Tech Problem Aggregator

Protection System Rootkit needs to be removed

Q: Protection System Rootkit needs to be removed

Hello and thank you for your time. It seems like there is a rootkit out there wreaking havoc and I have become an unwitting statistic. This pest will not let me run a Malwarebytes scan, nor will it let me run RootRepeal; it simply reboots the whole system when I try RootRepeal, even in safe mode. I get bogus "Security Center Alerts" and bogus messages urging me to buy Protection System antivirus software. Please help! Additionally, I receive various messages telling me about bugs that have been detected with a scan that I never initiated.

A: Protection System Rootkit needs to be removed

Hi elbarracho,

Download and run Win32kDiag: Download Win32kDiag from any of the following locations and save it to your Desktop.
Download Win32kDiag (Win32kDiag.exe) - #1
Download Win32kDiag (Win32kDiag.exe) - #2
Download Win32kDiag (Win32kDiag.exe) - #3
Double-click Win32kDiag.exe to run Win32kDiag and let it finish. When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

Q: malwarebytes removed system progressive protection

Had System Progressive Protection malware; ran Rkill, Malwarebytes, and PSIS. Now I am getting a message that says

The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?

I said yes at first and when it said there were over 700 files I stopped it. Rebooted and got it again, this time I said no and tried to open the Recycle Bin to view the files and it wouldn't let me.

Any suggestions????

Thanks,

A: malwarebytes removed system progressive protection

Hello,

I will be helping you with your problems. Please be patient while I assist you. Some points for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do NOT run, install or uninstall any programs, unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Butt... Read more

Q: Need Help! - Removed UAC Rootkit but system still...

Found out my system had a Rootkit installed and I finally (I think) got rid of it after hours of work. Afterwards, I was getting browser re-directs to adlinksearch.com and others - I've used a lot of different programs to find and kill other trojans, etc... I THINK they were all legit, as I did research before trying them. Norton 360 found some, Spybot found others... but I know my system is still compromised. I ran Combofix and it found ws2_32.dll was infected... it deleted it and restored from c:\i386... The log didn't say what it was infected with.

Suspicious files / registry entries / services: I found a service I'd never seen before without a reference line - Sisrru that opened c:\windows\system32\fastopen.exe. I disabled the service and deleted the file but it is still showing up on the Combofix log. After deleting the fastopen.exe file it almost immediately reappears. I know that's not a good sign... HiJackThis log pasted below... PLEASE HELP... Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:04 PM, on 7/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\... Read more

A: Need Help! - Removed UAC Rootkit but system still...

Hello and welcome to Bleeping Computer.

My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:

Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
Copy and paste all logs requested in your reply. Do not attach them unless asked to.
If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.
If I do not hear back from you within 5 days of my last post, then this topic will be closed.

ComboFix should not be run unless requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Post the contents of C:\ComboFix.txt in your next reply.

Please download Malwarebytes' Anti-Malware from Here. Note: If you already have Malwarebytes' Anti-Malware, just update then run it. Double Click mbam-setup.exe to install the application. Make sur... Read more

Q: Rootkit Protection System -- help needed

Thanks in advance for your assistance! I sincerely hope YOU can help....

My son's laptop (Win XP) acquired a virus, actually a rootkit called Protection Systems. I have been attempting to get rid of it for 4 days now with no success; HOWEVER, I suspect now I am in a position that you can assist me. Here is what I have done using my PC and a flash memory that I transferred between machines:
1. My first step was to attempt to use Malwarebytes Anti-Malware on it but that did not work. The rootkit shut it down.
2. Then I tried HijackThis, unsuccessfully. Shut it down.
3. Then I heard about a beta product called RootRepeal and tried that. Unsuccessful again! It shut it down and produced a blank log file.
4. So, I contacted the author of RootRepeal (initials AD) and asked for his advice. He said I may have a particularly lethal rootkit. So...
5. He sent me a link to another program he's written called Win32kDiag. I was successful today running that (!) and produced a log file. I can supply it when you're ready. He suggested I contact you with the log file and get your wisdom as to what steps I might now take to rid the laptop of the rootkit.

So, here I am, hoping you can help!

A: Rootkit Protection System -- help needed

Hi,

I'm going to redirect you to the HijackThis section of this forum. This, because it's a deeper infection. Read this page and follow its steps: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Please give them a link to this topic.

Good luck.

Q: Rootkit removed, but system is still screwed...

Vista SP1 x86
Never worked on a rootkit like this before.
Infected my MBR which I was able to restore but now I can't get into Windows, Stop [0x8e, 0xc5] (safe mode works). Have ruled out memory with MEMTest86+ 4.10.
For some reason, I can no longer get Windows (normal mode) to produce a dump since last night.
Here is the winDBG code from the last dump:

Debugging Info
Loading Dump File [X:\Mini092410-02.dmp]
Mini Kernel Dump File: Only registers and stack trace are available

Symbol search path is: SRV*C:\Windows\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows Server 2008/Windows Vista Kernel Version 6001 (Service Pack 1) MP (2 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 6001.18488.x86fre.vistasp1_gdr.100608-0458
Machine Name:
Kernel base = 0x82035000 PsLoadedModuleList = 0x8214cc70
Debug session time: Fri Sep 24 21:43:16.235 2010 (UTC - 5:00)
System Uptime: 0 days 0:00:48.032
Loading Kernel Symbols
................................................................................................................................
Loading User Symbols
Loading unloaded module list
..
Unable to load image \SystemRoot\System32\Drivers\aswSP.SYS, Win32 error 0n2
*** WARNING: Unable to verify timestamp for aswSP.SYS
*** ERROR: Module load completed but symbols could not be loaded for aswSP.SYS
**************... Read more

A: Rootkit removed, but system is still screwed...

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

Q: Zeroaccess Rootkit and System Progressive Protection

Hello

I have a Sony Vaio running Vista 32bit. I had the System Progressive Protection on my laptop and ran rkill and MBAM and cleaned it. After that I lost use of my laptop's keyboard and mouse but the USB keyboard/mouse work. I tried many things with no success and have now restored all the files found by MBAM and am now back to square one, and realize I'm in over my head and need some help. Windows Update will not run, as well as other services. MS Security Essentials was on it but was getting errors so I uninstalled it. My Recycle Bin says it's corrupted as well. Here is the log from my most recent Rkill being run in safe mode, and MBAM. Please Help!

Rkill 2.4.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link: http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 10/01/2012 08:46:02 PM in x86 mode.
Windows Version: Windows Vista ™ Home Premium Service Pack 2

Checking for Windows services to stop:
 * No malware services found to stop.

Checking for processes to terminate:
 * No malware processes found to kill.

Checking Registry for malware related settings:
 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:
 * ALERT: ZEROACCESS rootkit symptoms found!
 * HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
 * HKE... Read more

A: Zeroaccess Rootkit and System Progressive Protection

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At... Read more


My system became infected with Protection System malware which I was unable to remove. I am also unable to run Super Anti Spyware which has been on my system, and used regularly. I tried to install Malwarebytes and although it appears to install, it will not run. I installed Spyware Doctor and it found a Trojan - Virtuemonde as well as Antivirus Pro (WSCSVC32.exe)

I use Bitdefender antivirus software, and ran a deep scan overnight. Came back to a blank desktop. Spyware Doctor keeps blocking outbound trojan attempts, and the system will only run for about 5 minutes before it freezes up. Any attempts to google related info are redirected to other sites.

I was able generate a HJT log, but only while in safe mode.

help....

Q: PC Antispyware 2010+Rootkit+Protection System

XP Home SP3 laptop was infected with PC Antispyware 2010 and Protection System. I found manual removal instructions and removed what I could find from the registry and file system but missed something somewhere. Found braviax running and deleted that and then tried to install anti-spyware software but nothing will run. IE8 loads and crashes. Installed Mozilla but can't get anywhere. Cannot get a DHCP address from my router (wireless) but a hardcoded IP works. Can ping external websites but cannot open them in a browser. Firewall is not running and will not load. Tried to roll back to before the infection but it says it has been disabled by group policy.

Tried to run DDS but window opens and closes quickly. Watched the processes and DDS.scr loads and find.exe and then DDS stops but find stays running.

Ran RootRepeal and it crashes if I include files in the report option so the report sans files is attached. Thanks in advance!

A: PC Antispyware 2010+Rootkit+Protection System

You can close this. I rebuilt using rescue disk.

Q: System check rootkit.boot.sst.a not removed

30 Jan 12: I had the Fake HDD windows ("windows delayed write failed" etc.) with files hidden. I should have said I have been following the page http://www.bleepingcomputer.com/virus-removal/remove-system-check . I booted in safe mode and ran RKill, restoring the file view, and TDSSKiller, which found Rootkit.Boot.sst.a. At the end it asked for a normal reboot, but the Fake HDD started again. Second time I rebooted in safe mode again, repeated RKill, TDSSKiller; the rootkit was OK, a few files found and removed. Now I ran Malwarebytes.

4 Feb 12: I booted in safe mode. Realising I needed to be safe this time I have backed up recent data (not on my external Omega HD) onto USB and am copying to a safe place. Not enough space for the whole computer. In order to do that I unhid some files to back them up. This may have been a mistake, as RKill did not unhide everything as it should. I ran RKill, TDSSKiller (nothing) and Malwarebytes again, still going after an hour, nothing found yet.

Q1. If I back up onto my external drive will I risk corrupting the backups I have? (Iomega Quikprotect)
Q2. I have a file appearing on the usb stick I don't recognise "nmndsdcid". What does that indicate?

I ran defogger, dds.scr and gmer this time around, results below. What to do next? I have the ark.txt if needed.

Edward

Attachments: dds.txt (14.86KB), ark.txt (416.... Read more

A: System check rootkit.boot.sst.a not removed

I rebooted into safe mode, and ran superantispyware Quickscan
Registry item Trojan.Agent/Gen-FakeAV was removed.
I'm running again after updating, using full scan

Q: System Check removed - still have rootkit infection

I've been trying to fix this one myself for about a week now, I give up!

I am running Windows XP, SP3 on a Dell Latitude 610 laptop.
I connect to a local network at the office, and use the laptop when I travel or work remote.

So far, I followed the System Check Uninstall Guide on your site.
It took me a while to get Malwarebytes to run, but once I did, it found files and quarantined them.
I thought I had the virus removed, but I can't get my USB drivers to work again.
I've tried to re-install them from device manager, but that doesn't work.

I ran Combofix, and that showed a ZeroAccess rootkit infection, but I can't seem to get rid of it.

After digging, I've noticed that there are files in the windows/system32 folder that keep replacing themselves, even after I copy a known good version of them into the folder. For example, shell32.dll is one.
I know my registry is a mess, but I don't know how to get it fixed and/or cleaned up.

Please help!
DDS log follows...
GMER log attached

Thanks,
Bill
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.2.1
Run by BBAUER at 9:06:45 on 2012-02-07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.198 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===========... Read more

A: System Check removed - still have rootkit infection

Hello, Welcome to BleepingComputer.

I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

===

Please Download TDSSKiller.zip >>> Double-click on TDSSKiller.exe to run the application. Click on the Start Scan button and wait for the scan and disinfection process to be over.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double click the aswMBR.exe to run it. Click the "Scan" button to start scan. Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT. Please post the contents of that log in your next reply. There shall also be a file on your desktop named MBR.d... Read more

Q: Kaspersky removed rootkit, after reboot no op system

History: Had some viruses, scanned with Mbam, McAfee (uninstalled) and now Kaspersky. Kas found some and deleted last week. I still had a freaking browser redirect problem though. I come home tonight and Kasp says it needs to reboot to disinfect some virus.....I think it was something like file atapi w32.tdss.y rootkit or something close.
I said ok to reboot, now I get perpetual reboots like there is no operating system.
I used Hiren's to access through mini windows xp and my stuff is there.
Installed the XP recovery console, and when I try to run, it goes to blue screen of death BSOD.
Typing on my laptop to access here.
I'm stuck.

A: Kaspersky removed rootkit, after reboot no op system

If you still need help, please post back.

Q: Rootkit.agent, Vundo and others removed- system still slow

Good morning-

I have a friend's laptop that wasn't working well at all. Dell Inspiron E1505 running Windows XP Media Center sp3. After running Avast Antivirus, Super AntiSpyware, Malwarebytes and Spybot the following items were removed:

Vundo
Password.stealer
Trojan.dropper
Malware.trace
Rootkit.Agent/Gen-softV
Vundo
Trojan.agent/Gen-Fake Alert
win32: small-ncz
wild tangent

The system works significantly better but still seems slow or to hesitate. I'm also concerned that I didn't catch or remove everything.

Thanks in Advance!

Here's the DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Sanbroaz at 10:01:54 on 2012-08-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.684 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceS... Read more

A: Rootkit.agent, Vundo and others removed- system still slow

Hello Jeff, how have you been?

I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click... Read more

Q: password protection removed

Hi
I have a Word file that was protected with a password. Today I opened it and surprisingly I didn't have to type in a password, and even worse, all the contents of the file were deleted!
Do you have any idea what has happened?
Thank you

A: password protection removed

Q: Had Virusburst, Believe I Have Removed It, Still Have Protection Bar

Hey,

When I first discovered I was infected with Virusburst this was the site I came to to get help.
I did manage to delete Virusburst, I believe, but I still have an Internet Explorer "protection Bar" that I am positive came with it.

Any ideas as to how to get rid of it?

Also, Virusburst came through a faulty link to a normal video that asked for a codec for Windows Media Player; I am unable to uninstall this codec.

Any help would be greatly appreciated.

thanks

Andy

A: Had Virusburst, Believe I Have Removed It, Still Have Protection Bar

If you're using Win XP or 2000, do this.

First, print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download, install and update AVG Anti-Spyware 7.5. DO NOT perform a scan yet. Print out the AVG Anti-Spyware Install-Scan Instructions.

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.

Go here and follow the instructions for using SmitfraudFix. You will have to extract the zip file to your Desktop. (Click here for information on how to do this if not sure. Win 9x/2000 users click here. If you need an unzipping utility, download 7zip (it's free).)

After using the tool as instructed, reboot again in "SAFE MODE" and double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All. Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All. Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Then scan with AVG Anti-Spyware 7.5 per the instructions you printed out and reboot normally.

Q: Removed Security Protection, still getting redirects

27/Sep/2011 8:49 Trying to fix computer for a friend. Created my own tracking log of my troubleshooting steps.

connected Dell inspiron computer and booted into safe mode
checking instructions for removal of security protection spyware/virus

checking for rootkits, none found. but still not getting browser to work correctly
after running tdsskiller with no results, now able to browse to malwarebytes.org without
getting a redirect. suspect ?
27/Sep/2011 8:59


27/Sep/2011 9:51
got malwarebytes spyware scanner loaded onto computer - updated and running scan
- during scan got an attempt by ie to load signalsearchsystem.com which was redirected to 63.209.69.107 ...

27/Sep/2011 9:55 malwarebytes found 17 threats, saved log .
ran tdsskiller again, no threats found
copying rkill on computer, running rkill - only file killed was renamed tdsskiller.exe
oops, same steps with rkill downloaded as iexplore.exe instead (just in case)
found C:\windows\SysWOW64\notepad.exe (but that may be because I closed the prior log
as rkill was running a second time).

27/Sep/2011 10:10 running malwarebytes full scan
- leaving for work, will check on results later.

27/Sep/2011 22:16 back home - scan completed with 18 results
multiple launches by ie of signalsearchsystem.com.
closing ie, saving log and removing selected software in malwarebytes
restarting computer
no sign of system protection on reboot. running malwarebytes quick s... Read more

A: Removed Security Protection, still getting redirects

Hi cquinn, and welcome to Bleeping Computer.

Firstly, please launch Malwarebytes' Anti-Malware, click the Update tab, and then Check for Updates. Then choose the Scanner tab and select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy & Paste the entire report in your next reply.

Secondly, download OTL.exe by OldTimer to your Desktop. Close all windows and double click OTL.exe. In the "Custom Scans/Fixes" window (under the light green bar) paste the following in bold:

netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

Click Run Scan and let the program run uninterrupted. When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Post both logs in this thread. You may need to use two posts to get it all.

Q: Trojan which can't be removed by Symantec Endpoint Protection

Symantec Endpoint Protection found DWH116.tmp (Trojan.Gen.3) in

C:\Documents and Settings\JZ\Local Settings\Temp\

but was unable to clean it. When I search I can't find the file. The same thing happened a few weeks ago but the infected file was not found again.

Symantec Endpoint Protection logs the file but can't fix it. When I scanned again 3 days later Symantec Endpoint Protection didn't find it (? because it was logged?).

Comodo doesn't find it.

I'm running XP SP3 on a Dell PC.

Any help or advice would be appreciated.

A: Trojan which can't be removed by Symantec Endpoint Protection

Hello John

Empty your temp folders using TFC (Temporary File Cleaner)

Please download TFC by Old Timer and save it to your desktop. (alternate download link)
Save any unsaved work. (TFC will close ALL open programs including your browser!)
Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

Run Symantec again.

Q: Windows Protection Suite -- Can't remove with MBAM

First time poster here! I hope I'm in the right spot. Here is my dilemma...
So on my computer it looks like I have the Windows Protection Suite/Gala Search virus. The virus initially installed fake anti-virus programs which I was able to stop and remove. It also changed my search toolbar in Mozilla to redirect me to gala.com, which I was also able to remove. It still makes annoying pop-ups appear when I use the internet and doesn't let me click on Google search links. I used my anti-virus programs to try and remove it but it seems it did not work. After running the program the first time, I rebooted and got a blue screen. I went into safe mode but it seems the virus tampered with multiple virus removal programs (I tried MBAM, McAfee and SUPERAntiSpyware) but it seems that the virus removed parts of these programs so I couldn't use them. I had to use system restore to reboot from a previous date and reinstall MBAM. After using that and following an online tutorial to remove it, I thought I was in the clear. I was able to search the internet for about 20 minutes without the pop-ups and redirecting links via Google. I tried running MBAM and it does not find any of the virus, but I know it's still there. The programs that it installed when the virus first infected are gone, and I can't find any traces of it. I have Windows Vista operating system.

Thanks for any help you can give!

A:Windows Protection Suite -- Can't removed with MBAM

Hello, it appears we need to look deeper. You will need to run HJT/DDS. Please follow this guide: Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log. Let me know if it went OK.

2 more replies
Answer Match 52.08%

Hi Y'all,

I just removed the Data Protection rogue antivirus malware from one of my computers and it took forever. I am pretty sure it was "Data Protection". Now the computer is clean but IE and Google Chrome can't get to the internet. I am able to download software updates and other software is able to access the internet (I see email notifications popping up). Anyone know how to get them back to normal without reinstalling anything?

Thanks,
Jeff

A:Data Protection Removed but IE and Chrome not working

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to comp... Read more

1 more replies
Answer Match 52.08%

Hey!

First of all -- Thanks in advance for the assistance! This site, and those you who help those of us, are truly a community resource

So, I've recently removed Privacy Protection and another (forget the name) piece of malware that had the same strategy as Privacy Protection (to pop up fake scans etc.). Those are gone but I'm still getting browser redirects.
Thanks again for the help!

Travis

A:Removed Privacy Protection - Still getting browser redirects

Hello,
Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.
Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.
If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
Orange Blossom

28 more replies
Answer Match 51.24%

Hi all and thanks in advance.
 
I was infected with Smart Guard, I removed it per the instruction here (rkill then malwarebytes).  Smart guard appears to be removed but now my browsers randomly crash. 
 
I ran a second scan with Malwarebytes and it does not find any infections.  I tried to rerun rkill and it seems to hang once it reaches the "miscellaneous checks" 
 
What's the next step?
 
Doug

A:Smart Guard Protection removed, now browsers crash

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
 
 
STEP 1
 
 
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the remo... Read more

15 more replies
Answer Match 50.4%

Yesterday I came across the Windows Protection Suite and I removed this using MalwareBytes. The popups are now gone but my computer is very slow and I cannot access gmail - IE and Mozilla both redirect to a search provider. All other sites seem fine.

Below is the DDS.txt log along with the attached attach.txt file. When trying to run the gmer app the scan runs for approx 45 mins and eventually I get a blue screen to say there is a problem with the aujasnkj.sys file and the computer needs to be shut down. Due to this I cannot save down the relevant ark.txt file. Please let me know if there is something else I can try


DDS (Ver_09-07-30.01) - NTFSx86
Run by Sarah at 16:10:22.05 on 28/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.92 [GMT 1:00]

AV: Windows Protection Suite *On-access scanning enabled* (Updated) {B7380FC0-8E74-4AA2-BE54-61322A56B894}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Windows Protection Suite *enabled* {C2E28628-95E4-4414-8BA8-5AAA2ABB62A0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common... Read more

A:Removed Windows Protection Suite but computer now crawling and cannot access gmail

Got the ark.txt file using RootRepeal. Hope this is of some use

2 more replies
Answer Match 49.98%

Hello,
AVG detected a virus on my computer, which was quarantined and deleted. Just to be safe, I ran Malwarebytes, which found two Rootkit.0 Access files. It gave me the option to remove them, so I did.

An hour or so later, the computer randomly shut down (which may or may not be related to the viruses, our computer doesn't have a lot of memory). Is there anything else I need to do to make sure that the virus, rootkits, or anything else are no longer infecting the computer?

Thanks.

A:Removed Rootkit - What next?

Hello and Welcome to Bleeping Computer!!
My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more

22 more replies
Answer Match 49.56%

Today I began to suspect I had some serious viruses/spyware on my computer. Whatever it was, it wasn't allowing me to run any virus scans. So I restarted my computer in safe mode and was able to run a complete scan with SuperAntiSpyware. After removing about 50 things, it asked me to reboot my computer.

Upon rebooting the computer, I received a message that Data Execution Prevention had prevented the Userinit Logon Application, and after I closed that message, I was faced with just a black screen. I wasn't able to find any way to load Windows Explorer or anything else.

I have tried rebooting in both Safe Mode and in Directory Services Restore mode but in both cases, I'm told that windows failed to start.

With my other computer I downloaded PC Regedit and burnt it to a CD, and booted my computer from that disc. I was able to check the registry entry for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\C:\WINDOWS\system32\userinit.exe, and it appeared to be present and valid.

I don't know what else to do... I've reached the limit of my own knowledge. Please, can someone suggest a fix for this other than reformatting my computer?

A:Removed viruses and now Data Execution Protection blocks Userinit Logon Application!

If you cannot bootup normally, cannot transfer required tools to the infected machine and cannot download anything while in safe mode, then your options are limited to what security tools you have on your computer. If those tools do not work, then your options become even more limited.

Have you tried using System Restore from a command prompt in Safe Mode to return to a previous state before your problems began?

If that doesn't work, these are links to Anti-virus vendors that offer free LiveCD or Rescue CD utilities that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.

Avira AntiVir Rescue System - Tutorial for Avira Rescue CD.
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Support Forum.
Dr Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
F-Secure Rescue CD - Current version download & Rescue CD User's Guide.
Video: How to Remove Malware with F-Secure Rescue CD
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum.
BitDefender LiveCD - Index of /rescue_cd
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum.
Kaspersky RescueDisk - Index of /de... Read more

1 more replies
Answer Match 49.56%

Hello Everyone!!!

I am an avid reader of this professionally run and highly regarded site. I aspire to its level of excellence. I am enjoying the speed and security that it has provided...And I want to keep it that way.....

As a novice, a little info just may be dangerous. RootKit awareness is now on the table and I am not exactly sure what it is. Malware that installs upon booting and thus avoids detection by many scans...?

I do all scans, if possible, in "Safe" mode which I have come to understand, helps in this fashion. But I believe there are specifically designed "scans" that address this specific issue.

RootKit Revealer v1.71 (231KB) by Microsoft??? appears to do this. Is this a good program for such. It does NOT seem to be "bloated" and I'm not so sure if it "installs" anything which is preferable.

This program apparently "detects" malware but does it also eliminate it? I prefer ones that do both because I do not know what to do with the results if there is no solution

Is there a "protection" of this genre of malware...or does it just fall into general active protection. It seems the thrust here is "where" the malware decides to "hide".

I am looking for "just another brick" in the wall" for the protection of the computer. Let's face it...WHERE you go is the determining factor here

Thank all of you and have a happy and healthy holiday... Read more

A:"rootkit"--protection And/or Detection

Interpreting the scan results of this tool would require a knowledge well above that of the average user. For more info read the article in this link: http://www.microsoft.com/technet/sysintern...itRevealer.mspx
--------------------------------------------------------------------------------
http://www.techweb.com/showArticle.jhtml;j...cleID=196603916
Rustock Trojan A Model For Future Threats
By Gregg Keizer
The tactics used by a sophisticated threat of 2006 will become staples in exploits during the year to come, a security researcher said Wednesday. That threat, dubbed "Rustock" by Symantec, is a family of backdoor Trojan horses that first appeared nearly a year ago, says Patrick Martin, a senior product manager with the Cupertino, Calif., company's security response team. "The techniques that [Rustock] is using will be the baseline for threats in the future," Martin says. "Attackers are looking around to see what techniques are working, then incorporating them. [Things] like this are the threats of the future." Among Rustock's distinguishing characteristics are its heavy reliance on advanced rootkit technologies to hide from security software and its changeling-like ability to morph itself each time it infects a file.

3 more replies
Answer Match 49.56%

I noticed that the family computer was running slow. Starting to clean it up. I am stuck with "Hacktool.Rootkit" that Norton Internet Security can not remove. I have followed what Symantec suggests. I have done full scans in Normal and Safe mode without success.

OS: Windows XP Pro SP2

Files reported in the Hacktool.Rootkit

c:\windows\system32\drivers\phqghume.sys
c:\windows\system32\drivers\cpbhwyky.sys

Thanks for the help.
 

More replies
Answer Match 49.56%

Got a laptop that had various infections including an alleged rootkit. Using aswMBR I was able to capture and remove but am still having an issue with slow startup and a single block in Defraggler that reports a different number every time even after defragging the HDD. Used several standard tools but still not quite sure it's fully cleaned yet.

DDS.txt report:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.5.1
Run by Adm at 22:52:46 on 2012-08-02
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.1982.707 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32 ... Read more

A:Rootkit reported and removed?

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/463643 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

18 more replies
Answer Match 49.56%

Avast keeps finding rootkit mbr:\\.\physicaldrive0\partition3 (rootkit name MBR:SST [Rtk]) but it returns even after being deleted.  I'm not sure how to remove it completely.  Any help would be greatly appreciated!

A:Rootkit found but can't be removed

Greetings and welcome to BleepingComputer,
My name is xXToffeeXx, but feel free to call me Toffee if it is easier for you. I will be helping you with your malware problems.
 
A few points to cover before we start:
Do not run any tools without being instructed to as this makes my job much harder in trying to figure out what you have done.
Make sure to read my instructions fully before attempting a step.
If you have problems or questions with any of the steps, feel free to ask me. I will be happy to answer any questions you have.
Please follow the topic by clicking on the "Follow this topic" button, and make sure a tick is in the "receive notifications" and is set to "Instantly". Any replies should be made in this topic by clicking the "Reply to this topic" button.
Important information in my posts will often be in bold, make sure to take note of these.
I will attempt to reply as soon as possible, and normally within 24 hours of your reply. If this is not possible or I have a delay then I will let you know.
I will bump a topic after 3 days of no activity, and then will give you another 2 days to reply before a topic is closed. If you need more time than this please let me know.
Let's get going now
==========================
 
Hi rjrossi88,
Please download TDSSKiller from here and save it to your Desktop
Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters
 
 
Check Loaded Modules, Verify Driver Digital Signature, and Detect TDLFS fi... Read more

38 more replies
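An added example, not the poster's data and not code from avast or TDSSKiller: the alert above names a location (the MBR on physicaldrive0) and a partition number, which are the two things worth checking independently when a detection keeps coming back. The Python below parses a 512-byte MBR sector (the four partition entries and the 0x55AA signature), lists the partitions so "partition3" can be matched to an LBA range, and compares a SHA-256 of the 440 bytes of boot code against a digest recorded when the disk was last known clean. The sector contents, the three-partition layout and the digests are all constructed for the example.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: the boot code an MBR bootkit overwrites
TABLE_OFFSET = 446         # four 16-byte partition entries follow the disk signature
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


@dataclass
class Partition:
    index: int             # 1-based, so it lines up with names like "partition3"
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def lba_end(self) -> int:
        return self.lba_start + self.sectors - 1


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype == 0 and count == 0:
            continue                       # empty slot
        parts.append(Partition(i + 1, status == 0x80, ptype, lba, count))
    return parts


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 over the boot code only; partition-table edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def mbr_changed(sector: bytes, baseline_digest: str) -> bool:
    """True when the boot code differs from a digest recorded while the disk was clean."""
    return boot_code_digest(sector) != baseline_digest


def build_mbr(boot_code: bytes, table) -> bytes:
    """Assemble a constructed MBR for this example (not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    sector[440:444] = b"\x12\x34\x56\x78"          # NT disk signature, arbitrary value
    for i, (bootable, ptype, lba, count) in enumerate(table):
        off = TABLE_OFFSET + 16 * i
        sector[off:off + 16] = struct.pack(
            ENTRY_FMT, 0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


# Constructed three-partition layout (NTFS type 0x07), assumed for the example.
SAMPLE_TABLE = [
    (True,  0x07, 2048,     204800),     # partition 1: active system partition
    (False, 0x07, 206848,   41943040),   # partition 2
    (False, 0x07, 42149888, 1048576),    # partition 3: the slot the alert named
]

# A baseline taken "when clean" versus the same table with rewritten boot code.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", SAMPLE_TABLE)
CLEAN_DIGEST = boot_code_digest(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xeb\x3c\x90\xde\xad\xbe\xef", SAMPLE_TABLE)

if __name__ == "__main__":
    for p in parse_mbr(TAMPERED_MBR):
        print(f"partition{p.index}: type 0x{p.type_id:02x} LBA {p.lba_start}-{p.lba_end} "
              f"bootable={p.bootable}")
    print("boot code changed since baseline:", mbr_changed(TAMPERED_MBR, CLEAN_DIGEST))
```

To use it on a real disk, read the first 512 bytes of the raw device (`\\.\PhysicalDrive0` from an elevated prompt on Windows, `/dev/sda` on a Linux rescue system) and pass them to `parse_mbr` and `mbr_changed`. Take both the baseline and the later read from a rescue CD rather than from the booted Windows: kernel-resident bootkits commonly hook the disk driver stack and hand a clean copy of the sector to anything reading it from inside the infected OS, which is one reason a desktop scanner can report a removal that does not survive a reboot. A boot-code mismatch is a reason to run a dedicated rootkit scanner (as the reply's TDSSKiller step does) and, failing that, an offline rescue-CD scan, not a diagnosis by itself: a legitimate startup repair or bootloader reinstall rewrites those same bytes.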
Answer Match 49.56%

Malwarebytes detected 2 rootkit.agent files and they seem to be removed although Firefox 4 still seems to be sluggish. Does anybody see anything out of the ordinary, and are there any applications/programs that I should/can delete from this? Diagnosis would be kindly appreciated and rewarded....you guys are good!

Logfile of HijackThis v1.99.1
Scan saved at 7:12:06 PM, on 3/31/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Soluto\SolutoService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec Ant... Read more

More replies
Answer Match 49.56%

Hi,

I have XP Pro SP3 running on a raid 0 in a self made desktop.

I would like to remove as much malware as possible from my drives, then use the
drives offline to preserve them for use of the software they contain. I then plan
to use ubuntu on a separate HD for all future internet activity and simply do a
clean install from time to time when necessary.

HISTORY

I was running Malwarebytes Anti-Malware when the PC rebooted itself. After
entering the password for the bios boot I got a black screen with a blinking cursor.

I found a free HP XP SP2 boot CD iso online. With it I recreated my previous
logon with the same password and gave myself, as before, administrator privilege.
I loaded my former files now under (user). I copied them over to my new account
and deleted the originals.

Next I found a free Kaspersky rescue CD iso. It removed a root kit after which I
was able to reboot from the hard drives again.

I ran AVG, Malwarebytes Anti-Malware, CCleaner, ATF-Cleaner, Spybot, and finally
Spyware Doctor (for the report). I removed the infections found by Spyware Doctor
manually with regedit.

CURRENT PROBLEM

I still have a redirect problem with Google. It seems to be worse on Firefox
than with IE but happens with other search engines as well. A search brings up a
normal list of sites but clicking on a site brings up a redirect to a sales site
that is related to the topic of the search. A work around is to click the cached
option which doesn't redirect.

I... Read more

A:removed a rootkit and need help cleaning up

Since last post:

I removed yontoo layers client from program files. I will put it back.
AVG found over a thousand registry errors. But I left them for now.
secunia had me update the following: Adobe reader,install_flash_player(_ax), QuickTime
I removed AVG and installed microsoft security essentials.
I am running a 3 day trial of Emsisoft Anti-Malware
I ran Trend Housecall
I ran McAfee Stinger standalone

These found some files and removed them but redirect behavior remains.

I found the following site* (I had to use the cached entry, it is long) and followed these directions:

Please click on Start, Run.
Type devmgmt.msc and Click on OK.
This will run Device Manager.
In Device Manager, click on View, Show Hidden Devices.
Please expand all the devices by click on the Plus sign.
Now try to find TDSSserv.sys and right click Disable.
Please make sure that you do not select the Un-Install option otherwise infection will be back once you reboot your computer.
After disabling the TDSSserv.sys, please download a Spyware Remover and remove Google redirect Virus completely from your system.

So under DEVICE MANAGER the only applicable entry was Non-Plug and Play Drivers

Here is the list (TDSSserv.sys is not there, but perhaps the culprit will be obvious to someone on this forum).

1394 ARP Client Protocol
Ad-Watch Connect Kernal Filter
AEGIS Protocol(IEEE 802.1x)v3.2.0.3
AFD
AFGSp50 NDIS Protocol Driver
a-squared Malware-IDS utility driver
AWINDIS5 Protocol Driver... Read more

3 more replies
Answer Match 49.56%

First post, need help with possible malicious rootkit removal.

Win XP Pro SP2

Infected with Antimalware Doctor Friday afternoon.
Ran Malwarebyte's Anti-Malware - got rid of most everything except:

Repeated scans report:
"C:\Windows\system32\drivers\znyrb.sys (Trojan.Rootkit) -> Delete on reboot"
Reboot system and re-run scan, returns same result

Ran Sophos ARK
Reports:
Unknown hidden file - "C:\Windows\system32\drivers\znyrb.sys"
Removable - Yes (but clean up not recommended for this file)

How to proceed?

A:rootkit reported, but not removed

Try this: http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

1 more replies
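An added example that is not part of either post and not code from Norton, Malwarebytes or Sophos: the driver names in the Hacktool.Rootkit post (phqghume.sys, cpbhwyky.sys) and in the Trojan.Rootkit post above (znyrb.sys) share a trait that drivers shipped by Microsoft or hardware vendors almost never have, a short all-lowercase stem that is not pronounceable. The Python below scores driver paths copied out of a DDS- or HijackThis-style listing against that trait. The sample paths and the small allowlist are constructed for the example; in real use the allowlist should be built from a clean install of the same Windows version, and a hit is a reason to check the file's digital signature and hash, not proof of infection.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the driver paths quoted in the two posts above, mixed with
# legitimate Windows XP drivers for contrast. Not taken from any real log.
SAMPLE_PATHS = [
    r"c:\windows\system32\drivers\phqghume.sys",
    r"c:\windows\system32\drivers\cpbhwyky.sys",
    r"C:\Windows\system32\drivers\znyrb.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\fltmgr.sys",
    r"C:\WINDOWS\system32\drivers\mrxsmb.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\serial.sys",
    r"C:\WINDOWS\system32\drivers\i8042prt.sys",
]

# Assumption: an allowlist of driver stems taken from a clean reference install.
# This hand-written set is illustrative only; legitimate stems such as fltmgr
# and mrxsmb would otherwise trip the consonant-run test below.
KNOWN_GOOD = {
    "tcpip", "fltmgr", "mrxsmb", "ntfs", "afd", "ndis", "disk", "http",
    "ksecdd", "volsnap", "partmgr", "mountmgr", "rdbss", "ipnat", "ipsec",
}

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")   # y is treated as a consonant


def longest_consonant_run(stem: str) -> int:
    return max((len(run) for run in CONSONANT_RUN.findall(stem)), default=0)


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated driver names.

    Flags a stem of 5..8 lowercase letters that is not allowlisted and is
    either vowel-free or contains a run of four or more consonants. Short
    stems (afd, ntfs) and names with digits or mixed case are left alone.
    """
    if stem in KNOWN_GOOD:
        return False
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    vowel_count = sum(c in VOWELS for c in stem)
    return vowel_count == 0 or longest_consonant_run(stem) >= 4


def suspicious_drivers(paths):
    """Return the .sys file names (lowercased) whose stem looks random."""
    hits = []
    for raw in paths:
        path = PureWindowsPath(raw)
        if path.suffix.lower() != ".sys":
            continue
        if looks_random(path.stem.lower()):
            hits.append(path.name.lower())
    return hits


if __name__ == "__main__":
    for name in suspicious_drivers(SAMPLE_PATHS):
        print("verify signature and hash of:", name)
```

Feed it the driver lines from your own log (the `Running Processes` block of a DDS log or the driver list from the Device Manager post further up). Because many genuine Microsoft drivers are also vowel-poor abbreviations, the allowlist does the real work; the name test only narrows the list of files to pull hashes and signatures for.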
Answer Match 49.56%

Hey guys, I removed a ZA Rootkit from my friends machine, and I wanted to make sure it was COMPLETELY removed. Please let me know if you need anything else besides the logs I have posted.
DDS
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 11.0.9600.16518 BrowserJavaVersion: 10.51.2
Run by Administrator at 13:55:28 on 2014-03-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.2013.1005 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ================
.
C:\PROGRA~1\AVG\AVG2014\avgrsx.exe
C:\Program Files\AVG\AVG2014\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\AVG\AVG2014\avgfws.exe
C:\Program Files\AVG\AVG2014\avgidsagent.exe
C:\Program Files\AVG\AVG2014\avgwdsvc.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe
C:\Windows\system32\HPSIsvc.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\Intel Matrix Storage Manage... Read more

A:Making sure ZA Rootkit was 100% removed

16 more replies
Answer Match 49.56%

Well this is my first time posting in these forums and it is because I have a problem that I just can't seem to fix. Maybe you guys will know what the deal is. So I noticed I was probably infected with a rootkit when my Google searches were leading me to random advertisements so I ran a scan with AVG free edition and turns out there was a rootkit. So I cured it and it was removed. But then (and still now) I cannot open up Google, Bing, or do any Google related searches or services such as Gmail, etc. More troubling than this is the fact that I can't even run Google Chrome at all. So I've run a bunch of other rootkit scans with multiple programs and it says there are none detected. So how can it be that I'm still having symptoms without there being a rootkit? I am in need of assistance asap so please if you have any idea of what is going on I would be very thankful for the help.

Sorry, I forgot to post the DDS log.

DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Joaquin at 16:00:57 on 2011-07-29
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.7991.5668 [GMT -7:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfe... Read more

A:Removed Rootkit problem

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

3 more replies
Answer Match 49.56%

I am running Windows XP SP3 and Norton AntiVirus. I am also using Windows Firewall.

While I was in the internet recently, Norton AntiVirus told me that it had found Hacktool.Rootkit which it claimed to have fixed. I restarted the computer as instructed and ran a full virus scan which found the same virus and told me the problem was resolved with no further action necessary. The infected file was:-

C:\Documents and Settings\myprofile\Local Settings\temp\oflpydin.sys

The same infected file was also found in my husband’s profile.

I have run the full Norton scan several times since (making sure that all the Norton defaults were in force and disabling System Restore) and it has found nothing.

There are no obvious problems with the PC (eg running speed is OK, there are no popups and I seem to be able to access all my files including hidden files.)

I hope that I am being paranoid, but is there anything else I should do to make sure that this virus has been completely removed and that nothing else entered at the same time?

If I run an online Rootkit detector such as Blacklight, do I need to disable Norton first, as I am not happy about being online without protection?

And are there any steps I should be taking to make sure that Rootkits cannot get back into my system? I've read the General Security section of the Forum and I think that I'm following the advice there.

This is the first virus I have encountered and I want to make sure that I am not leaving my PC... Read more

More replies
Answer Match 49.56%

Hi, can someone have a look at my HijackThis log and tell me if I can remove all the file missing entries and if there are any signs of further infection. Running Win 7 64 bit with Webroot antivirus and Spy Sweeper + Symantec antivirus 2010 + Malwarebytes free + Spybot S & D + Avenger + HijackThis. (Yes I know, but I wanted to be sure.)
EDIT: I am now sure that I have some level of infection. 2 more scans have brought up this virus http://securityresponse.symantec.com/secur...-99&tabid=3 though there seems to be about 6 hours between infections because I also have clean scans.
Thanks in advance for any help you can give.

A:Hacktool rootkit removed. I think???

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems. I will be working on your malware issues; this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen. Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one. You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you... Read more

30 more replies

Hey, I run Windows XP Pro and just today my Norton has told me that it has detected a virus called "Hacktool.Rootkit". My virus definitions are updated regularly and I have also virus scanned my PC after Norton told me of this high threat virus. Unfortunately it hasn't been deleted and Norton has once again told me of the problem... can someone shed some light on how I can get rid of this thing please??
 

A:Hacktool.Rootkit...what is it, how is it removed???

To use RootKit Revealer please make sure you are logged in as an Administrator to the computer.
Please download and unzip Rootkit Revealer to your desktop.
Please leave the defaults set as they are to:
Hide NTFS Metadata Files: this option is on by default
Scan Registry: this option is on by default.

Launch rootkit revealer on the system and press the Scan button.
RootkitRevealer scans the system, reporting its actions in a status area at the bottom of its window and noting discrepancies in the output list. It may take a long time; please disconnect from the internet and leave the PC to be scanned until it is finished.
The log can be very large; please edit out the items in the following folders in the log: C:\RECYCLER\NPROTECT and C:\System Volume Information, if in the log, before posting it.
Please post the balance of the log here in this thread using Add Reply (please double check that it has all been posted as it may be too long for one post).
Then download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
leave [X]scan through windows explorer checked,
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legitimate items can also be present there... like "wbemtest.exe"
There must be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numb... Read more

1 more replies

I've run Malwarebytes, removed infections, rebooted, re-ran Malwarebytes and have just one item - Rootkit.Trace

Can this be removed? After reading the forums it seems a reformat is my best bet? I work from home and this is my primary business computer so reformatting will be a huge task, however, I want to ensure it's gone. Also, if I do reformat, will I need to worry about back up files and documents that I reinstall causing a reinfection?

Thanks for your help!

A:Rootkit.Trace - Can it be removed?

For rootkits, reformatting is the only 100% way to know something is gone. I recommend moving to the HJT forum for best cleaning results. That team uses advanced removal software that can only be used under the supervision of an expert. Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far. If you need any help with the guide, please let me know.

2 more replies

Hi,

Recently I accidentally clicked on a link to a phishing site and didn't realize till after the fact that my phishing filter was turned off. The site instantly started downloading malware to my computer. I tried to manually stop it but as you probably know it was already too late. The false pop-ups started scrolling saying that my system was under attack and that I needed to purchase software to remove the infection. I realized what was going on and ran a scan with Malwarebytes immediately. It found 9 infections and removed them. The bogus pop-ups stopped popping up and disappeared.

I thought all was well but then when I used Google, the links started redirecting me to unwanted and unwarranted sites. It didn't always happen but when it did the same message was displayed at the bottom of the screen... "waiting for webpage http:// tru01dms3.com" along with various extensions which did the redirecting. I updated and ran AVG Free 9.0 and Malwarebytes. Both said my system was clean. I also ran Glary Utilities (not an anti-virus tool) just to clean my registry. I deleted all of my temporary internet files and cookies. I even upgraded to IE8 and all to no avail.

Luckily I found these forums and without even posting my problem, I found enough information here to take care of it. I was infected with a TDSS Rootkit. I downloaded TDSSKiller and it made short work of the infection. Everything seems to be fine now. I just have one question.

Before I removed th... Read more

A:TDSS Rootkit removed

follow advice here and post the logs those programs make in your next reply to this topic
 

1 more replies

I have a client who complained about a slow computer. TCPView revealed hundreds of Internet connections using svhost.exe. Noted that there were numerous Application Error dialog boxes that would pop up stating wmiprvse.exe "The instruction at 0x7c910cce referenced memory at 0x002e002e. The memory could not be read." Booted into Safe Mode with networking and started Process Explorer. Getting the same "memory could not be read" error messages from applications axwin frame window, wmiprvse, and 5Ua4j6gp.exe located in Docs&Set/All Users/Application Data. Also, viewing Process Explorer, noticed Internet connections being made by Internet Explorer, but IE was starting as a service NOT an application. Reviewed TCP/IP connections, of which there were numerous. All this was while in Safe Mode with networking.

I did the following: Ran Symantec virus scan from a Symantec boot CD... results - nothing detected. Installed Malwarebytes and ran scan... results - found 6 infections. Installed SpyBot. Ran SpyBot scan... results - found 20 infections. Installed and ran SuperAntiSpyware... results - found 113 infections. Ran ComboFix in Safe Mode. It detects rootkit activity... then reboots. Even so, wmiprvse.exe memory instruction errors appeared numerous times even after ComboFix detected the rootkit and rebooted to Safe Mode. Attached is the ComboFix log.

A:Rootkit Detected but not removed...HELP!!

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem. Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report. Please downloa... Read more

2 more replies

Was infected with AV Protection 2011 which was causing false 'infection' (firefox.exe is infected and running of application is impossible) messages and prompting me to purchase a virus protection program. Have run RKill, MalwareBytes and Webroot. All were unsuccessful. Left computer off overnight and upon reboot in Normal Mode this morning was not able to run any applications at all except IE, which was 'not responding' after the window opened. Rebooted in Safe Mode and was able to complete the steps in the Preparation Guide. Followed all instructions in the guide, ran into problems with the GMER (not sure if I have 64-bit, but very likely): the Rootkit/Malware tab does not let me select anything except Services, Registry, files, c:\ and ADS. When the scan completed it says "GMER hasn't found any system modifications".
.
DDS (Ver_2011-08-26.01) - NTFSAMD64 NETWORK
Internet Explorer: 8.0.7601.17514
BrowserJavaVersion: 1.6.0_26
Run by IvieSeale at 11:40:41 on 2011-11-23
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.5992.4889 [GMT -6:00]
.
AV: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {53211D91-0C31-95F2-E3A5-7661FB22889E}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Spyware Doctor *Enabled/Outdated* {94076BB2-F3DA-227F-9A1E-F060FF73600F}
SP: Webroot AntiVirus with Spy Sweeper *Enabled/Updated* {E840FC75-2A0B-9A7C-D915-4D1380A5C223}
.
=======... Read more

A:Infected with AV Protection 2011, possible rootkit

Hi,If help still needed re-run DDS. Make sure that notepad has word wrap disabled to get logs in readable format, please.

15 more replies

I have NOD32 for AV. I'd like to have a layered approach. I have Spybot S+D, and Spyware Blaster.

Now for something for the rootkits.
Thanks in advance.
 

A:What is best free anti rootkit protection?

Hi,
A well written review at this independent review site, I hope it's of use:
http://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm

Richard
 

2 more replies

This virus is a real pain. I run Task Manager when I log on and immediately open the file locations of several "random.exe" processes and end the process trees.
I also went into Internet Options and disabled the use of a proxy. For some reason Internet Explorer will work but Firefox still won't. How can I completely remove this?

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:50:55 PM, on 11/24/2011
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Safe mode

Running processes:
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (... Read more

A:Privacy Protection virus with rootkit log

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429222 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

16 more replies

I got given a netbook to fix by a friend. Obviously it has no CD drive, and my USB one refuses to play ball with it. Have tried some of the utilities to make bootable USBs but they don't seem to work on it either. Problem was the usual: cannot get to the pages you want, constantly diverting etc. So, I ran Malwarebytes, Spybot, and in desperation Ad-Aware. Plenty of things removed but the underlying problem remained. Eventually I decided, as a last resort before taking the hard drive out and attempting to restore it from another PC, to install Kaspersky antivirus, which has worked miracles for me in the past. However, Kaspersky kept detecting a rootkit (win32.tdss.y in atapi.sys) which it would try to remove, reboot and then find again. After trying Sophos rootkit remover (found 2 in temporary guest files) the problem still persisted. I then ran ComboFix (I see now I shouldn't have, but unfortunately I didn't see those warnings till after). Anyway, the PC is now working fine, except for the junk under the keys stopping me pressing them, so here are the logs if one of you would be so kind as to take a look for me:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Guest User at 23:13:17.09 on 10/04/2010
Internet Explorer: 7.0.5730.13

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Ka... Read more

A:Rootkit not removed by kaspersky (tdss?)

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues! If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together. I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your ... Read more

2 more replies

I have a client computer (Windows 7 Pro) that had (has) a real bad rootkit(s)
(Trojan: DOS/Alureon.A and Rootkit.Boot.Pihar).
I believe (believe being the key word) I was able to remove it with a combination of TDSSKiller, Malwarebytes and ComboFix. But now after the cleanup I am still noticing things that are not right.

When I run Malwarebytes (fresh install) to make sure nothing is still detected, it ran for over 8 hours. This whole time window Malwarebytes scanned the same hidden folder, showing millions of files in this one directory (all .js and .com files).

If I run Microsoft Security Essentials, it now runs forever; I shut it down after 15 hours and it too scanned just shy of 2 million files in this same hidden folder. (C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z1YZNYIO)

This is one of the file names: plusoneCAQ5MLFB.js
Enclosed is a screen shot of the folder path from Microsoft Security Essentials.

Attachment: MSE Scan_15 hours.jpg
I can't find this hidden folder by showing hidden folders, unhiding protected OS files, or by typing the path directly into Explorer.

Also noticing that when you try to go to boot options or BIOS (when the computer boots), the keyboard lights come on when the computer starts, but when I push F2, F8 or F12 for the boot options window to come up, the keyboard lights go out and you cannot access BIO... Read more

A:Infected with Rootkit - Removed but computer still not right

Hello Fubr, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely. I have spent my time to put together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", th... Read more

51 more replies

I saw there is another post about this problem. I have a computer that when booted would say you are Infected. I ran ComboFix which appeared to remove the problem. Malwarebytes also found and removed a few things. Everything appeared good on the surface until I tried updating the computer and updating Microsoft Security Essentials. When I run ComboFix it says it has detected rootkit activity and needs to reboot. After it reboots it finds nothing. I have tried everything; TDSSKiller finds a problem in the MBR and removes it but upon reboot, same problem. This is crazy... Any ideas..

A:Removed RootKit but can't get window update

Hello, Please follow the instructions in ==>This Guide<== starting at step 6. Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them. If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why, and include the ComboFix log along with a description of your computer issues.

Orange Blossom

1 more replies

I removed some kind of Rootkit with Combofix (which I ran twice), but now DNS isn't working in any applications. I got DNS to work in nslookup after repairing the connection, but if I ping or use a browser nothing resolves. Does anyone have any idea how to fix this? Thanks!

A:Rootkit removed by Combofix, now DNS problem

If you are dealing with a malware infection, please be aware that using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination of whether using ComboFix is necessary. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware, which scan individual drives or different folders on a computer for viruses. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

Since you already ran ComboFix, it should have saved a log to the root directory, usually C:\ComboFix.txt. Reviewing that log will be helpful in resolving your issue, but ComboFix logs are not permitted in this forum. Please read the "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". When you have done that, post the required logs, to include your ComboFix log, in that forum, NOT here, for assistance by the Malware Response Team Experts.

2 more replies

Here are the logs from DDS and GMER. I think I am clean but need a second opinion. Had AVG 2012, Adobe Reader, Flash and Java (will replace when clean with newer downloads).
Thanks in advance for all help,
Tim

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Tim at 20:14:41 on 2012-02-01
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1488 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Sony Shared\WMPlug... Read more

A:am i clean? removed rootkit and trojans.

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. Do not run any other tool until instructed to do so! Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this). Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<. Combofix may need to reboot your computer more than once to do its job; this is normal. You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

3 more replies

I removed some kind of Rootkit with Combofix (which I ran twice), but now DNS isn't working in any applications. I got DNS to work in nslookup after repairing the connection, but if I ping or use a browser nothing resolves. Does anyone have any idea how to fix this? Below is my Combofix log. Thanks.

ComboFix 11-09-19.01 - Sean T 09/19/2011 9:35.11.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1499 [GMT -7:00]
Running from: c:\documents and settings\Sean T\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((( Files Created from 2011-08-19 to 2011-09-19 )))))))))))))))))))))))))))))))
.
.
2011-09-19 16:07 . 2008-08-21 12:00 138112 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-19 00:23 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C98ED94E-DF6D-4BB1-A534-B79A597E4A9A}\mpengine.dll
2011-09-17 02:06 . 2011-09-17 02:06 -------- d-----w- c:\documents and settings\Sean T\Local Settings\Application Data\HighAndes
2011-09-17 02:06 . 2011-09-17 02:06 -------- d-----w- c:\documents and settings\Sean T\Application Data\HighAndes
2011-09-17 02:06 . 2011-09-17 02:0... Read more

A:Rootkit removed by Combofix, now DNS problem

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you. If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Remove the proxy settings.
In Internet Explorer go to Tools - Internet Options - Connections Tab - Lan Settings and remove the reference to 127.0.0.1:61414 if found, then uncheck "Use a proxy server" and check "Automatically detect settings".
===
If you use Firefox, in Tools Menu > Options... > Advanced Tab > Network Tab > Connection > Settings, select the Auto-detect proxy settings for this network option.
===
Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.
Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool. When done, DDS will open two (2) logs: DDS.txt Attach.txt
Save both reports to your desktop.
Please just paste the contents of the DDS.txt log in your next post.
===
Third party programs, if not up to date, can be the cause of infiltration of an infection.
Please run this security check for my review.
Download Security Check by screen317 from here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
Please... Read more

2 more replies

The other day I ran an MBAM scan. I noticed less than a week ago that another member of the household (who really should know better) had visited p--n sites. A few days after, the taskbar exploded with a whole bunch of programs. It was as if all of the system tray and background programs suddenly had active windows. (I thought I was just being butterfingers and had accidentally hit the wrong combo of keys. I have a special knack for that, especially since the left-side ctrl key sticks occasionally.) But maybe it was something else...? No other symptoms.

MBAM said I had a rootkit called TDSS. Specifically, it said:
Malware.Trace
Rootkit.TDSS
Disabled.SecurityCenter
Disabled.SecurityCenter (this was listed twice)

What I Have Done
I opened the Windows Security Center and it appeared to be functioning normally, but I am learning that very little can be trusted if I truly have a rootkit on my system. I visited bleepingcomputer to see what I should do. Printed guidelines. I downloaded fresh copies of DDS and RootRepeal and renamed them. I pulled the cord on the internet and uninstalled several programs. Some were old security scanners which I feared were no longer trustworthy. Some were just old programs that I rarely used. I also cleared out files in the temp folder (C:\Documents and Settings\Compaq_Owner\Local Settings\Temp) except IadHide5.dll which said it was in use. I ran MBAM again and let it do its thing. Reboot and ran it again. MBAM doesn't show anything anymor... Read more

A:MBAM removed Rootkit.TDSS

Please post the RootRepeal log.

1 more replies

The problem is with my wife's computer so I'm not 100 percent familiar with her specs, but she's running Windows XP Home edition on a Gateway 450ROG. The issues first started when her McAfee subscription ended a month or two ago. I get the software through work for free and I've had problems in the past updating an out-of-date subscription so I took a little while to get to it. Finally yesterday I got the McAfee install file and went through the process to reinstall it (without installing the old version - just wanted to see if that would work). Everything seemed normal but during the middle of that, something popped up about updating to the newest IE, so I went ahead and did that. Yes, I had McAfee and IE installing at the same time. Probably not the smartest thing I've ever done. When that was all done, I rebooted and it came up with my wife's wallpaper but no desktop icons or anything. I let it sit for a while thinking maybe it was just taking a while to finish with whatever it had been doing before but it never went anywhere from there. So that's problem number one. I ctrl-alt-del into task manager. From there I can see that "explorer.exe" isn't running so I manually start it and it comes up just fine. From there, I do a virus scan and it finds 8 problems. Six of those it fixes but 2 remain. One, called twext.exe, allows me to remove it so I do. The second is a file called "winlogon.exe" and it doesn't give me any option at all. So I reboot thinking I'll try another scan... Read more

A:Rootkit.TDSS detected but not removed

Well, it occurred to me this morning that perhaps when I ran regedit using the Bart disk, it was running from the CD and not the C drive. So I used the explorer function on the Bart CD to find regedit under the C drive and modified the userinit.exe file in that manner. Rebooted and whalla (is that spelled right?)!!! Boots to the desktop like it should and everything. Taking a quick look around, I don't think we're exactly back to normal yet. For one, I can't find the boot.ini file where I last left it and the boot.ini tab doesn't come up in msconfig. Right now I'm scanning with Spybot. It's not too far in but already found Win32Agent.pz. Anyway, I'll keep looking around and see what I can discover and update this thread accordingly. Any suggestions welcome, of course.

14 more replies
Answer Match 48.72%

Hello, I have encountered several trojans and had them removed, my concern is am I still infected? My PC seems to be working well, I am running Windows XP sp2, Zone Alarm Pro v7.0.462, Avast anti virus 4.7. My initial problem is posted here http://www.bleepingcomputer.com/forums/t/132791/paltalk-possible-rootkit-infection/. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:41 PM, on 2/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Active Ports\aports.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize... Read more

A:Trojan, Keylogger, Possible Rootkit Removed

Hello crono2323 and welcome to the BC HijackThis forum. I don't see any signs of viruses or malware in the log. It looks fine.

Cheers.

OT

3 more replies
Answer Match 48.72%

Sorry to bother you. A newbie, and I thought I had it licked by reading through the other posts, but every time I used Kaspersky it got to the point where it would want you to reboot and the file would still be there. I am running Windows XP Pro. Also my machine used to just boot up and start; now it stops with an Administrator and Guest choice(s) as loggers. Any help would be greatly appreciated. And I will follow instructions....previously had downloaded Malwarebytes which showed clean and the Combofix.
 

More replies
Answer Match 48.72%

Hello. A few hours ago Malware Bytes popped up informing me that it had blocked a Trojan from executing. Seconds after that, Windows asked me for permission to run two programs, which I denied (I did not catch the program names, sorry). I immediately ran scans with Malware Bytes, HouseCall, and Ad-Aware.

MBAM detected an item labeled Rootkit.ZeroAccess, found at c:\programdata\microsoft\windows\drm\4177.tmp. I selected to remove it, which required a restart and aborted the Ad-Aware scan (though AA did detect the same item, and I instructed AA to remove it as well). Computer restarted, and a black "Bootkit Setup" (I think) screen appeared saying it was removing a process found at the above path. Start up then resumed as normal (though Windows Update installed during the restart), and I ran scans with AA and MBAM again.

MB detected three objects, two called Trojan.Agent.EXPD1 and one Trojan.FakeMS. (Paths for Agent were C:\ProgramData\Microsoft\Windows\DRM\4176.tmp.dat and C:\Users\Giest\AppData\Local\Temp\BDBB.tmp while FakeMS was at C:\Windows\winsxs\x86_netfx-debugging_msdia70_b03f5f7f11d50a3a_6.1.7600.16385_none_a5658c87d101b1b3\diasymreader.dll). I selected to remove them and restarted the machine again.

Subsequent scans with MBAM show up as clean, and I'm not seeing any problems with my computer, but I understand that this is a tricky infection to deal with, an... Read more

A:Rootkit.Zero Access Fully Removed?

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462670 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Answer Match 48.72%

My laptop has been slowly dying over the past couple of days. Many stages/symptoms, too many to repeat here unless you give me guidance on what kind of information you're looking for. I installed and ran Malwarebytes and on the first run it only found about 8 items to be removed, but on running the second time it found over 600 items to remove - all basically looking related to some toolbar (sorry I can't remember the name but I've since lost the information I've had to kill my computer so many times now). When trying to remove those objects, the Malwarebytes died (and then I think my computer froze and I had to kill it). After running it again, it didn't find any more items to quarantine, but my laptop was dying even more. My wireless adapter wasn't running correctly, I was having trouble accessing the internet, my computer started freezing and I had to kill it manually a few times.

Eventually I got to the point where I couldn't log in on my username nor could I safely shut down. In safe mode, while logged in as Administrator, I inadvertently attempted to try some cleanup by running ComboFix before I caught the notice about not running before being told to. Since then I've seen the Prep guide and have run/obtained the following information. To note - while in safe mode, I lost the use of my keyboard (and ended up using the On Screen Keyboard to accomplish anything.

While running ComboFix it kept saying rootkit activity detected. Thou... Read more

A:rootkit activity detected but not removed

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator&#... Read more

2 more replies
Answer Match 48.72%

Found out I had a Trojan:JS/Redirector.JA while trying to troubleshoot IE9 browser problems. Another forum told me how to find/remove it (boot with Windows Defender on a USB stick) when all the other malware scanners failed to find anything, (Malwarebytes, Spybot, HitmanPro, and several others). This is not the same as the regular Windows Defender btw.

One of the symptoms was that Microsoft's Fixit kept saying DEP was disabled and it re-enabled it, but something kept immediately disabling it. Well now the rootkit is gone but Fixit still keeps finding/fixing the same problem.

So does anyone here have any ideas how to keep it enabled? I was thinking something in the registry must have gotten screwed up by the rootkit but I've run several registry fixes from CCleaner and others to no avail.

In case this helps anyone, the browser problems were such things as websites were taking way too long to load and the back button kept reloading the same current page without going back. Now, with that rootkit gone, websites load instantly and the back button works flawlessly. It was a Java exploit and it got in my computer before Sun issued a patch. I kept getting prompts from Sun to install the patch but when you clicked on it, the dialog box vanished so you didn't know if it worked or what. It also disabled Microsoft Security Essentials. When re-enabled MSE found dozens of "Exploit: Java/Blacole..." That's when I started running all the malware scanners and th... Read more

A:Trojan rootkit removed but now DEP won't enable

Have you had your malware logs analyzed by a trained malware expert and been given the all clean go ahead. If so by who and what forum, please. Or are you yourself a trained malware removal specialist. The reason I ask these questions is because, if you have not been deemed all clean, you could very well be wasting your time and the person helping you if you have remnants of malware lurking. It would be much better to know you are working on a fix for your issue without the potential for it not working because of malware.

2 more replies
Answer Match 48.72%

Hi thanks for the help

I have been helping friends and family remove malware and viruses for a long time but this is the first on removing a rootkit. I think I got the rootkit or rootkits removed but want to make sure before I work on the dns problem it also has.

What is strange is the computer will not connect to the internet (DNS errors) but I'm still getting bytes sent and received without even opening a browser. I'm talking anywhere from 5000 to 33000. This seems high and I'm thinking that something else is connecting and doing something at each boot.

Beside all the malware that malwarebytes and superantispyware removed, Kaspersky removed the following: virus.win32.zaccess.k and packed.win32.krap.hc

Also before I ran Kaspersky I did run ComboFix and it said it removed a rootkit, rebooted, then the power went out and I never had a chance to look at the log. To save some time I also pasted the last ComboFix log.

If someone would check the logs and see if I did remove all the rootkits I can start working on the dns problems.

Thanks ahead of time for the great service you do for everyone.

George

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by HP_Owner at 18:09:36 on 2012-01-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.222 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS ... Read more

A:Rootkit & malware removed (win32zaccess) ???

As you've run ComboFix several times, I'd like to see this log as well so please copy and paste the contents here:

C:\qoobox\ComboFix4.txt

70 more replies
Answer Match 48.72%

Hi Guys,

I confess I should have asked for help before messing around with different tools to clean up my system. I have been there and I've learnt the lesson.

At this stage I'm not sure if I am infected or not, after running so many removal tools.

The machine works fine except for the LAN/WLAN connections. I can also boot in safe mode and normal mode.

Any help will be really appreciated.

Cheers,
Rod

A:PC was infected with rootkit, removed with Combofix

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. Do not run any other tool until instructed to do so! Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them. Run Combofix: You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this). Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<. Combofix may need to reboot your computer more than once to do its job this is normal. You can download Combofix from one of these links. Link 1 Link 2 Link 3 1. Close any open browsers or any other programs that are open. 2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

26 more replies
Answer Match 48.72%

Hello, while surfing the web last week, my computer got infected with some trojans (a.o. TR/FakeAV.AF), one of them installing HDD Rescue on my computer. Meanwhile I was continually prompted with fake warnings like "a critical error has occurred while indexing data stored on harddrive. System restart required" and "Damaged hard drive clusters detected. Private data is at risk". The trojans at some point even seemed to take over (?) my Avira, or made a copy of it, I am not sure. After a lot of hassle I managed to manually remove HDD Rescue, but by this time (fake?) Avira was running fake system scans which only took about 10 minutes instead of ca. 1 hour. I started my computer in safe mode, deleted my TEMP folder, de-installed Avira, tried to install it again, but after re-installation it would not let me run system scans (also not in Normal mode). Installing AVG was somehow impossible, so I downloaded MBAM and it found the following:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bkaqoqocefuw (Trojan.Agent.U) -> Value: Bkaqoqocefuw -> Quarantined and deleted successfully.
c:\Users\Miek\AppData\Local\Temp\err.log101561112 (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
c:\Users\Miek\AppData\Roaming\Adobe\plugs\kb101623450.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Miek\AppData\Roaming\Adobe\p... Read more

A:Rootkit TDL4 removed (?)- Am I safe now?

Update: Now DEP has closed Windows Installer, it didn't say why, and Windows Updater is telling me there is 1 important update, but this update does not seem to have a name or any more information to it, it looks strange to me, as I already installed 2 important updates today which did have additional information. A couple of days ago I noticed in my toolbar two icons of Windows Updater at the same time! Both were saying there were updates. Seems suspicious to me....

2 more replies
Answer Match 48.3%

I have gone through the gauntlet of malware removal/remediation software to remove the incredibly frustrating Rootkit. There are no longer infected files on my computer, according to the various scans and logs recommended by several Malware removal forums including this one. The only lingering issue is the "virus is detected and has been removed" action when trying to download files, caused by corrupted Windows Defender. I have been able to work around this by renaming the Windows Defender folder in Program Files, but I can't seem to restore the program back to its proper state. The icon in the Control Panel is blank. I uninstalled Java as I was advised that this is a common target of rootkit malware.
 
My FSS.txt log  yields the following item:
 
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll Reparse point on file detected.
 
Below is my DDS.txt log. I have also attached my attach.txt log. 
 
I have also run FRST and have the FRST.txt and Addition.txt logs posted as well.
 
Please help and thanks in advance!
 
Mark
 
___________________________DDS_____________________________
 
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 10.0.9200.16736
Run by Mark at 10:42:10 on 2013-11-16
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.2.1033.18.2015.1060 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ==... Read more

A:ZeroAccess Rootkit removed but traces remain

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/514222 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

86 more replies
Answer Match 48.3%

I'm on my grandma's PC and she had a couple of things; I removed them, reran the malware removal apps in safe mode again, then 2 more times in normal mode, and nothing was detected or showed up. Just to be sure it's clean I'm gonna post the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:34:18 PM, on 7/17/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=EM&Loc=ENG_US&Sys=DTP&M=T3646
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search... Read more

More replies
Answer Match 48.3%

Hello forum...our PCs have been corrupted by someone (or organization) that has installed spyware. It started with weird router firewall logs of port scans and DoS attacks. We called our ISP and received very little help. They also update this system of control every so often with more invasive tactics. Even with a nuke and boot this unidentified kit is instantly activated. Comodo rescue listed an unidentified MBR rootkit. Text files show logs of escalating admin privileges and the registry shows all sorts of plug-ins with proxies and even some sort of firmware control. I doubt this is one person. They also install translation utilities for Chinese and other languages. My start menu has exe extensions and (remove properties) added. This is deep rooted stuff lol. I would like to 1. try and remove, 2. identify the hackers to report and 3. find out how to keep them out for good! Here are some beginning logs of this crap. Thanks in advance...
 
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16514
Run by MEGA at 10:27:08 on 2013-11-05
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.1.1033.18.2430.1620 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Antivirus *Disabled/Outdated* {0C2D2636-923D-EE52-2A83-E643204A8275}
FW: COMODO Firewall *En... Read more

A:Unidentified virus/rootkit/botnet to be removed

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/513118 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

5 more replies
Answer Match 48.3%

Hi, I recently got infected with a Zeroaccess rootkit and several virus that came with it. I think that I have managed to remove the all the infections, but some of the problems that they caused still persist. I'm requesting help to fix those problems.
 
The origin of the infection might have been a program downloaded from P2P that I tried to run or a malicious website that I visited. I don’t know which one because both things happened almost at the same time.
 
The problems that I am currently experiencing are these:
When I run sfc /scannow, it returns an error message:
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log.
This suggests that there might still be some undetected problems in my system.
 
I use a program called WakeUpOnStandBy as an alarm clock. This program does what its name suggests (it wakes up my computer when it is in standby, i. e., sleep or hibernation). Since I got the infection, it can’t wake up my PC from hibernation.
NOTE: I haven't been able to upload the file attach.txt. It's very big (1.3 MB), so the uploader doesn't accept it. It doesn't accept a RAR archive either. I'd like to get feedback on what to do about this.
 
I have written down the process that I have followed to get rid of the infection:

The problem
I got infected with a lot of viruses, including a ZeroAccess rootkit. The... Read more

A:Zeroaccess rootkit removed, need to fix remaining damage

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/511691 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

more replies
Answer Match 48.3%

HI, I recently got infected by Antimalware Doctor on April 29, 2010 and followed all the Bleeping Computer instructions to removing the program. Everything seemed to work fine until yesterday when Mbam discovered a Rootkit Agent in my System32 Drivers folder. My browser then got re-directed and the Windows host process stops working. Now, each time I click on a link in Firefox, it gets re-directed to some ad-page. Also, from time to time, my desktop icons get re-arranged even though I disabled auto arrange...

C:\Windows\system32\Drivers\jgtdmehf.sys (Avira also identified this)

I scanned the computer in safe mode and Mbam said it would be quarantined after reboot. After reboot, a second scan revealed that it was still there. I then scanned using Avira and received the following note: The file could not be marked for deleting after reboot. Error description: A device attached to the system is not functioning. When I try to manually delete, I get the message: Cannot read from the source file or disk. jgtdmehf.sys Date created: 4/29/2010 5:08 PM Size: 804 KB Date modified: 5/2/2010 10:10 AM The requested security information is either unavailable or can't be displayed. I have run both spybot and rkill and neither found anything. However, from time to time, my Firefox gets re-directed to some ad page, and all of a sudden, my desktop tool bar changes colors and I get this message: Host process for windows services stopped working and was closed A problem caused... Read more

A:Trojan Rootkit Agent Cannot be removed by MBam

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

36 more replies
Answer Match 48.3%

I got a notice from AVG that I had a trojan and clicked to remove it. It was called Consrv.dll.

I then went to open malwarebytes and found that it was missing. All icons on my desktop were missing except for the recycle bin. My start menu also had all programs missing except for solitaire, spyder, and minesweeper.

I opened windows explorer and it only showed computer and desktop. I went through control panel and un-hid files and some showed up in windows explorer, not all, but most.

I ran tdsskiller removed rootkit.boot.pihar.b.

Then I ran aswmbr and it removed consrv.dll generic26.atmh and ch8l2.exe idp.trojan.60213a6a

I was then able to download malwarebytes and run a scan. concerv.dll and ch812.exe showed up one more time. I had them quarantined.

After a few more attempts after restarts malwarebytes, eset, and tdsskiller all showed clean.

My issue that remains is that I still do not have all my files on the desktop and various files are missing from windows explorer (pictures and music).

I need to know if I have a remnant that is still infecting my system or is there a setting that needs to be changed back to show files.

Thanks in advance for any help.

DDS:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Angie at 23:27:05 on 2012-04-08
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.1788.852 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-... Read more

A:I think I removed trojans and rootkit, but problems persist

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us. Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post. NOTE:... Read more

21 more replies
Answer Match 48.3%

Hello! Thanks in advance for your help! I'm running Windows 7 Pro 64 bit. Yesterday morning I did an updated Avira AntiVir sweep and found that I had 3 detections of TR/Spy.Zbot.PC on my computer in the inbox/trash area of my computer. Spent most of the day cleaning it out and I think did it successfully. What proceeded, though, was strange happenings which made me question whether there was another infection of some sort on the comp. Some of them include: A hidden mystery folder named "癤㩤⼯㩄.lnk" popping up onto the Desktop which wasn't visible and only able to be found by search, which I erased. Also, a warning screen of "pkzfkh.exe" failing at some point... did a quick search and that doesn't even seem to exist anywhere, on the Net or on my computer! Needless to say I've tried multiple things before posting here. They include:
- Malwarebytes - nothing detected
- Sophos Anti-rootkit free - nothing detected
- GMER (which doesn't give me full access to all the nodes b/c I'm on 64 bit.)
- Autoruns to see what's running and on there
- Catchme.exe which brought up a curious: "detected NTDLL code modification: ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51 Initialization error" -- something tells me... Read more

A:Removed TR/Spy.Zbot.PC, but suspect a Rootkit still active

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster. In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them. DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

21 more replies
Answer Match 48.3%

Recently my laptop was infected by a possible ZeroAccess rootkit; after several hours I managed to boot my laptop in Safe Mode and use RogueKiller to remove it.
But I am not sure if I completely removed it and how to repair the damage done. My laptop takes a long time to boot up and can't download any files through a browser. Still, it would become unresponsive whenever I clicked anything on the screen, programs, start, etc. when booting up normally. I thought it would be a good time to seek aid.

My laptop is a HP Envy, Windows 8.1, 16GB RAM with Intel i7 Processor, 64-bit OS.

A:Successfully Removed a Possible ZeroAccess Rootkit but Need Help Confirming.

Hi & to Bleeping Computer Forums! My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully: My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding. Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed. If I don't reply within 24 hours please PM me! Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. Step 1: Please run a FRST scan. This will help us diagnose your problem. Please download Farbar Recovery Scan Tool and save it to your Desktop. (If you are not sure which version (32-/64-bit) applies to your system, ... Read more

62 more replies
Answer Match 48.3%

Hi,

I had a nasty bunch of malware infections that were causing my machine to slow to a crawl and repeatedly crash.

I downloaded Spyware Doctor and it found Trojan.Virtumonde, Rootkit.Agent, Trojan-Clicker.Small.JF, Trojan.PurityScan and TrojanDownloader.Conhook among other Adware infections.

It took several times rebooting while Spyware Doctor crashed while trying to remove the infections, but my machine is now functioning much better. The last time I ran a quick scan with Spyware Doctor, the computer got a clean bill of health.

Nevertheless, I am still suspicious that there are remaining hacker vulnerabilities and infections. I went through the 5 steps indicated, and Panda ActiveScan came up with quite a few remaining infections.

That log is as indicated below. Also, whenever I try to install two new Microsoft security updates as recommended, they fail, leading me to think that something is blocking the safety update.

Incident Status Location

Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\SYSTEM\Tools\Restart.exe ... Read more

A:Unsure if Rootkit.Agent and Virtumonde removed

Just a continuation, I am still having problems with my computer freezing up and crashing, and running a lot slower than normal.

19 more replies
Answer Match 48.3%

Re. the thread Removed TR/Spy.Zbot.PC, but suspect a Rootkit still active, http://www.bleepingcomputer.com/forums/topic384413.html

The folder in recent documents called 癤㩤⼯㩄 is caused by Dreamweaver CS5 and it's a harmless glitch. The first character means boil, but it's just gibberish.

That's all, just thought I'd help. I can't reply to the original thread.

A:re. Removed TR/Spy.Zbot.PC, but suspect a Rootkit still active

Hi,

thanks for letting us know. Is there anything else we can help you with?

regards myrti

2 more replies
Answer Match 48.3%

I picked up a trojan from a torrented file that is not detected as a virus by AVG. Upon running the .exe, AVG picked it up as IDP.trojan. Since this happens occasionally with my torrent source, I sent the file for aggregate scanning on Virustotal. The log is at the end of the post.
 
Since it appeared that it was a potential false positive, I went ahead and ran the file after turning off my AVG real-time protection. Some time later, my computer experienced spikes of 100% CPU usage and the AVG icon on my desktop changed to a generic executable icon. I attempted to turn on real-time protection but it failed to restart and when I tried accessing the AVG folder I was denied access as I did not have sufficient permissions.
 
I rebooted in safe mode and noticed that connecting to the internet resulted in several processes with duplicate names. These processes terminated upon disconnection from the internet. I also noticed that several 'system' processes were running on 32-bit even though I run a 64-bit system. I terminated those processes.
 
I attempted system restore but the window would not appear and I tried running system restore through the 'Repair your computer' at the boot screen. I was successful in choosing a restore point prior to that day but the system restore would not be able to complete. I also noticed two restore points created around the time of infection and labelled as 'Microsoft Visual C++ 2010 Redistributable'.
 
I brought down the computer to... Read more

A:Removed rootkit and IDP Trojan, is cleanup complete?

Logs
 
Virustotal
SHA256: 20629ab5cdf8f2406b4278595a9a5f5f4e7fcce355b358561e5e2af0526e7b87
File name: adobe patch.exe
Detection ratio: 6 / 56
Analysis date: 2015-05-07 17:21:48 UTC ( 1 day, 13 hours ago )

Antivirus            Result                         Update
Tencent              Trojan.Win32.YY.Gen.18         20150507
DrWeb                Trojan.DownLoader13.7719       20150507
Panda                Trj/Zbot.M                     20150507
Avast                MSIL:GenMalicious-ETC [Trj]    20150507
Fortinet             MSIL/Kryptik.BXG!tr            20150507
ESET-NOD32           a variant of MSIL/Kryptik.BWG  20150507
ALYac                                               20150507
AVG                                                 20150507
AVware                                              20150507
Ad-Aware                                            20150507
AegisLab                                            20150507
Agnitum                                             20150506
AhnLab-V3                                           20150507
Alibaba                                             20150507
Antiy-AVL                                           20150507
Avira                                               20150507
Baidu-International                                 20150507
BitDefender                                         20150507
Bkav                                                20150507
ByteHero                                            20150507
CAT-QuickHeal                                       20150507
CMC                                                 20150506
ClamAV                                              20150507
Comodo                                              20150507
Cyren                                               20150507
Emsisoft                                            20150507
F-Prot                                              20150507
F-Secure                                            20150507
GData                                               20150507
Ikarus                                              20150507
Jiangmin                                            20150506
K7AntiVirus                                         20150507
K7GW                                                20150507
Kaspersky                                           20150507
Kingsoft                                            20150507
Malwarebytes                                        20150507
McAfee                                              20150507
McAfee-GW-Edition                                   20150507
MicroWorld-eScan                                    20150507
Microsoft                                           20150507
NANO-Antivirus                                      20150507
Norman                                              20150507
Qihoo-360                                           20150507... Read more
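The log in this post is a VirusTotal result page copied into the forum as text. Copied that way, every field lands on its own line and an engine that reported nothing leaves an empty Result line, which makes such a paste easy to misread: the six named verdicts sit at the top and the long tail of blank engines hides how much of the list the forum cut off. The following is an added example, not code from the post or from VirusTotal, that parses that one-field-per-line form, checks the declared detection ratio against the engines actually listed, and flags a truncated paste. The sample input is constructed from the header and first records shown above; the class and function names (EngineResult, Report, parse_report, summarize) are my own.

```python
"""Parse a VirusTotal result copied from the web page as plain text."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: header and first records of the log in the post above, in
# the one-field-per-line layout a copied VirusTotal page gives. An engine that
# reported nothing leaves an empty Result line; the last record is cut off.
SAMPLE_REPORT = """\
SHA256:
20629ab5cdf8f2406b4278595a9a5f5f4e7fcce355b358561e5e2af0526e7b87
File name:
adobe patch.exe
Detection ratio:
6 / 56
Antivirus
Result
Update
Tencent
Trojan.Win32.YY.Gen.18
20150507
DrWeb
Trojan.DownLoader13.7719
20150507
Panda
Trj/Zbot.M
20150507
Avast
MSIL:GenMalicious-ETC [Trj]
20150507
Fortinet
MSIL/Kryptik.BXG!tr
20150507
ESET-NOD32
a variant of MSIL/Kryptik.BWG
20150507
ALYac

20150507
AVG

20150507
Qihoo-360

20150507... Read more
"""

@dataclass
class EngineResult:
    engine: str
    result: Optional[str]  # None when the engine reported nothing
    updated: str           # signature date, YYYYMMDD

@dataclass
class Report:
    sha256: Optional[str]
    file_name: Optional[str]
    declared_ratio: Optional[Tuple[int, int]]  # "6 / 56" -> (6, 56)
    engines: List[EngineResult]

    def detections(self) -> List[EngineResult]:
        return [e for e in self.engines if e.result]

def parse_report(text: str) -> Report:
    # rstrip only: an empty Result line must survive so records stay 3 lines each
    lines = [ln.rstrip() for ln in text.splitlines()]
    header, i = {}, 0
    while i < len(lines) and lines[i] != "Antivirus":   # "Key:" then its value
        if lines[i].endswith(":") and i + 1 < len(lines):
            header[lines[i][:-1].strip()] = lines[i + 1].strip()
            i += 2
        else:
            i += 1
    if lines[i:i + 3] == ["Antivirus", "Result", "Update"]:
        i += 3                                           # skip column titles
    engines: List[EngineResult] = []
    while i + 2 < len(lines):                            # engine, result, date
        engine, result, updated = (lines[i + k].strip() for k in range(3))
        if not re.match(r"\d{8}", updated):
            break                                        # table ended or paste damaged
        engines.append(EngineResult(engine, result or None, updated[:8]))
        i += 3
    m = re.fullmatch(r"(\d+)\s*/\s*(\d+)", header.get("Detection ratio", ""))
    ratio = (int(m.group(1)), int(m.group(2))) if m else None
    return Report(header.get("SHA256"), header.get("File name"), ratio, engines)

def summarize(report: Report) -> dict:
    """Set the declared ratio beside what the paste actually lists."""
    hits = report.detections()
    return {
        "declared": report.declared_ratio,
        "listed_engines": len(report.engines),
        "listed_hits": len(hits),
        "verdicts": {h.engine: h.result for h in hits},
        # False when fewer engines are listed than the ratio's denominator, i.e.
        # the paste is cut off and must not be read as the full verdict list.
        "complete": report.declared_ratio is not None
        and len(report.engines) == report.declared_ratio[1],
    }
```

Calling `summarize(parse_report(SAMPLE_REPORT))` gives the declared ratio (6, 56) next to the six verdicts the paste really contains and a `complete` flag of False, since a cut-off paste lists fewer engines than the ratio's denominator. Keeping the empty Result lines is the one thing the parser must get right: stripping blank lines first would shift every later engine name onto the wrong date.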

19 more replies
Answer Match 48.3%

I had a stubborn rootkit virus that re-directed me to random sites online and killed all my anti-virus scanning processes. I was finally able to quarantine it after several different anti-virus scans. In SAFE MODE, I used TDSSKiller, which found the virus but could not move it. Malwarebytes again, found but couldn't do anything. Finally, Dr. Web's CureIt was able to find and quarantine the file. During that time, I was using SAFE MODE WITH NETWORKING and was able to access the internet without any problems. When I finished with Dr. Web's CureIt, I lost internet access. I got stuck in an "acquiring network address" loop. I re-booted in normal mode and ran Malwarebytes which finally ran! Nothing was found, but I still could not access the internet. I tried repairing the connection and found that Windows could not renew my IP Address (using Windows XP). I tried Start > Run > ipconfig /renew and received the following error: "No operation can be performed on Local Area Connection while it has its media disconnected. An error occurred while renewing interface Wireless Network Connection 2: The RPC server is unavailable". I went to Start > Run > Services and located the Remote Procedure Call (RPC) and the Remote Procedure Call Locator services and set them both to start automatically. I did some research: DCOM Server Process Launcher and Wireless Zero Config are both working and set to start automatically. There are no dependencies for the RPC service, an... Read more

A:removed a Rootkit virus and now RPC server is unavailable

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/418816 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

2 more replies
Answer Match 47.88%

Hi, I'm new here sorry if I'm doing anything wrong with this post :c.

I recently discovered Antivirus Pro on my computer, probably last Saturday, and acted quickly with Malwarebytes and after a few hours thought I got rid of everything. Until another Advanced Antivirus Pro popped up a few days later. It disabled my desktop wallpaper, Task Manager, safe mode and pretty much everything I could use to rid the problem.

I downloaded AVG 8.5 and got rid of it but I still can't get my desktop back and the antivirus remover programs like MBAM can be opened but after I start scanning they disappear, the icons become blank and read off this error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I think I still have a Trojan downloader in my system because (Antivirus Doctor I think) showed up yesterday. I deleted the program but I know they're still in there.

I'm also getting a Rundll error "Error loading tapi.nfo The specified module could not be found." when I start up my computer. I downloaded safeboot and I'm now able to use safe mode again but the rundll error still appears and occasionally I get a blue screen that has a message "DRIVER_IRQL_NOT_LESS_OR_EQUAL". I'm guessing something is missing on my computer that is making it give me the errors and the blue screen.

I think I got the first virus from deviantart.com I have a regular account there and they... Read more

A:Possible Rootkit, Antivirus and malware protection programs not running. Really Need Help

Hello Ninjuhboyblu and to BleepingComputer. Let's see what we're dealing with here. Please install RootRepeal. Note: Vista users, right click on desktop icon and select "Run as Administrator." Direct Download (Recommended) Primary Mirror Secondary Mirror Secondary Mirror Secondary Mirror Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror Secondary Mirror Secondary Mirror Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror Secondary Mirror Secondary Mirror Disconnect from the Internet or physically unplug your Internet cable connection. Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver. Temporarily disable your anti-virus and real-time anti-spyware protection. After starting the scan, do not use the computer until the scan has completed. When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet. Extract RootRepeal.exe from the zip archive. Open on your desktop. Click the "Drivers" tab, and then click the button. Allow RootRepeal to run a scan of your system. This may take some time. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please. ~Blade In your next reply, please include the following: RootRepeal log

6 more replies
Answer Match 47.88%

Originally on my Toshiba netbook I had a pop up window for Security Protection and any executable I tried to run was being terminated . Could not install malwarebytes in safe mode so I removed the hard drive and scanned externally with malwarebytes via another computer and removed multiple infections.

Upon reconnecting hard drive to the netbook, normal mode was once again usable; however, if I install malwarebytes and update it, it shuts down about 10 seconds into a scan and the icon on both the desktop and the program folder give the message "windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I tried reinstalling mbam and changing the name of the .exe but I have the same problem.

I have also run TDSS killer and it finds two infections called rootkit.win32.zaccess.c and another suspicious item c:\windows\3539339392:2146896173.exe. If I attempt to remove these infections using tdss killer it says infections cured but gives the message " c:\windows\system32\DRIVERS\ipsec.sys- processing error". If I scan again using tdsskiller, both infections are still present.

Any advice? I would appreciate it.

A:Security protection and rootkit.win32.zaccess.c infection

Hello, please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue. Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs. Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you. If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members. Orange Blossom

4 more replies
Answer Match 47.88%

Hello and thank you for your time.

I was browsing a week or so ago when a window popped up, AV Protection 2011, that I could not easily close. I forgot how I eventually closed it, but by that time my Firefox had been hijacked, searches were redirected. I restored the system to a previously good state using Windows system restore, but that didn't help, so I came here to bleepingcomputer. I found the removal guide for AV Protection 2011 and followed the instructions. Upon reboot Firefox.exe could not be started, so I uninstalled and reinstalled Firefox. That allowed me to start the browser, which no longer redirected searches. Then I noticed that I could not start Thunderbird, so I uninstalled and reinstalled that program, too. Thunderbird worked fine and I thought I was out of the woods. A day or so later my virus protection software, Symantec, reported a number of Trojans. I ran Malwarebytes again, in safe mode, but no infections were reported. I started going through the steps to post a new topic here. The first attempt to extract gmer.zip was blocked for security reasons, so I scanned the zip file for viruses and Symantec reported that gmer.zip and gmer.exe were both trojans and quarantined them. I disabled Symantec as much as I could (it could not be fully disabled) and was able to extract the zip file. While running gmer Windows failed (quick blue screen) and restarted. I disconnected my machine from the network, uninstalled my virus protection software... Read more

A:Followed AV Protection 2011 removal guide but still infected with rootkit

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/430393 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

9 more replies
Answer Match 47.88%

Hi there!
 
I have inherited a work PC that has been through a few hands. When I received it, I was unable to do Windows 7 updates nor was I able to download ANYTHING from the internet (there was NO antivirus on the PC).
 
I ran Combofix in safe mode and it found something called ZeroAccess Rootkit and said it removed it. I could then download from the internet, but there are several things that are still giving me problems like getting certain Windows updates to download and install; and also getting some programs services to start. 
 
I would really love to see if there is anything that y'all can do to help me get my PC back to a decent working condition. Thanks ahead for your time!!
 
Aprill

A:ZeroAccess Rootkit / Sirefef - Removed, need help fixing aftermath

Hi & to Bleeping Computer Forums! My name is Jürgen and I will be assisting you with your Malware related problems. Before we move on, please read the following points carefully: My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding. Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed. If I don't reply within 24 hours please PM me! Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. Step 1: Please run a FRST scan. This will help us diagnose your problem. Please download Farbar Recovery Scan Tool and save it to your Desktop. (If you are not sure which version (32-/64-bit) applies to your system, ... Read more

25 more replies
Answer Match 47.88%

I make my living by this computer and now it snagged a Rootkit. This has a very bad reputation so I sure hope a kind and knowledgeable soul will help me get rid of it.
My system:
Dual boot XP and 7. The infection is on the XP side, though I haven't checked the other OS.
I use Zone Alarm Extreme.
 
The infection:
A couple of days ago I ran the usual Windows Update. On this occasion the Malicious Software Removal Tool found an object, I think it was called Win32/sirefef. After restart a window titled "zatray.exe - Ordinal not found" popped up. Coincidentally my Zone Alarm (ZA) icon refused to show up in the notification area. I contacted ZA support who informed me that this was a Windows problem not a ZA problem. I then:
*Ran mbam but couldn't complete the scan (it became very slow so we stopped it)
*Restarted in Safe Mode and scanned using mbam. This time 5 objects were found, all labelled Rootkit.0Access. Three of them were registry entries (HKCU and HKLM), one was in Application Data for Google and another one was in \program files\google\desktop\install... Pressed the button to remove, then
*Restarted into normal mode. The zatray window no longer appeared and ZA came back to life.
*A rescan with mbam, however still showed one Rootkit.0Access.
*Several more cycles of rescans and restarts failed to remove the Rootkit which appears to reside in HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_*202EETADPUG
I also have an external hard drive which was connected to the in... Read more

A:Rootkit.0Access found by mbam but only partially removed

Hello BugsandWormsYum, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems. Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us! Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post. Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "th... Read more

30 more replies
Answer Match 47.88%

Hi there! I was working with the Malwarebytes forum a few weeks ago. I could not download Malwarebytes, and my browser was being hijacked. From there, they informed me that I probably had a rootkit. After running some programs and reporting the log files, they figured my computer was clean and the thread was closed. Since it is not just a Malwarebytes problem, I thought I would join your forum and see if you have some additional help for me.

OS - Windows Vista Home premium 32 bit

Symptoms - Computer running slow, almost slower than dial-up. Pages sometimes need to be refreshed a few times before the graphics will load properly.
- File download is enabled on my computer. There is only one user account on this computer, it has admin. privileges. When I download something, it looks as if the file downloads... I select where to save it to, the progress bar runs, and it looks like a normal download. However, when I go to retrieve the download, it is not there.

I have run disk defrag, checked disk for errors, I have my antivirus and one other program running from startup programs... I shut off all the others regularly. (I was on dial-up for 10 years, I still practice the tricks for speed)
For tool bars, I have... menu bar, favorites bar, command bar and status bar... so not much for tool bars.
I have 3GB of RAM... that should be plenty for web surfing.
I have switched my Windows color scheme from Aero to Vista Basic.
I didn't have many desktop icons (10 of them) until I downl... Read more

A:Slow computer after virus/rootkit supposedly removed

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay. We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr DDS.pif Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

24 more replies
Answer Match 47.88%

I had a rootkit installed that kept triggering my antivirus. I reached out for help on one of these virus related forums however since I don't have HTTP access on that computer anymore, I can't remember how to find my way back to my posting. I was advised to run combo fix.

I must say, it removed all of my problems and my laptop is now virus free however I do have one major glitch.

After running and rebooting, my laptop no longer has access to anything via HTTP. I can't connect to standard web pages nor any other type of HTTP communication. However, HTTPS does work fine. When running the IE Network Diagnostics, it confirms this exact scenario.... FTP and HTTPS connections succeed however HTTP do not.

I have the combofix log and would be willing to post it however I am not supposed to do so here and I am not sure how I can get back to my original posting (don't even think it is this exact site) to continue with assistance.

Any help is appreciated.

A:Removed Rootkit with ComboFix, HTTP doesn't function

What operating system are you using?


Hello, we appear to have a rootkit virus. We have Webroot Secure Anywhere antivirus, and it seems to pick up a rootkit located at C:\Windows\system32\DRIVERS\i8042prt.sys

When clicking remove and rebooting, it appears the corrupted file reinstalls itself.

The main problem we are having now is search engine redirects. Also, Windows Firewall won't turn on, and we get an odd popup every once in a while from the system tray that says something like "some windows startup programs were blocked". If I try to open this to show which programs are blocked, an error box pops up with "Windows Defender: Application Failed to Initialize: 0x80070006 The handle is invalid."

Also, when trying to turn on the Windows Firewall an error pops up with "The security service can't be started." And Windows Security Center is not working.

I initially had a virus I believe called Windows Security 2012, which was a rogue anti-virus, where I followed the steps located at http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012. This appears to be completely removed. But I have now noticed the redirects. Oh, for some reason the Google redirects are only happening in Firefox and Chrome. I did perform a Windows update and install IE9 after removing the rogue anti-virus.

We are running Vista 32-bit. Any assistance would be greatly appreciated.
Thanks!!

A:Rogue antivirus removed, followed with Google redirect, rootkit?

Hello and welcome. Let's run these and review the logs.

Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices
List Users, Partitions and Memory size.
List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run. Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Please download TDSSKiller.zip and extract it. Run TDSSKiller.exe. Click Start scan. When it is finished the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default). Leave the options as they are and click Continue. Let it reboot if needed and tell me if the tool needed a reboot. Click on Report and post the contents of the text file that will open.

Note: By default, the utility outputs the log into the system disk (it is usually the disk with the installed operating system, C:\) root folder. The log has a name like: TDSSKiller.Version_Date_Time_log.txt.

Rerun MBAM (MalwareBytes) like this: Open MBAM in normal/regular mod... Read more


First of all, thanks for your time.

I came here for help with another problem which happened to be in my regedit, that had to do with programs bringing up the "open with" menu, but I've fixed it with xp_exe_fix, so I think that is all taken care of. I recently recovered from/deleted from my computer the Windows Police Pro / desote virus, with Spyware Doctor and by manually deleting the files in safe mode. Now my new problem is that my computer is running a lot slower, and on startup (here's the big one) Spyware Doctor detects and blocks a Rootkit.tdss which won't show up in my scans, and I can't find it. Here's my HJT file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:48 PM, on 9/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10c.exe
C:\Users\CrabMang\Desktop\iexplore.exe
C:\Users\CrabMang\Desktop\iexplore.exe
C:\Users\CrabMang\Desktop\iexplore.exe
C:\Users\CrabMang\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.alienware.com/Mothership...%&ai=636E3D34343436393426706F3D35353339333641
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Searc... Read more

A:Rootkit.tdss after windows police pro removed - vista

Update: didn't mean to bump so early but have some significant news

Last night I turned my computer off and this morning it would freeze after inputting my password and trying to sign on. It did this 3 times before I restarted in safe mode. In safe mode I ran a Spyware Doctor scan and it actually found the Rootkit.tdss. I clicked to fix it, and it said it was removed and needed to reboot to completely remove the virus. So I rebooted and thankfully, it started normally without a problem, not in safe mode. So for the first time Spyware Doctor didn't give me a pop up that it had blocked Rootkit.tdss on startup, but when I ran a scan, the Rootkit.tdss was still there, and somehow Spyware Doctor had found it again (not in safe mode). So I clicked to fix it, and Spyware Doctor said it deleted it (no reboot required). Now everything I think is running fine; of course I can't be sure, so the question is: should I still be worried or can I just forget the whole mess now? How can I know if it's really gone? Thanks very much for your time.
 


Hi,

I asked for help in http://www.bleepingcomputer.com/forums/topic461930.html/page__pid__2776508#entry2776508 and I was instructed to follow the instructions for requesting help and posting here. I reproduce here again my problem:

A few days ago I realized my PC was infected by viruses/malware. Sound commercials would be heard, end and then start again after a while. I first ran Avast and Malwarebytes Anti-Malware and they detected threats [MDE-B][Susp], Zwangi, malicious URL blocked globalroot\systemroot\svchost.exe, and others. Every once in a while, Avast would block some numeric website.

After searching on web forums for similar situations, I ran a few things such as ComboFix, TDSSKiller, bootkit remover, exe helper, rkill and maybe others. The result was that I was able to get rid of the sound commercials, which I found out came from a file called Svchost.exe in the Windows folder. This file would be created again after you deleted it, but after running these tools, they removed the Rootkit.Boot.Pihar.c and Olmarik trojans. After doing this I ran other scans by several alternative antivirus products, ESET and Panda Online Scanner, and they did not detect anything. Same for Avast on boot-time scan and Malwarebytes.

Anyway, I thought I was clean but I tried to use Firefox and the program would freeze, as it used to happen when I had the infection. I reinstalled it and installed it again and it keeps happening. It doesn't happen with Internet explorer, which is what ... Read more

A:Not sure if Rootkit.Boot.Pihar.c and Olmarik trojan were removed right

Hi, I will be helping you. Can you please give me the logs from TDSSKiller and ComboFix, and run aswMBR:

Please download aswMBR (511KB) to your desktop.
Double click the aswMBR.exe icon to run it.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

regards myrti


Hello tech pro's

I understand you guys are really busy, so if it takes time to get to my thread, I understand and I am being patient.
I am a music lover. This morning I found myself on this website [http://idmbreakingnews.blogspot.com/] where I clicked on a link to download some music. Silly me for being so trusting. I ended up with a Trojan called Rootkit.Win32.Agent.pp

I have Norton Antivirus installed (with definitions as current as this morning) and I ran a full system scan. Norton picked up the Trojan and 'supposedly' repaired the problem. I, however, don't trust that all the 'baddies' are gone from my machine. The reason for this is because I did some research on the specific Trojan and what I read is that it hides other programs in your computer. I know antivirus programs sometimes miss things, so my question is this: can somebody please help me to thoroughly scrub my computer of any potential 'bad guys' that may be hidden? I would be very appreciative.

I am currently using a different (clean/fresh OS install) computer in my house to write this thread.

Thank you for your time

A:Rootkit.Win32.Agent.PP found.. supposedly removed..

IMPORTANT NOTE: Rootkit.Win32.Agent.pp is related to a rootkit component. Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is sent back to the hacker. To learn more about these types of infections, you can refer to:
What danger is presented by rootkits?
Rootkits and how to combat them
r00tkit Analysis: What Is A Rootkit

If your computer was used for online banking, has credit card information or other sensitive data on it, you should stay disconnected from the Internet until your system is fully cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised and change each password using a clean computer, not the infected one. ... Read more


As per this topic here http://www.bleepingcomputer.com/forums/topic418479.html/page__gopid__2411783#entry2411783
I am posting some logs concerning the removal of Rootkit.win32.zaccess.e that infected ipsec.sys among others

AntiZeroAccess log
Webroot AntiZeroAccess 0.8 Log File
Execution time: 13/09/2011 - 00:31
Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3
00:31:22 - CheckSystem - Begin to check system...
00:31:22 - OpenRootDrive - Opening system root volume and physical drive....
00:31:22 - C Root Drive: Disk number: 0 Start sector: 0x00000800 Partition Size: 0x12A14400 sectors.
00:31:22 - PrevX Main driver extracted in "C:\WINDOWS\system32\drivers\ZeroAccess.sys".
00:31:23 - InstallAndStartDriver - Main driver was installed and now is running.
00:31:23 - CheckSystem - Warning! Disk class driver is INFECTED.
00:31:23 - CheckFile - Warning! File "afd.sys" is Infected by ZeroAccess Rootkit.
00:32:16 - DoRepair - Begin to perform system repair....
00:32:16 - DoRepair - System Disk class driver was repaired.
00:32:16 - DoRepair - Infected "afd.sys" file was renamed.
00:32:16 - DoRepair - Infected "afd.sys" file was successfully cleaned!
00:32:16 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.
00:32:16 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!
00:32:16 - Execution Ended!
Webroot AntiZeroAccess 0.8 Log File
Execution time: 1... Read more

A:Zero Access rootkit removed-unable to pull down an IP address

I have reinstalled the corrupted HP related networking programs and copied over a fresh ipsec.sys. Basically the netbook eternally is stuck trying to get an IP.


I did a hitmanpro scan and had a result for a sector 0 MBR infection and had it delete it.  It then had me reboot the sys.
 
When I rebooted there were only 2 old users. I logged into each of them, neither of which had any files, and most (not all) programs are gone. By "gone" I literally mean they are gone. For instance, Mozilla Thunderbird was installed before the virus reboot. There is no data file, it is not listed in "add/remove programs", there isn't even a directory under Program Files (x86), and that goes for a lot of other programs that were installed. It's crazy... I don't even get a result for HitmanPro when searching the computer, nor is it in \program files or add/remove programs, and it was the one that asked me to reboot so I know for sure it was there before the reboot. Not sure if HitmanPro has a portable app, but I did the download from bleepingcomputer and installed it, so I know it's not just a "missing" file; it was actually installed.
 
I checked c:\Users\ and went through all the users' desktop folders and they are all empty. It is like it did a system restore and removed personal data files as well, like a rollback. However, the reboot didn't take long at all. It was like a regular reboot, not like a rollback or system restore, which can take a while, and for all the programs that have been removed.
 
There isn't another windows partition or a \windows.old that it's booting from either.... Read more

A:Sector 0 Rootkit Removed installed programs and data

Update:  I just did a scan on a 2nd system and have the same infection.  I have not cleaned it and here are some of the details:
 
*********************
Master Boot Record (sector 0) - Bootkit
 
Windows disk signature: 8B6AC2E5
 
Partition  Type  LBA        Number of sectors
0          07    2048       40960000
1*         07    40962048   447432704
2          00    0          0
3          00    0          0
***********************
Following that is a bunch of hexadecimal in 2 separate tables. One showing the info in sector 1 and the other table showing the info that will replace it.
 
I did have a thought. I noticed another partition called recovery. Inside is a tool called rollback by horizon-datasys. Is it possible HitmanPro has confused the sector 0 virus for something from the Rollback program, and when it replaced sector 0 it effectively undid anything after Rollback was installed? This might explain why some programs are still on the system, like Adobe Reader and Flash Player, yet others are completely gone. Trying to figure it out and any help would be appreciated.
 
Thanks...would like to undo what was done.


Malwarebytes found Rootkit.fileless.mtgen today and quarantined it. I tried to run Microsoft Safety Scanner and a Windows Defender full scan and neither would run. After searching around I also found and ran Kaspersky TDSSKiller and it did not find anything.
 
How do I know this malware has been removed from my PC?
 
  

A:Malwarebytes found Rootkit.fileless.mtgen - Is it removed?

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access to the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive an UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark the following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scr... Read more


Hi All,

I had a rootkit - Win32/Olmarik - according to eset. I used an eset removal tool to get rid of it. I ran Malwarebytes originally and removed some viruses. I then did a complete scan with AVG 2012 including a rootkit scan and it found nothing. I then ran the eset removal tools for Win32/Olmarik and it was removed.

Files and folders were hidden. I ran unhide (much better than using attrib!) and got the files and folders viewable again.

However, if you try to double click a folder or open something like the Control Panel, its window never displays. If you start Task Manager you'll see the folder or Control Panel program is running. It's just not displaying. My guess is that some registry settings are mucked up.

Has anyone seen this and know a cure for it?

Thanks!

Mike

A:rootkit removed but explorer windows opening and not displaying

I found a link that resets Windows Explorer back to its default settings, which fixed my problem. This is for Win7. Here's the link:

http://www.sevenforums.com/tutorials/15692-folder-view-settings-reset-all-default.html

Hope this helps someone else.

Mike


I have Bitdefender on my PC and I did a scan and it said I had a rootkit and needed to be restarted to remove it, so I restarted and now normal boot goes to a blue screen every time (stop 0x0000007E), and safe mode works. I tried a scan with updated Malwarebytes in safe mode, and it comes back clean. I have run Defogger and attached the DDS log:

DDS (Ver_2012-10-14.05) - NTFS_AMD64 NETWORK
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_35
Run by Matt at 22:31:43 on 2012-10-17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3837.2900 [GMT -4:00]
.
AV: Bitdefender Antivirus *Disabled/Outdated* {98CD50CE-5097-4098-9669-6C401FB3969C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Bitdefender Antispyware *Disabled/Outdated* {23ACB12A-76AD-4F16-ACD9-57326434DC21}
FW: Bitdefender Firewall *Disabled* {A0F6D1EB-1AF8-41C0-BD36-C575E160D1E7}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe... Read more

A:Rootkit Removed Now Only Safe Mode Boot Vista

Hello, Welcome to BleepingComputer.

I'm nasdaq and will be helping you. If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Let's see if we can restore your computer to a date prior to running Bitdefender and restarting your computer. Follow the directives listed here.
http://windows.microsoft.com/en-US/windows-vista/Start-System-Restore-from-a-command-prompt
Select a restore point prior to running Bitdefender. This should possibly restore the infection but will take care of it.
If successful please run the DDS tool and post a fresh log for my review.
Wait for further instructions.


Working on a client's laptop. Typical fake AV malware situation. Used rkill and MBAM to isolate and remove. Still having issues with something using task scheduler to initiate ping, which quickly consumes 95% processor and a huge amount of memory. Logs follow:

TSG:
Tech Support Guy System Info Utility version 1.0.0.2

OS Version: Microsoft® Windows Vista™ Home Premium, Service Pack 2, 32 bit

Processor: AMD Athlon Dual-Core QL-60, x64 Family 17 Model 3 Stepping 1

Processor Count: 2

RAM: 1789 Mb

Graphics Card: NVIDIA GeForce 8200M G, 256 Mb

Hard Drives: C: Total - 104355 MB, Free - 2436 MB; D: Total - 10113 MB, Free - 1790 MB;

Motherboard: Wistron, 360A

Antivirus: None

DDS:
.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26

Run by Ashley at 20:23:05 on 2012-01-05

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1790.824 [GMT -6:00]

.

SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\nvvsvc.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k secsvcs

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\... Read more


Hi there, as requested, please see below, and thanks once again for your help.

Problem Description: infected with Antimalware Doctor virus, rootkit virus, and additional malware.

Action taken: used 'rkill' to terminate Antimalware Doctor, and then used MBAM to remove malware. Further scans with Norton completed and no viruses found. However, Google searches still redirect and Windows Update can not be accessed. Completed a scan of ComboFix which suggested a rootkit virus was present and logs state 3 items have been modified (including main rootkit). Webpages still redirect, no access to Windows Update, and laptop does not go into hibernation. I noticed that at one point I had three WUAUCLT.exe running, and I am now consistently out of usable HDD space (it's a small HDD anyway, but I usually have 400mb free at least, I now have about 3mb). Windows updates seemed to have installed themselves and I am now being prompted to restart the laptop, which I won't do for fear of who knows what may be activated should I continue.

LOGS

COMBOFIX
ComboFix 10-08-16.04 - Robert Chohan 17/08/2010 23:31:27.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2039.1515 [GMT 1:00]
Running from: c:\documents and settings\Robert Chohan\My Documents\prevent\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
Infected copy of c:\windows\system32\DRIVERS\imapi.sys was ... Read more

A:Antimalware Doctor removed, but rootkit virus remains

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
CODE
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more


Whenever I turn my laptop p.c. on my real-time protection is turned off. After I turn it back on and start my computer the next time it's turned off again. This has been going on for about a week.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16736  BrowserJavaVersion: 10.51.2
Run by Desktop at 16:41:58 on 2014-03-18
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.64.1033.18.7990.5072 [GMT 13:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_1c0e2d1db9f5b08e\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\Hpservice.exe
C:\Program Files (x86)\Stardock\MyColors\VistaSrv.exe
C:\Program Files (x86)\Stardock\MyColors\WBVista.exe
C:\Windows\system32\svch... Read more

A:Infected with suspected rootkit that keeps turning my real-time protection off



Hi
I’m running Windows 7 SP1. My computer had been running incredibly slow for a couple of days when Avast found a Trojan which had infected switchboard.exe. Stupidly, I did not note the name of the Trojan and simply pressed delete. I was trying to load google.com at the time. Avast recommended running a scan of the MBR, so I restarted the computer, then the scan completed, then the computer shut down. When I started it again I had no internet access and required administrator permissions to change settings.
 
 
I'd appreciate any help or advice you might have.

A:Avast removed infected switchboard.exe then after rootkit scan no internet

I've reformatted and reinstalled the OS that seems to have fixed it. No further help needed. Thanks


Got infected with some malware through an email. Ran multiple scans of Microsoft Security Essentials, which did nothing, and then ran Malwarebytes several times and it eventually said that Win32/Zbot was gone. The computer was still not operating properly: lots of popups with the popup blocker on, and it was just generally slow and poor. I was unable to open any of my Adobe PDF files, but reloaded Adobe Reader and that now appears okay. Word documents are fine too. Even though the scans say I'm not infected, another window opened up and said I was infected with Rootkit.Sirefef.Spy and Trojan.Fake AV. I then ran Malwarebytes' Beta Rootkit tool and it said that my computer was clean also. I don't believe it is, because I'm having all sorts of slow downs, popups and the like. Any help or suggestions would be appreciated.
 

A:Win32/Zbot removed, now Rootkit.Sirefef.Spy and Trojan.Fake AV

Hello wahoo, let's also do these and see.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Download TDSSKiller and save it to your desktop.
Extract (unzip) its contents to your desktop.
Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

ADW Cleaner
Please download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right... Read more


Infected with Rootkit.TDSS. Apparently removed using ComboFix. I ran it from D:\ instead of the desktop. The computer seems to be running fine now, but I cannot open any files that were in the root of d:\. These files include .doc, .jpg, .pdf, .txt files. The folders in d:\ are OK and files inside the folders are still fine and can be opened. Everything else is also OK.

1) Why is it important to run Combofix from the desktop? (it is instructed but I have not come across any explanation for it).
2) Double clicking on the mentioned files opens them but with various error messages. txt files open with garbled characters.
3) I have Credant mobile guardian running on the machine.

Thanks for comments and ideas.

A:Removed Rootkit.TDSS using Combofix, files in root d:\ do not open now

ComboFix (CF for short) is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. When CF is run without trained assistance, it can no longer be considered a "safe" tool. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

***************************************************

1) Why is it important to run Combofix from the desktop? (it is instructed but I have not come across any explanation for it).

At the request of the author, information about the inner workings of CF is not available for public view. That's the decision of the creator and we will abide by that decision. However, I will say that every instruction given by Staff here at BC is done so for the benefit of the user. Disregarding any detail can have serious consequences.

You will need to post a DDS log in the HJT forum so that a HJT Team member can take a look at your situation and see if the damage can be reversed. Please read the information about getting started. After you have followed the steps in that guide, I would like you to start a new thread HERE and include a link to this thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. It will likely take 12-14 days for a reply due to the backlog of help requests.

~Blade
