Anti-Malware and save it to your desktop.[list]
alternate download link 2Make sure you are connected to the Internet.
Double-click on Download_mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
MBAM will automatically start and you will be asked ... Read more

11 more replies
Relevance 62.32%

Avira first alerted me to this problem on 11/23. I had been getting loud annoying pop-up ads when I was browsing youtube, and then saw Avira found EXP/JS.Expack.AZ, EXP/Pidief.dme, and TR/Alureon.A.78. I googled it and found your website and followed the instructions and MBR check said nothing was found so I thought I had gotten rid of it. Avira did scans from 11/23 through 12/4 and no viruses/unwanted programs were found even though I was still having some intermittent problems with annoying pop up ads. Then on 12/5, I got a new Avira warning saying it found two unwanted programs, including TR/Alureon.A.74 and TR/Alureon AYQ Trojan. So I don't know if I got rid of it and it came back, or if it never went away, but I am ready to cry Uncle and humbly request for help! I really don't know how I have gotten this because all I do is browse the internet. Thank you so much for your help. It is greatly appreciated.

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 10.10.2
Run by Meredith at 9:44:50 on 2012-12-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.4061.1264 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
... Read more

Answer:Trojan Alureon A Virus Keeps Coming Back :(

Hello merri23, Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.Do you have a USB Flash Drive you can use?

20 more replies
Relevance 62.32%

I am having problems with the Patched User32 virus coming back to my system. It has some components that McAfee says it can't remove or repair. I have tried Adaware and MalWare Bytes and still have the problem. My computer also seems to be running slower now. Here is the log from the DDS software:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 18:34:02.48 on Wed 02/11/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1277 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMe... Read more

Answer:Patched User32 Virus Keeps coming back

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------

7 more replies
Relevance 62.32%

Hello!

I am encountering this problem this past weeks. It seems that something is creating a virus over and over again on my system. I run a Malwarebytes fullscan and my AntiVirus is Avira premium but to no avail the problem keeps coming back.

My Antivirus blocks this kind of virus(12.exe,96.exe,36.exe,igfxdkp2.exe) over and over again in different intervals.

Malwarebytes also detect 3 infection but after i restart the infection is back again.

I hope someon can help me

Answer:Virus keeps coming back and cannot detect the root of it

Hello, I moved you to the Am I Infected forum as you didn't post a DDS log that is required there. So lets do this next and see what we have here.Is this XP or another and what Antivirus is installed?Please post your MBAM log.The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.Next run an Online scan....Please perform a scan with Eset Online Antiivirus Scanner.This scan requires Internet Explorer,Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator.To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.Click the green button.Read the End User License Agreement and check the box: Check .Click the button.Accept any security warnings from your browser.Check Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)Click the Start button.ESET will then download updates for itself, install itself, and begin scanning your computer.If offered the option to get information or buy software at any point, just close the window.The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and win... Read more

6 more replies
Relevance 62.32%

I have a virus in system32\userinit.exe. If I run a malware or other type scan it deletes the virus, but the virus comes right back on the next computer start up. I then decided if I could replace the system32\userinit.exe w/a non corrupted one that would take care of it. I think System File Checker can do that, but it asked for the windows XP CD. My computer did not come w/a cd. I was hoping maybe I could download a service pack from microsoft but it is impossible to figure out where to go on that site. Does anyone have any ideas on how to get rid of this bad file and get a new one w/out the CD?

Answer:system32\userinit.exe virus keeps coming back

You probably have a Restore Partition. Hit the F11 Key at bootup to take you to the Restore Partition, this will restore your computer to Factory Defaults. Backup any data you want be for proceeding.
Or you can post in our Security section of this forum to remove the virus.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

1 more replies
Relevance 62.32%

I've been working on getting a very nasty virus off my WinXP Home Edition PC.

I initially could not get anything to run. The virus had done the following:
1) Disabled all antivirus software I could run (including Spybot Search & Destroy, MBAM, SuperAntiSpyware, Combofix, Avast to name a few)
2) Windows Update would not run - error message that it could not run in Safe Mode (I was logged in as Administrator in normal boot up)
3) Permissions were changed on many of my files by adding a new group and changing the normal administrator privileges.
4) Changed registry keys to always get safe mode enabled while logged in as Administrator thus not allowing many critical programs to run.

In any case - I was able to get the computer back to running but I still cannot find the virus because it is still lurking and reloads randomly (or seemingly randomly). I've run out of options so I'm posting here to get some help finding where this thing is actually hidden.

Last MBAM log before everything was back to normal (at least for a couple days)

Malwarebytes' Anti-Malware 1.39
Database version: 2516
Windows 5.1.2600 Service Pack 2

8/9/2009 11:33:00 PM
mbam-log-2009-08-09 (23-33-00).txt

Scan type: Quick Scan
Objects scanned: 144868
Time elapsed: 9 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infe... Read more

Answer:Very nasty virus keeps coming back - No Matter What

Please uninstall Mbam and download the newer version 1.40Update it and run a full scan------------------------------Then run ATF and SASATFPlease download ATF Cleaner by Atribune & save it to your desktop.Double-click ATF-Cleaner.exe to run the program.Under Main "Select Files to Delete" choose: Select All.Click the Empty Selected button.If you use Firefox browser click Firefox at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.If you use Opera browser click Opera at the top and choose: Select AllClick the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.Click Exit on the Main menu to close the program.Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".------------------------------------SAS,may take a long time to scanPlease download and scan with SUPERAntiSpyware FreeDouble-click SUPERAntiSypware.exe and use the default settings for installation.An icon will be created on your desktop. Double-click that icon to launch the program.If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Insta... Read more

8 more replies
Relevance 62.32%

Please help!!! I'm at a loss to keep vicious stuff off my computer after deleting it. Norton found W32.allim after my daughter clicked on Hey check this out! in AOL AIM. I think I got if off the computer because Norton doesn't find it anymore. However, I'm getting a dozen other things that I get off only to come back after restart such as Esyndicate, Aproposmedia, the stupid Hunt Bar constantly comes back, and upon restart, I get the message that C:/windows/system332/gmi4i9ir.exe is causing Runtime to terminate in an unusual way. I've run Microsoft Antispyware, Adaware, Xoftspy, Spybot Search & Destroy. It seems to be affecting my web browser--changing the URL home page and pop-ups are occurring. The following is my Hijackthis log file.

Logfile of HijackThis v1.99.1
Scan saved at 2:44:41 AM, on 5/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\msaccrt.exe
C:\WINDOWS\Sy... Read more

Answer:HELP!! virus/malware/adware keeps coming back!!

16 more replies
Relevance 62.32%

This VBS:Malware [Gen] virus keeps showing up on my pc and I don't know where it's coming from or even if it's getting deleted in the first place. Normally I delete it, but this time I chose to send it to the "chest". How do I keep this from coming back?

Logfile of HijackThis v1.99.1
Scan saved at 9:49:50 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Tray Tools\atitray.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Avast4\aswUpdSv.exe
C:\Program Files\Avast4\ashServ.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Fil... Read more

Answer:VBS:Malware [Gen] virus keeps showing up. How do I keep if from coming back. w/HT log

7 more replies
Relevance 62.32%

Hi.I'm new here, but i hope somebody can help me.I got a trojan virus called "Trojan.Agent.Gen" or "Trojan.Agent.cn" by malwarebytes antimalware.It creates a file called svchost.exe in appdata\local\temp directory and everytime i stop it with malwarebytes antimalware it comes back again after restarting my computer.I provide some screenshots below, but the malwarebytes antimalware is in Norwegian language, but you can clearly see the Trojan name.PS: I'm using windows 7 home premium.

Answer:Trojan virus keeps coming back after removal

Please do the following:Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.Plug the flashdrive into the infected PC.Enter System Recovery Options. To enter System Recovery Options from the Advanced Boot Options:Restart the computer.As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.Use the arrow keys to select the Repair your computer menu item.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account and click Next.To enter System Recovery Options by using Windows installation disc:Insert the installation disc.Restart your computer.If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.Click Repair your computer.Choose your language settings, and then click Next.Select the operating system you want to repair, and then click Next.Select your user account an click Next.On the System Recovery Options menu you will get the following options:Startup RepairSystem RestoreWindows Complete PC RestoreWindows Memory Diagnostic ToolCommand Prompt[*]Select Command Prompt[*]In the command window type in notepad and press Enter.[*]The notepad opens. Under File menu select Open.[*]Select "Computer" and find your flash drive letter and close the notepad.[*]In the command window type e:\frst.e... Read more

21 more replies
Relevance 62.32%

Hi All,

I got infected with the Funshopper virus/malware, but I can't seem to get rid of it. I tried following some manual removal tutorials online, but the instructions weren't clear about how to delete hidden files or mess with registry stuff. So it didn't work. I also downloaded Spyhunter, but that didn't work either because the scan keep hanging/freezing, so I just uninstalled it.

I've attached my FRST.txt scan.

Whenever I remove the Funshopper Chrome extension, it automatically adds itself back!

Please help! Thank you everyone!
 

Answer:Can't Remove Funshopper Virus (it keeps coming back by itself)

Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
I visit forum several times at day, making sure to respond to everyon... Read more

11 more replies
Relevance 62.32%

Hello I am new to your forum, computers and the internet so please bear with me

Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

My Msn box started to dance all around my screen, and to my suprise, this trojan/virus started to send out the same file to others that where my contacts and had there Msn Live messenger box on at the same time I had, posing it self off as me sending it

Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

I then used my Spysweeper and it came up stating I was Infected with W32/IRCBot-xx, I Quarantine such, cleaned out my Quarantine and then proceeded to do more scans how ever after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

Now there after seeing that, I was more then a little upset, so I made a few phone call's to my Grandsons friends, whom are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

That did not help either because this darn W32/IRCBot-xx keps coming back and showing up In my Spysweeper

I would like to know if some one here can give a Old Man a tad of a little guidance please with regard to my problem

I have done many scans and cleaning with Norton IS 2007, Spy Swee... Read more

Answer:Trojan/Virus W32/IRCBot-xx Keeps Coming Back

6 more replies
Relevance 62.32%

Hi,I am no novice to removing malware, but every once in a while I am completely at a loss, and I have three infected client PCs right now that have me beat. I will post them in seperate threads.This one starts itself in WinLogon, and I can start from a CD to access the hard drive and delete the file in questions (which is set to hidden and read-only and system), but when I restart another file has taken the place of the first one.The WinLogon registry entries change, too. I have come across these so far:Web Check (maybe without space)Controls FolderReliabilityShell ExtensionsShellScrap (no space) - I gave up after this one, and the file name is ppdrv.dll. ShellScap appears to be the name of another virus which doesn't fit the symptoms here, though.Internet on that PC is broken.I used HiJackThis to weed out everything else.On most PCs I can use Process Explorer (Sysinternals) to go into WinLogon and kill the bad process, but on this PC (and some others) I don't get a file name for the process in the Thread tab, but only a memory address, so I have no way of knowing which one to kill.But even if I could kill it and remove the file, something else must still be started with Windows that restores a new WinLogon entry with a new file.I will go back to that person on Monday, but I will only have this one day left to fix it, so I need all the info I can get before I go there.Here is the original HJT log that I made before I made any changes. The PC was started in Safe Mode CMD Prom... Read more

Answer:Virus Keeps Coming Back - Winsync Qoologic

This is number 3 that I encountered today. I have had this one before on a client's PC ages ago, but can't remember how I got rid of it.

The main thing to identify it is that it starts salm.exe, but the file doesn't show up either in Explorer or CMD or even when started from a CD that has NTFS access.

I tried the Symantec tool for 180Search (I think), but had to leave the client right after that (no idea if it worked). I will go back on Monday and would like to be ready for it.

I know how to use HJT, Process Explorer, KillBox etc. and Regedit, and I'd rather get rid of something manually or at least know how it's done in case an automatic removal program doesn't do the trick.

I tried removing the files while starting from a CD, but the files don't seem to exist, even though they show in HJT as being started and NOT as file missing. I am fluent in CMD prompt and know how to search for hidden files, but with no success here.

Where could these guys be hiding so I can't find them?
How can I find the files?
Are there other Registry entries that HJT doesn't detect that allow files to be started?

Sorry I have no HJT log - I had to leave in a hurry...

Thanks!

8 more replies