Tech Problem Aggregator

Exploit rogue Spyware Scanner (type 140)

Q: Exploit rogue Spyware Scanner (type 140)

My son downloaded some videos on how to fix his car from YouTube and since then my laptop has been getting worse and worse. I ran Sammsoft ARO and Malware. I have since taken both off my computer, thinking that might help. I have AVG, but it comes up with nothing when I scan. I keep getting the threat alert scaneriche.cz.cc/scan/dim_sp2/free as the file name and Exploit Rogue Spyware Scanner (type 140) as the threat name.
I found a post about rkill on a random site and downloaded rkill, but every time I try to run it my computer goes to a blue screen with a long message and then reboots automatically.
When I try to use the internet, I am directed to different sites that I don't want.
Help!!

A: Exploit rogue Spyware Scanner (type 140)

Hello kathym and welcome to BC.

We're so sorry about the delay, do you still need help?

Q:

I received a threat alert on my AVG 8.0 that I had something called Exploit Rogue Spyware Scanner type 621. I ran the AVG scan and it showed nothing. I ran Ad-Aware and all it found were some tracking cookies. I started getting redirected when browsing with Internet Explorer and I downloaded Mozilla because the pop-ups and redirects became so bad I couldn't use my Internet Explorer to get to any place for help... This is my HijackThis log.... I do not know why all my AVG scans come back that everything is fine. Please can you help me... I have no idea what this is.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:26:49 PM, on 3/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpe... Read more

Q:

DDS does work on Vista 64-bit so I have to use HijackThis. Anyway, AVG detected it after I clicked a link by mistake while googling. AVG hadn't detected it before this happened and hasn't since.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:54 PM, on 3/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files (x86)\AVG\AVG8\avgtray.exe
C:\Program Files (x86)\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKLM\Software\Micr... Read more

A: AVG just detected: exploit rogue spyware scanner (type 621). Vista 64 bit

Hello and Welcome to TSF.

We no longer use HijackThis as our initial analysis tool.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please start a new thread in our Virus/Trojan/Spyware forum along with the required logs

Q:

My PC's been running weird for about a week now and in that time numerous infections have been found, quarantined and removed. The last virus scan came back clear, 'hooray!'... or so I thought... I use AVG Free 8.5 and within the space of 45 minutes I have received two separate threat alerts. The first one was Exploit Phoenix Exploit Kit type 1112 and the second one was Exploit Rogue Scanner type 1148. The next step was unplugging it and drop-kicking it out the window until these threat alerts popped up, as it proves the machine is still under the influence of something. Can someone please advise me on the 'whats', 'hows' and 'whens' to restore my PC back to how it should be? Many thanks in advance!

Q:

While doing some research via Google yesterday, a redirect to an infected site was attempted twice. When I noted the odd name of the site coming up in the URL (and when the page had barely begun to load), I clicked back to Google. Meantime, on the way to the redirected site, AVG had popped up with a virus alert of Exploit Rogue Scanner Type 1007, listed twice. The site name was also identified.

I ran the ATF cleaner, then a full AVG scan which found no problems, and followed up with an MBAM scan which also found no problems.

Can I rely on these two results without running any other diagnostics?

Thanks, folks.

A: Exploit Rogue Scanner Type 1007

Me too. For the past 6 days the browser has been hijacked. Sometimes I get transferred as soon as I click on a Google link, sometimes the transfer appears to occur later, after already visiting the correct site. The AVG Safe Search add-on in Mozilla does not complain about the link. AVG only very occasionally throws up a warning (Exploit Rogue Scanner Type 1007) after the hijack. PC Tools Spyware Doctor (free version) and AVG 9.0.733 find nothing on complete scans (files, registry, etc ...).

Q:

Hello,
Thanks so much in advance for helping me.

Running XP and keep getting redirected when I search via yahoo. AVG has detected 'exploit rogue scanner type 1652'.
Ran malwarebytes anti-malware but nothing is found.

A: Exploit rogue scanner type 1652 detected by AVG

Here is my DDS log...
DDS (Ver_10-12-12.02) - NTFSx86
Run by Mark at 7:03:11.82 on Fri 02/04/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.347 [GMT -5:00]

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\s... Read more

Q:

Hi, I have this virus on my comp and can't seem to get rid of it. AVG keeps blocking it, but I would like to get it off the computer (EXPLOIT ROGUE SCANNER (TYPE 889)). Can someone please help?

EDIT: Moved from Vista to more appropriate Am I Infected forum ~ Hamluis.

Q:

While browsing a messageboard using Firefox I received a supposed AVG Antivirus pop-up about "exploit rogue scanner (type 922)". I think it only said threat detected, so I wasn't sure if it had been blocked or if I had been infected with anything. From what I have read, this was probably not a genuine AVG notice, but a faked one.
I didn't notice any problem until a couple of days later when I was unable to access some websites. This problem is worse for Firefox, but there are some websites I cannot access on either Firefox or AOL/Internet Explorer.

I usually run AVG and Malwarebytes Anti-Malware, and was unable to find anything with these. In addition I have tried Trend Micro, BitDefender, Lavasoft Ad-Aware, Kaspersky, Panda ActiveScan, F-Secure, Spybot S&D, SUPERAntiSpyware, HijackThis and found nothing significant (only false positives as far as I can tell: Panda giving a Virtumonde in Viewpoint Media Player, Kaspersky saying I had a virus in my hosts file when in fact it was entries previously inserted by Spybot to block "bad sites").
I had some problems running rootkit detectors, although for GMER I believe that was because I didn't have AVG disabled. With AVG disabled I was able to run a full GMER scan, although this took a long time and slowed down towards the end - I was able to save a log file before the CPU usage went to 100% and I had to manually switch the computer off.
I still have problems running some of the sections of Root... Read more

A: exploit rogue scanner (type 922), websites blocked, possible rootkit?

I think I have fixed the problem on AOL (which may have been due to a recent AOL security update) by going here: http://help.aol.co.uk/why-cant-i-access-a-...802091909990001 and applying step no. 5. I seem to be able to get to any site on AOL now, though access is a bit intermittent on PayPal, for example.

The problem on Firefox remains. I wondered if it could be due to a corrupt profile but anything I try - creating a new profile, clearing cache and cookies - doesn't fix it. It sounds very much as though I have a Vundo trojan as described here: http://support.mozilla.com/en-US/kb/Firefo...ertain+websites

Any clue as to how to find and get rid of it? And now, unfortunately, my stand-alone Internet Explorer is exhibiting the same problems as Firefox, which I'm sure it wasn't before.
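The thread above runs into the hosts file twice: Spybot adds sinkhole entries to block bad sites, and Kaspersky then flags the file. The script below is an added example written for this page, not code from the thread, from Spybot or from any AV vendor. It classifies every active mapping in a hosts file offline as one of: the stock localhost lines, a benign sinkhole (a name pointed at 127.0.0.1 or 0.0.0.0, which is what Spybot writes), a hijack (an AV-vendor, update or search domain pointed anywhere by hand, loopback included, since pointing update servers at loopback is how a rogue scanner keeps its victim from updating), or a redirect to review by hand. The sample hosts content, the 203.0.113.44 address and the SENSITIVE_SUFFIXES list are constructed for the example; the suffix list is an assumption you should replace with the vendors you actually rely on.

```python
"""Classify the entries of a Windows hosts file: default, benign sinkhole
(blocklist), hijack of a vendor/search name, or plain redirect to review."""
import ipaddress

# Names a rogue-scanner installer typically remaps so the victim cannot reach
# help, updates, or a real search engine. Assumed, illustrative list.
SENSITIVE_SUFFIXES = (
    "avg.com", "microsoft.com", "windowsupdate.com", "malwarebytes.org",
    "kaspersky.com", "trendmicro.com", "google.com", "yahoo.com", "bing.com",
)
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample (not a file from the page): Microsoft's stock lines, a
# Spybot-style block, five lines a hijacker might add, and an intranet alias.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
0.0.0.0 008i.com
# End of entries inserted by Spybot - Search & Destroy
203.0.113.44 www.google.com
203.0.113.44 google.com
203.0.113.44 free.avg.com
203.0.113.44 update.avg.com
127.0.0.1 www.malwarebytes.org
10.0.0.5 intranet.corp.example
"""


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every active mapping."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # not a usable mapping
        entries.extend((no, ip, host.lower()) for host in parts[1:])
    return entries


def is_sensitive(host):
    return any(host == s or host.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def classify(ip, host):
    """One of: default, hijack, blocklist, redirect."""
    if host in LOCALHOST_NAMES and ip in SINKHOLE_ADDRS:
        return "default"
    if is_sensitive(host):
        return "hijack"          # vendor/search name pointed anywhere by hand
    if ip in SINKHOLE_ADDRS:
        return "blocklist"       # Spybot/MVPS style sinkhole: benign
    return "redirect"            # intranet alias or hijack: review manually


def triage(text):
    """Group the hosts file's entries by classification."""
    result = {"default": [], "blocklist": [], "hijack": [], "redirect": []}
    for entry in parse_hosts(text):
        result[classify(entry[1], entry[2])].append(entry)
    return result


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_HOSTS).items():
        for no, ip, host in entries:
            print(f"{category:9} line {no:2}: {ip:15} {host}")
```

Paste the suspect file into SAMPLE_HOSTS, or read it from C:\Windows\System32\drivers\etc\hosts, and run the script. Two caveats from the threads on this page: a clean hosts file does not clear the machine, because the redirects reported here were typically done inside the browser or by a patched driver rather than by name resolution; and the TCP/IP stack reads the hosts file from whatever directory HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath names, so confirm the file you are reading is the one actually in use.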

Q:

Hi!
I have a problem with my Firefox browser directing me to all types of pages when I click on a search result.
A pop up from AVG comes up indicating a threat - Exploit Rogue Scanner (type 1652) is blocked while I'm browsing sites.
I have AVG Free and scanned the computer. It shows no infections. The only errors AVG found are in the rootkit scan, where I get 28 errors of an IRP hook, and when I have AVG remove them and restart they keep showing up on the rescan. The pop-ups still go.
I found an identical problem solved in your forum (Browsers redirecting and malware programs not running or updating Do not know how to remove/ posted by bd1000 on 02 November 2010 - 07:25 PM), could you please help me as well?
Thank you
Below is the DDS scan log of my computer. I have attached the requested files.

DDS (Ver_10-11-10.01) - NTFSx86
Run by Kalina at 1:53:28.50 on ЇҐІєЄ 11/12/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1251.1.1033.18.2038.1354 [GMT 2:00]

AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
c:\Program Fi... Read more

A: Browsers redirecting problem, AVG pop up 'Exploit Rogue Scanner (type 1652)'

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together:

Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having, as these can help also.
Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
The application window will appear. Click the Disable button to disable your CD emulation drivers. Click Yes to continue. A 'Finished!' message will ap... Read more

Q:

Hello BC community. Hopefully I am posting in the correct section. I have followed the steps, and I have included the required logs below.

I shall begin with what I know. I consider myself to be of decent computer knowledge; I know how to write HTML, I properly run Windows 98/XP/Vista without many problems, and I can, and have on occasion, installed hardware (new graphics card, etc).

Currently, AVG is giving me warnings that it has blocked "Exploit Rogue Scanner (type 1178)". As far as I know, this is a rare form and is extremely difficult to remove. The effects of this 'virus' include opening and leading to completely random webpages. I have attempted to research how to remove such a problem. However, my Google searches have yielded few results and the virus still persists (on occasion, AVG tells me the Exploit Rogue Scanner threat is blocked).

Here is what I have done to remedy the situation:
Switched from IE to Mozilla Firefox.
Complete scan with AVG Free (AVG version: 9.0.851 -- Virus DB: 271.1.1/3043). It did not remove the ERS1178.
Complete scan with Spybot-S&D (version: 1.6.2). It did not remove the ERS1178.
Complete scan with Malwarebytes' Anti-Malware (version: 1.41). I have a log for 22 July 2010. It did not remove ERS1178.
Complete scan with SUPERAntiSpyware Main Menu (version: 4.40.1002). It did not remove ERS1178.
(Note: I do not run these protection programs at the same time.)

Finally, I would like to thank those who spend the time reading my po... Read more

A: Exploit Rogue Scanner (Type 1178) - Desperately need help! Logs Included

Hello mercmania

Welcome to BleepingComputer
==========================
Download OTL to your desktop.
Double click on OTL to run it. When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Under the Custom Scans and Fixes section paste in the below in bold:

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.
====================

Q:

I have been having problems with virus/error alerts on my Dell laptop (Windows XP), so earlier today I loaded my laptop in Safe Mode and ran:
1st - Malwarebytes (3 objects found)
2nd - AVG Anti-Virus (scan was done in Command Prompt and did not provide a report, it just closed when completed)
3rd - Malwarebytes one more time (no objects found, did not save either report).

Then I restarted my laptop in normal mode; upon loading I get 4 RUNDLL error boxes that pop up:
1. Error Loading c:\windows\blps40.dll
2. Error Loading c:\windows\system32\cf5m8x.dll
3. Error Loading c:\windows\system32\lc9l4h.dll
4. Error Loading c:\windows\system32\vztjkaj.dll

AVG Free's Resident Shield Alert also pops up with the following notifications:
File: C:\documents and settings\Amy\local settings\temp\Jlj.exe
Infection: Trojan Horse Generic20.ICA
Result: Infected <-- There are a few of these notifications
And
File: ...\system32\winlogon.exe
Infection: Trojan Horse Patched_c.JQJ
Result: Object is white-listed (critical/system file that should not be removed) <-- there are SEVERAL of these notifications

I have also gotten an AVG popup saying that a certain file was infected with an "Exploit Rogue Scanner (type 1349)." I apologize, but I have closed out that box so I do not have the name of the infected file.

DDS.txt:
DDS (Ver_10-11-10.01) - NTFSx86
Run by Amy at 13:57:21.85 on Thu 11/18/2010
Internet Explore... Read more

A: Infected with Trojan horse Patched_c.JQJ and Exploit Rogue Scanner (type 1349)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report.
Please downloa... Read more
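The question in this thread shows the two artefacts that survive a partial clean-up: Run-key entries whose DLL has already been deleted (the four RUNDLL "Error Loading" boxes) and an executable living in a user's Temp folder. The script below is an added example for this page, not a tool from Bleeping Computer, DDS or OTL. It parses the "Running Processes" and "Pseudo HJT Report" sections of a DDS-style log (the layout is approximated from the logs posted on this page; the uRun:/mRun: lines stand for HKCU and HKLM Run entries) and lists what a responder would check first: processes started from user-writable directories, Run entries whose target no longer exists on disk, and rundll32 entries loading a DLL with a generated-looking name. SAMPLE_LOG, SAMPLE_FILES, the updater.exe path and the USER_WRITABLE prefixes are constructed for the example and are assumptions, not data from the thread.

```python
"""Triage the process list and Run-key entries of a DDS-style log."""
import re

# Directories an ordinary user can write to (assumed XP/Vista/7 layouts);
# a process or autorun living there deserves a look.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\",
                 "\\application data\\", "\\appdata\\", "\\programdata\\")
# First absolute path (quoted or not) in a command line.
PATH_RE = re.compile(r'"?([a-z]:\\.+?\.(?:exe|dll|sys|scr))', re.I)
# A digit wedged between letters, as in cf5m8x or lc9l4h. Crude, but it
# separates generated names from the tidy vendor names around them.
SANDWICH_DIGIT = re.compile(r"[a-z]\d+[a-z]", re.I)

# Constructed excerpt in DDS layout (not copied from the page). The temp-dir
# executable and the rundll32-loaded DLLs mirror what the thread reports.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Amy\Local Settings\Temp\Jlj.exe
C:\Documents and Settings\Amy\Application Data\updater\updater.exe
C:\WINDOWS\Explorer.EXE

============== Pseudo HJT Report ===============

mRun: [AVG_TRAY] "C:\Program Files\AVG\AVG10\avgtray.exe"
mRun: [blps40] rundll32.exe c:\windows\blps40.dll,Load
mRun: [cf5m8x] rundll32.exe c:\windows\system32\cf5m8x.dll,Start
uRun: [Jlj] c:\documents and settings\amy\local settings\temp\Jlj.exe
"""
# What the analyst found on disk (constructed): blps40.dll is already gone,
# which is exactly the state that produces RUNDLL "Error loading" boxes.
SAMPLE_FILES = {
    r"C:\Program Files\AVG\AVG10\avgtray.exe",
    r"c:\windows\system32\cf5m8x.dll",
    r"c:\documents and settings\amy\local settings\temp\Jlj.exe",
}


def parse_dds(text):
    """Split a DDS log into process lines and (hive, name, command) Run entries."""
    processes, runs = [], []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("="):                  # section banner
            section = line.strip("= ").lower()
            continue
        if section == "running processes":
            processes.append(line)
        elif section == "pseudo hjt report":
            m = re.match(r"([um])Run:\s*\[([^\]]*)\]\s*(.*)", line)
            if m:
                hive = "HKCU" if m.group(1) == "u" else "HKLM"
                runs.append((hive, m.group(2), m.group(3)))
    return processes, runs


def target_of(command):
    """Lower-cased path of the first executable/DLL named in a command line."""
    m = PATH_RE.search(command)
    return m.group(1).lower() if m else None


def in_user_writable(path):
    return any(seg in path for seg in USER_WRITABLE)


def triage(log_text, files_on_disk):
    """Return [(kind, subject, reason)] entries worth a second look."""
    present = {p.lower() for p in files_on_disk}
    processes, runs = parse_dds(log_text)
    findings = []
    for proc in processes:
        path = target_of(proc)
        # DDS prints a bare 'svchost.exe' for hosts it cannot resolve; that
        # alone is not a finding, so unresolved lines are skipped.
        if path and in_user_writable(path):
            findings.append(("process", path, "running from a user-writable directory"))
    for hive, name, command in runs:
        subject = f"{hive}\\Run\\{name}"
        path = target_of(command)
        basename = path.rsplit("\\", 1)[-1] if path else ""
        if path is None:
            findings.append(("autorun", subject, "no file path in command"))
        elif path not in present:
            findings.append(("autorun", subject,
                             "target missing: orphaned entry behind RUNDLL 'Error loading' boxes"))
        elif in_user_writable(path):
            findings.append(("autorun", subject, "starts a file from a user-writable directory"))
        elif "rundll32" in command.lower() and SANDWICH_DIGIT.search(basename):
            findings.append(("autorun", subject, "rundll32 loads a DLL with a generated-looking name"))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG, SAMPLE_FILES):
        print(f"{kind:8} {subject}\n         {reason}")
```

The output is a list of leads, not verdicts. A tidy Run list says nothing about the patched winlogon.exe that AVG reported in the same post, and the digit heuristic will miss names such as vztjkaj.dll while flagging some legitimate vendor files, which is why the helpers on this page ask for a full OTL or DDS log rather than a quick scan before deciding anything.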

Q:

IE pops up with "this page cannot be displayed" or just fake "your computer may be infected" type messages... Then AVG pops up saying "threat detected"... When I run AVG or Malwarebytes, I get nothing... I just want to know how to make it stop

Q:

Folks,

I have been trying off and on for 2 weeks to clean this machine. It is my brother-in-law's computer and used by his kids to play many online games. It came to me with a BSOD which I recovered from by removing Antivirus XP malware using Malwarebytes Anti-Malware. I subsequently cleaned about 30 infections off the machine. I have scanned it with AVG Free, Malwarebytes, Spybot S&D, Ad-Aware, HouseCall and BitDefender (online). Still it has a browser hijacker in both Firefox and IE v8. I am getting repeated virus alerts from AVG concerning iastor.sys and one concerning kxdiypod.sys. I have tried to replace iastor.sys by renaming it and copying a new version. Every time I mess with it, I get another AVG alert and it replicates itself. Please help!

DDS (Ver_10-03-17.01) - NTFSx86
Run by Michele at 17:54:04.18 on Sat 04/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.202 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) Copyright Information 0

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\... Read more

A: Exploit Rogue Spyware scanner

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more

Q:

My Toshiba laptop with Windows 7 was showing a pop-up (thought to be from Windows Security) stating I had a virus. I cannot figure out how to get rid of it. I have scanned with everything and quarantined 3 trojans. Ran anti-spyware and anti-virus again with nothing showing; however, the pop-up keeps happening. Can you tell me how to get this "exploit rogue scanner" trojan/virus/thing gone for good? Thank you so much for your help/advice.

EDIT: Moved from Win 7 to Am I Infected forum ~ Hamluis.

A: Exploit rogue scanner

Hello and welcome... I think if we try this we can get a foot in the door. You need to do all the steps, as some pertain to your issue.

Please follow our Removal Guide here: Remove Antispyware Soft (Uninstall Guide). You will move to the Automated Removal Instructions.

After you have completed that, post your scan log here and let me know how things are.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log, to include the top portion which shows MBAM's database version and your operating system.

Q:

My infected computer is in really bad shape. All of a sudden my "security" system detects there's a virus and a whole different antivirus application pops up saying I should download it, trying to push me to pay. It infected everything, I mean EVERYTHING. I can't run a single application without it interrupting and telling me to buy, buy, buy. I managed to track it and I tried to delete it, but it needs the administrator's permission, which is me (I have Vista), and I continue and it still can't delete it. I know it's the Rogue Scanner. I can't delete anything or get on the internet or anything. I hope you guys can help. I'm on the other computer in the house posting this because it's that bad.

I have AVG, thought it could protect me but I guess not. I read that the Exploit Rogue Scanner makes additional viruses to be a diversion for it to work behind the security system and then acts like the new security system.

If you need any more information I'll try to answer.

Please help.

A: Exploit Rogue Scanner of some sort

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

Q:

Hi. My computer has been redirecting all searches (in IE and Firefox) to random websites since last night. I'm running Windows XP and we did try to download Adobe Flash Player yesterday, so I'm wondering if maybe that was the problem. We deleted Flash Player this morning, but that didn't fix the problem. So, if anyone could help, that'd be great.

Occasionally we see a pop-up window that says "Threat Detected" and underneath that it identifies the threat as "Exploit Rogue Scanner (type 1634)", if that helps at all.
Thanks.

EDIT: We ran AVG security software earlier and it didn't catch anything. We also ran Malwarebytes and it pulled up 12 things. We removed all of those, but nothing changed. I can post the logs if need be.

NOTE: Every time I try to post our log from HijackThis (I've seen others doing it), we get an "Internet Explorer cannot find webpage" error, so I'm not sure we'd even be able to post that if you requested it. I tried emailing the log to myself, same issue. The only way I could post anything (email or here) was to take out the log.

Q:

Hello, sorry I'm new to this forum so I may not know the rules here, but I just found this sub-forum of this site and I decided to ask a few questions. Okay, so basically last night I was just randomly on Facebook, so then I just clicked the search friends button and I suddenly got this string of findings by my anti-virus AVG, which I will show you in the screenshot attached to this message. Furthermore, I took the initiative to try and clear out the viruses by deleting the infected files through the registry and manually deleting them from the system32 folder which some of the viruses got into.

Those were called the following:
mzzup.dll
qzzup.dll
dzzup.exe

These were all found in my system32 folder, which I successfully deleted; however, there came a bunch of pop-ups in my Mozilla Firefox afterwards when I was searching about the virus on Google, and whenever I clicked on a link it would give me this totally random website, so I'm guessing it's the work of the virus. As a result of this, I uninstalled Mozilla Firefox in hopes of getting rid of the random pop-ups, but to no luck it came back afterwards. Although right now the pop-ups don't seem to be present, I STILL want to make sure that my computer is completely cleaned of this virus, spyware, adware, or whatever it was.

Furthermore, this morning, when I was browsing in Firefox on a Canucks website, I got this virus that got detected by AVG called an Exploit Rogue Scanner (type 1148), as you can see in the screenshot, whi... Read more

A: Trojan Horse, Exploit Rogue Scanner

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random, which includes a HijackThis log, and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see the Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
Reply to this thread; do not start another!
Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
Do not run any other... Read more

Q:

Hello, sorry I'm new to this forum so i may not know the rules here, but i just found this sub forum of this site and i decided to ask a few questions. Okay so basically last night, i was just randomly on Facebook, so then i just clicked the search friends button and i suddenly got this string of findings by my Anti-virus AVG, which i will show you in the screenshot attached to this message. Furthermore, i took the initiative to try and clear out the viruses by deleting the infected files through the registry and manually deleting them from the system32 folder which some of the viruses got into.

Those were called the following:
mzzup.dll
qzzup.dll
dzzup.exe

These were all found in my system32 folder which i successfully deleted, however, there came a bunch of popups in my Mozilla firefox afterwards when i was searching about the virus on google and whenever i clicked on a link it would give me this totally random website so I'm guessing its the works of the virus. As a result of this, i uninstalled Mozilla Firefox in hopes of getting rid of the random pop ups, but to no luck it came back afterwards. Although right now, the popups don't seem to be present, I STILL want to make sure that my computer is completely cleaned of this virus, spyware, adware, or whatever it was.

Furthermore, this morning, when I was browsing in Firefox on a Canucks website, I got this virus that got detected by AVG called an Exploit Rogue Scanner (type 1148) as you can see in the screensho... Read more

A:Virus: Trojan Horse, Exploit Rogue Scanner

Apparently I can't post the whole DDS log for some reason, here is the rest of the log

DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default

19 more replies
Answer Match 84.42%

I've been working at this for about a week now and don't remember everything I've done. AVG sometimes identifies this as an Exploit Rogue Scanner. Sometimes it finds nothing.

When I click on a link I get some random website. A Wireshark trace shows the requested website actually downloads but then 2 or 3 more websites load immediately afterward.

I've also been redirected to a website that asks me to take a survey, even after typing in an address in the address bar. I close that web page almost subconsciously so I don't have much info on it.

Any help would be greatly appreciated.

~Perry
DDS (Ver_09-12-01.01) - NTFSx86
Run by Gemarl at 3:47:38.54 on Fri 12/25/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2636 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:&#... Read more

A:Search engine redirect problem (Exploit Rogue Scanner?)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more

39 more replies
Answer Match 76.02%

I've recently acquired the false Zinaps malware "remover," and I'm trying to get rid of it. I've read that it's really recent, so my previous scanners probably will not do the job. Could I get some help?

The lower task bar "notifies" me constantly with a yellow triangle with an exclamation mark. It reads "Windows has detected spyware infection. It is recommended to use special antispyware tools to prevent data loss. Windows will now download and install the most up-to-date antispyware for you."

By the way, this is Windows XP

Also, my computer's been excruciatingly slow recently (even before Zinaps), so if you could help me take care of those too?
 

A:Zinaps rogue spyware scanner 7.0 removal

Here's the HiJackThis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:21:54 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\P... Read more

1 more replies
Answer Match 76.02%

I'm infected with a Fake spyware scanner by the name of Zinaps 7. Can you help me get rid of it?

Thanks.
 

A:Help me delete Zinaps 7 rogue spyware scanner

Welcome to TSG

Please click Here to download HijackThis to your desktop.

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis

A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Close all other windows except HijackThis.

Click on "Do a system scan and save logfile" When the log pops up in Notepad, copy and paste that file back here.

Do NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
 

1 more replies
Answer Match 74.34%

Hello, I suspect this all happened a few days ago when a friend attempted cracking a software program for me. Which he did do, but I see I am paying for it. The day it was cracked AVG detected a trojan downloader, I don't remember the name since I dismissed it. (Had gotten them before with no problem.) But I still ran AVG scans in normal and safe mode and deleted all files it showed as a threat. About 4 days later after no problem my computer started acting sluggish all of a sudden, the next day AVG detected a new threat "Exploit Spyware Scanner" through the web alert I believe it was and told me the infected file and process was IEXPLORE.EXE, which was odd since I had deleted Internet Explorer a long time ago. I finally found it in program files and attempted to delete it but it wouldn't let me. The files I was able to delete from the IEXPLORE.EXE folder would come back the second I deleted them so I gave up and started looking for help. Around this time I started getting popups mostly spyware/adware removal related while Firefox was inactive. The site I went to suggested running the SuperAntiSpyware removal program, so I did. Out of 50 minutes of scanning it has found these problems:
Adware.Vundo/Variant-PrintDlgExW 9 files
Adware.Vundo/Variant 2 files
Trojan.Downloader-NewJuan/VM 2 files
Adware.Hotbar/ShopperReports(low risk) 24 files
Adware.Zango/Shopping Report 137 files
Adware.Vundo Variant 7 files
Trojan.Vundo-Variant/NextGen-Six 4 files
Trojan Vundo Variant... Read more

A:Exploit Spyware Scanner/Vundo & Trojan infection

Welcome to the BleepingComputer Forums. Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped. Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please: Reply to this thread; do not start another! Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so. Do not run any other tool until instructed to do so! Let me know if any of the links do not work or if any of the tools do not work. Tell me about problems or symptoms that occur during the fix. Do not run any other programs or open any other windows while doing a fix. Ask any questions that you ... Read more

2 more replies
Answer Match 68.04%

Hi. For the past week I've been having redirecting issues on Google links and as of today it takes multiple reloads before I can get to the Google site/applications. I scanned my PC with AVG Free 2012 and I'm told I have Trojan Horse Crypt.ANVH, which is whitelisted by AVG. Late last night I started getting messages about Exploit Phoenix Exploit Kit (Type 769) which was located in svc.host. SVC.HOST randomly goes from 90k mem usage to 500k- 1million usage. I'm also getting tons of random cookies (which I think the trojan is the cause?) just from being connected to the internet, though I won't have any applications open at the time. When I ran Gmer like the Welcome Guide said to, the application kept freezing in the middle of scanning, so I had to download the .EXE file instead of the .ZIP, but that didn't work either (1st try: froze computer. 2nd try: computer froze then randomly rebooted). I am currently rerunning Gmer under the name iexplorer.exe, but I want to get this post up as soon as possible to get this fixed. I'll post the data, if I can get it, from Gmer when it pops up down below. One last thing -phew- My windows firewall, when I double-click to activate it, gives me a message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?". When I click yes, I then get the message "Windows cannot start the Wind... Read more

A:Infected with: Trojan Horse Crypt.ANVH and Exploit Phoenix Exploit Kit (Type 769)

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated f... Read more

27 more replies
Answer Match 67.2%

A small child got on my computer and was playing games over the weekend and must have downloaded a virus. I have Windows XP. The first issue was my keyboard was not responding. It still does not work, except for the standby button. However it does fully function in Safe Mode.

Next problem when I rebooted was that I had the virus "Antivir Solution Pro". I think I have successfully removed it by following some guidelines posted on your website in another post. However when I run an AVG virus scan, it shows the following infection "Exploit Phoenix Exploit Kit (type 1112)" and it shows it in two different files with no option to remove them.

My keyboard still does not respond with Windows either.

Any help would be appreciated.

A:Exploit Phoenix Exploit Kit (type 1112) virus?

Hello, a couple more to run..

Next run ATF and SAS: If you cannot access Safe Mode, run in normal, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop .. DO NOT run yet.

Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, ple... Read more

3 more replies
Answer Match 67.2%

I am having problems with the Exploit Phoenix type 1691 and my computer is redirecting to random links. AVG gave a threat warning on this and the filename was airlinoe.com/makoppskq/ypxvfzhmfo.php, it says the threat was blocked. Then the Generic Host Process for Win32 encounters a prob and has to close. I cannot open the Windows firewall because the Windows Firewall settings and Internet Connection Sharing (ICS) services are not running but they will not start.

This is my first time here asking for help so I really don't know what other information you need but here are the log files.

Thanks for your help!

DDS (Ver_10-11-10.01) - NTFSx86
Run by dds at 11:57:31.42 on Fri 11/19/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.424 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:&... Read more

A:exploit phoenix exploit kit type 1691 and redirecting

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the ... Read more

8 more replies
Answer Match 67.2%

How can I get rid of this virus please? My AVG program blocks it every time on my laptop, so I presume the virus is on the server? But I cannot access my website www.ksamui.com from my laptop. Funny, but no problem from my Android phone. I have 2 subdomains which also cannot be accessed from the laptop but are OK with the mobile.
My staff has the same problem with her laptop (not connected to mine in any way).
So really no idea how to know if it is my computer or what?

Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft Windows 7 Ultimate, 32 bit
Processor: Pentium(R) Dual-Core CPU T4400 @ 2.20GHz, x64 Family 6 Model 23 Stepping 10
Processor Count: 2
RAM: 2010 Mb
Graphics Card: Mobile Intel(R) 4 Series Express Chipset Family, 781 Mb
Hard Drives: C: Total - 102304 MB, Free - 14547 MB; D: Total - 72406 MB, Free - 64922 MB; E: Total - 130427 MB, Free - 9535 MB;
Motherboard: Dell Inc., 0K138P
Antivirus: AVG Anti-Virus Free Edition 2012, Updated and Enabled
 

More replies
Answer Match 67.2%

Good morning,

Yesterday AVG intercepted several "attacks" that led me to run two Malwarebytes scans and then a Combofix scan on my husband's advice. Even so, the AVG notices of "attacks" intercepted continued.

I found this forum and another posting by SouthernLady90 who was being helped by KevinF80 with a similar situation. I ran all the scans that Kevin suggested and am not sure if my system is cleaned up or not, as I don't know how to interpret the log reports given.

I'm hoping to learn if my system is now cleaned completely.

Sweetbeba Pat

My info (just run with the AVG disabled from last scan):

OS Version: Microsoft Windows 7 Professional , Service Pack 1, 64 bit
Processor: Intel(R) Core(TM) i5 CPU 661 @ 3.33GHz, Intel64 Family 6 Model 37 Stepping 2
Processor Count: 4
RAM: 3771 Mb
Graphics Card: Intel(R) HD Graphics, 1757 Mb
Hard Drives: C: Total - 953766 MB, Free - 727350 MB;
Motherboard: Gigabyte Technology Co., Ltd., H55M-USB3, x.x,
Antivirus: AVG Anti-Virus, Disabled

HiJack This Log: (just run)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:05:54 AM, on 10/18/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\NEC Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.e... Read more

A:Removing Exploit Blackhole Exploit Kit type 2062

Well, I know after 24 hours that my system still is not cleaned up - AVG has thwarted several attacks since I posted my info. I'll start tracking what gets reported.
 

1 more replies
Answer Match 65.94%

Hi there, I am running Windows XP SP3 and AVG 9 Internet Security v9.0.894. I have been dealing with a browser hijacker, using mostly Firefox v4 and Chrome (not IE). It usually happens when trying to use a Google search link. AVG gives me a pop up window that tells me it blocks a threat "exploit blackhole exploit kit (type 1397)" and the process listed under it is system32/svchost.exe. I sometimes just get a browser tab opening by itself to some other site. I have tried Malwarebytes Anti-Malware, Spybot S&D and nothing has worked. Can I have some help please. I have a HijackThis log from today and will post when instructed to.

thanks again very much.

More replies
Answer Match 65.94%

Twice whilst playing CS:S I have had the following message pop up.
I have scanned with both Malwarebytes and AVG and nothing has been detected.
What should I do?
I was on the same server both times.

I have looked through my processes list and there is no process with the ID 5848, the closest is Catalyst Control Center (5548)

A:Exploit Eleonore Exploit Kit (type 1194) help!

Have you checked to see if AVG quarantined the file?

3 more replies
Answer Match 65.94%

My AVG Free has put the file in question in quarantine, but I haven't been able to delete it from there. I don't know what else may be active, I don't have much experience here. I ran the progs suggested in this thread to others. Posted below.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Compaq_Owner at 11:36:31.78 on Sat 07/24/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.161 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\hp\drivers\hpls... Read more

A:Exploit Phoenix Exploit Kit ( type 1112)

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

2 more replies
Answer Match 65.94%

Hi there...I'm new to this forum and really need help with my computer. I'm basically a computer illiterate...I know how to use it and that's about it. I have an eMachine T2682 and I have Windows XP. It's been getting slower and slower over the past months, then last week I got a link through Yahoo Messenger trying to get me to open up a picture in Facebook. Yes, I was stupid enough to fall for it, I'm afraid to say. Since then it's really been wiggin out...I've run my AVG and it came up with this Exploit Phoenix Exploit Kit (type 1112)....but before that I got xgukxzrvux.exe\cleansweepupd.exe TrojanHorseSHeue3.ANKU. To me....this is all gibberish and means nothing. I have also been having a problem of clicking on a website and being taken to a totally different site. I downloaded and ran the HijackThis program and have copied and pasted the result of that. If there is any way you guys could help me.....I'd be so grateful. I'm on disability and so home a lot of the time and I have a 13 year old daughter and a 9 year old son....so they like to be on here a lot too. I appreciate your help in advance.

Lisa

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:42:37 PM, on 7/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
... Read more

More replies
Answer Match 65.94%

Hello,

to start off; I am near completely or completely computer-illiterate [as stated..]

I was surfing a blog earlier today [wordpress?] that I visit on a daily basis. It kept redirecting me to an 'ce.ms' URL [see below]. Then McAfee blocks incoming malware and tells me:

The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.
URL: 2222wrwrwr.ce.ms/main.php?page=423b262d0a1a9f70
Name: Blackhole Exploit Kit (type 1889)

and this happens every time I visit the site. I've "googled" my problem but there's nothing solid out there.. other than it's a russian built malware costing up to $1500. I am pretty worried because I've used my credit card, online, today!

Please.. Help! - Henchman

P.S. I am currently 1.5 hours into a malware scan using Ad-Aware
 

A:Blackhole Exploit Exploit Kit (type 1989)

Hi and Welcome!! My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
The fixes are specific to your problem and should only be used for the issues on this machine.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Having said that....Let's get going!! :thumbup:
----------
 

2 more replies
Answer Match 65.94%

I found this 'threat blocked' alert on my screen this morning from AVG; Firefox wasn't even open at the time. I have had problems for the past week or so, with page redirection and also some kind of sys32 error which pixelates my screen and tells me to restart my computer. I'm running Windows XP SP3. I have AVG Anti-Virus plus, it is the full version but a friend downloaded it for free somehow and I'm not sure it is legit.

Even though the alert is saying the threat is blocked I am still having problems with page redirection (it happened again 10 min ago).

Does anyone know about this exploit kit and can someone help me find and remove this problem?

Also just this second a Generic Host Process for Win32 problem occurred, not sure if it's part of the same prob or not but I have the error signature. (This error did not mess up the screen and ask me to reboot.)

Cheers, Ant83

A:Exploit Phoenix Exploit Kit type 1122

Hello, it's not legit and probably what carried the malware. That's the free part, they give you software and steal your identity. Let's do this and get a log...

Reboot into Safe Mode with Networking
How to enter safe mode (XP)
Using the F8 Method
Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode with Networking using the arrow keys. Then press enter on your keyboard to boot into Safe Mode.

>>>> Download this file and doubleclick on it to run it. Allow the information to be merged with the registry.

RKill....
Download and Run RKill
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4

Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
If nothing h... Read more

29 more replies
Answer Match 65.94%

And other possible malware.

Recently while visiting a forum that I am an administrator for, I received a warning from my AVG Free about a possible exploit that had been detected, otherwise known as the listed Exploit Blackhole Exploit Kit (type 1889). As I have been the admin of the site for several months now, I was immediately extremely concerned, as there was little difference to my usual patterns of surfing.

About the only major change I had performed in this instance involved using Firefox in place of my usual Google Chrome, so that I was able to browse more anonymously than I usually would be able to. While I would normally shrug it off as a simple one off corrupted advertisement, over the last few weeks if not months, I've been experiencing random bursts of uncontrolled lag and slowdowns in general functions, as well as addons mysteriously stopping functioning after causing even larger lag spikes. As requested by the site, the following is my HijackThis log.

########################

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:03:31 AM, on 4/10/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\... Read more

A:Exploit Blackhole Exploit Kit (type 1889)

6 more replies
Answer Match 65.94%

Dear Sirs, last week the infection began by diverting my Google or Bing searches to websites other than those listed. For example, if I searched for "adjustable wrenches" and I clicked on one of the companies listed as sellers, my computer would be directed to another website. When I ran scans with SuperAntiSpyware and Malwarebytes, both pulled up scads of infections which I then removed. But the next day, both programs would find many more. When I ran scans, AVG warnings (or what looked like legitimate AVG warnings) would sometimes pop up, mentioning infection by Exploit Phoenix Exploit (type 1112). Eventually the problem grew and the infection seized control of my computer such that I couldn't open any programs. I took the computer to a shop and they seemed to have removed the problem, but today the misdirection of searches has begun again. Apparently, the shop didn't completely remove the problem. In addition, I again can't open up any programs in normal mode, but I can enter Safe Mode with Editing and open programs up. I've posted my dds.txt below.

Regards

P.S.: I've edited this post to mention that I ran TDS Killer, but it didn't find anything.

DDS (Ver_10-03-17.01) - NTFSx86
Run by HP_Administrator at 9:07:13.50 on Mon 08/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.475 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Upda... Read more

A:Exploit Phoenix Exploit (type 1112)?

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


Hi, I hope I've come to the right place. I have been having recurring trojan/malware problems causing my desktop PC to run at a snail's pace on and off for the past month or so. As the post suggests, the latest find was Exploit Phoenix Exploit Kit (Type 1450).

My PC is running: Windows XP (I think service pack 3)
My web browser was Internet Explorer, but I believe my engineer friend has now changed it to Google Chrome on my behalf (currently not liking it to be honest)
Firewall: Zone Alarm
The anti-virus software I am running is: AVG anti-virus free edition (this blocks a threat every day pretty much)
Spybot Search & Destroy (which today found adware such as adviva, doubleclick, mediaplex & webtrends live)
Malware Bytes (regularly finds trojans/viruses etc.)
I also had Emsisoft a-squared, although I believe this has now been removed by an engineer that I occasionally use for my PC help.

I'm not sure where these viruses spawned from but I stupidly opened an email that I believe was called something along the lines of Canadian pharmacy something-or-other. And since then I've had no end of issues. The most noticeable problem I am having is constant 50-100% CPU usage, mostly being eaten up by servicehost.exe, which basically renders my PC useless at some point every time I use it.

No idea what extra information to add to be honest. Whatever info you need, just ask and I will provide. Thank you in advance.

P.S. I have also posted this question for a second time in this discuss... Read more

A:Exploit Phoenix Exploit Kit (Type 1450)

Hello and welcome. Let's get a current log.

We need to disable Spybot S&D's "TeaTimer" if running. TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running. In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.

Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
If prompted with a legal dialog, accept the warning.
Click Mode > Advanced Mode. You may be presented with a warning dialog. If so, click Yes.
Click on Tools and then Resident.
Uncheck this checkbox: "Resident TeaTimer (protection of over-all system settings) active"
Close/Exit Spybot Search and Destroy

Next run ATF and SAS:

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account, download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop. DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center s... Read more


AVG found Exploit Blackhole Exploit Kit Type 2314 and says it's "blocked" but will not allow me to quarantine or delete it.
TDSSKiller finds nothing. Came here for help.
Running a Windows XP SP3 Machine

Any help is appreciated!!

THANKS!!

A:Exploit Blackhole Exploit Kit Type 2314

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom


So in short, AVG, whenever I search from there and go to conceptart.org, it says this warning: Exploit Phoenix Exploit Kit 769 and then lists the forum link I was attempting to go to through that search engine as the source. Not sure how I'm supposed to deal with this? I am extremely tech illiterate, and the little I did search didn't yield much.

Does anyone have any idea what I should do to make sure the forum is safe to go on? Thanks.

A:Exploit Phoenix Exploit type 769?

Hello and welcome, kittycat732. I'd like to run these.

Please download MiniToolBox, save it to your desktop and run it. Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1 <<<== Use this one first.
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
The... Read more


Hi there! Recently, I'm pretty sure I downloaded a virus or worm or whatever it technically is called. I used system restore to go back to the day before and I hoped that would have taken care of it. Well, it mostly did, but now when I search for websites on yahoo or google, if I click a link I just get redirected to another really sketchy website. I scanned using Malwarebytes and my AVG and it turned up nothing. I even put my computer in safe mode and scanned with Malwarebytes and it still found nothing. Occasionally AVG will pop up with an infection saying that the process name is svchost.exe. Here's a link to the picture http://www.mediafire.com/imageview.php?quickkey=xcybk20yoyz

I checked on these forums for several similar problems and they were able to fix theirs, so I'm hoping you guys could do the same for me. I know a decent amount about computers but I was just looking for some more help. Thanks so much!


HJT log; I ran Micro Security Essentials full check and it found some Trojans, I removed them but the issues still persist. I'm getting pop ups on the bottom of my screen on IE, Firefox and Chrome. Ran Malwarebytes but it didn't think I had anything. I'll post the log for that too. Let me know if anyone could take a look at this and see if there's something wrong with the computer.
Appreciate it very much.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:26:25 PM, on 3/27/2013
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16470)
Boot mode: Normal

Running processes:
C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe
C:\Users\Owner\AppData\Local\Akamai\netsession_win.exe
C:\Program Files (x86)\Secunia\PSI\psi_tray.exe
C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files (x86)\ASUS\AI Manager\AsShellApplication.exe
C:\Program Files (x86)\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files (x86)\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Aeria Games\Ignite\aeriaignite.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Owner\Desktop\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,D... Read more

A:Infected: Trojan, TrojenSPY, BackDoor, Exploit, Rogue, & VirTool. Please Help


My neighbor's computer has been infected by some type of rogue antivirus. I think she got it from a link posing as a youtube video. The computer will come on and start like normal. Then it shows the antivirus like it is doing a scan. When I hit control alt delete it advises that the task manager has been disabled by the administrator. It will show that she is sending out bulk email but the names on the email list are not anyone she knows. It will also show that a virus has infected her computer. The name of it is virus protector and below that it says new age of antivirus protection. In the right corner it shows (5 1) 1.0 0.36. If I go to safe mode it does the same thing. I have tried going in under different people's logons. When I go to safe mode I get the virus protection. I have tried windows key r and windows key s. It will not let me access the start up at all. I have tried safe mode with networking. I am able to get into safe mode prompt. But do not know what to do from there. The computer acts like it is reading usb ports and cd's but will not allow it to show on the screen. I tried the superantivirus from a jump drive but it will not read it. The computer is a dell running windows xp. Any help would be greatly appreciated.

A:Some Type of Rogue Antivirus

Okay, I got my neighbor's computer fixed. If people are having the same problems then they may be able to go to safe mode command prompt and type in control panel. Control panel should come up. I had to do a search for rstrui.exe. I clicked on it and restored her computer to the day before she got the virus.

I did a search on ask.com. I typed in "How can I remove Virus protector from safe mode command prompt". That is where I found the information. The website was www.2-viruses.com/remove-virus-protector. Don't know if this will help someone in the future but I am thankful for the comments at the end because that is what saved her 120.00.


On Saturday I suddenly got a message from AVG that said "rogue scanner 1007 etc...". I did a scan with Malwarebytes, Search and Destroy, etc., and I thought it went away. But today I was redirected to a site, randomly, and I got another message "rogue scanner 1031". I did a HijackThis scan, and was wondering if anyone could please help.

Running processes:
C:\Program Files (x86)\Pando Networks\Media Booster\PMB.exe
C:\Program Files (x86)\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C: ... Read more

A:Rogue scanner 1031 plz help

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I have been having some problems with winrscmde warnings showing up on my desktop. Initially I dismissed these warnings, thinking that it was a genuine process that had stopped running. Too late I realized that this wasn't benign. As the computer that has this is not always used on a regular basis, I did not immediately notice that my fan was running louder than usual and that things seemed to be running slower as well. Both AVG and MBAM have caught things that seem to reappear with repeated scans. Included are the results of my DDS scan.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16476
Run by Machelle at 22:33:32 on 2013-04-13
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.6143.3498 [GMT -4:00]
.
AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32... Read more

A:Help with winrscmde and Exploit rogue scanner

Hello m1nnow

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", t... Read more


About a week ago I sat down at a computer that is kept on, but is not always used daily and saw a warning telling me that winrscmde had stopped running. Unfortunately, I assumed it was legit and basically dismissed it. I returned to the computer several days later and discovered that the  same warning was back. In addition to this, AVG had blocked several things, including a HTML Framer and an Exploit Rogue Scanner. When I ran MBAM, it found 2 trojans that it claimed to have cleaned up. Several scans later, MBAM is still removing those same two trojans and AVG is blocking something seemingly evey hour or so. I feel that I am really out of my depth here and would really appreciate some help.

A:Help with winrscmde and Exploit rogue scanner

Welcome aboard

Download Security Check from here or here and save it to your Desktop. Double-click SecurityCheck.exe. Follow the onscreen instructions inside of the black box. A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue. Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Press "Scan". It will create a log (FSS.txt) in the same directory the tool is run. Please copy and paste the log to your reply.

Please download MiniToolBox and run it. Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
Click Go and post the result.

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwareby... Read more


Hello good people. On any computer, when I try to open a site called Free Docs (Documentaries) I always get the message "AVG has blocked the Phoenix Exploit Kit Type 769". I like the site and haven't been able to log onto it for almost two months. I suppose I should be trying to contact the webmaster but I wanted to try Bleeping first.
ky
Great site, this is my first time on it. If anyone has dealt with this can you let me know if you were able to resolve it?

Thanks so very much~ Funky

A:Phoenix Exploit Kit Type 769

Phoenix exploit kit

AVG detects this somewhat active Webthreat and its 6 known variants. http://www.avgthreatlabs.com/webthreats/info/phoenix-exploit-kit/

Phoenix exploit kit is a threat that is spreading. It is currently ranked 10 in the world for online threats. Phoenix exploit kit has been detected by AVG on victims' machines in 180 countries during the last month. There are currently 190 websites in 26 countries that host Phoenix exploit kit.

Are you sure the website is safe?

Roger


Whatever it is, I have been cleaning it off my machine every time I scan my machine.

I did get a virus a month or so ago but I got it off relatively quickly.

Should I be concerned about these?

Also, according to AVG it found it while it was trying to turn on or something.

Is it like tracking cookies, always there being a pest but never doing real damage, or is it something bad?

Thanks for replies, also here is a pic

P.S. also what are those java things

A:What is the pdf.exploit that my scanner keeps talking about

Hi computergeekguy.

Firstly I would remove AVG and replace it with Microsoft Security Essentials & Malwarebytes. Why? Because Microsoft Security Essentials has better detection, is lighter and doesn't cause BSOD's.

I would then run a Scan using Microsoft Security Essentials and Malwarebytes to see if it can detect and remove it.

Next if none of this helps, I would either Disable or Update Java on every Browser or uninstall it completely until the infection is gone.

If Malwarebytes or MSE finds and removes the infection, run an SFC Scan to repair any files the virus could have corrupted.


Hi White Knights, Good Guys and Gals,

My PC was attacked, likely through Internet Explorer today, since I haven't downloaded anything. The following is the list of Malware that XP Security Center has notified:

=email-worm.win32.netsky.q
=rootkit.win32.agent.pp
=backdoor.win32.kbot.al
=net-worm.win32.mytob.t
=net-worm.win32.dipnet.d
=virus.win32.hala.a
=trojan.downloader.js.multi.ca
=virus.win32.gpcode.ak

and Trojan Remover has identified
c:\windows\system32\vacinit.dll

and Mcafee
NTROSKRN... (rootkit trojan)

The program "Protection Systems" continues to pop up prompting me to buy along with random IExplorer bombs despite having removed it from programs. The system regularly freezes when I employ anti-malware programs.

I have attempted to use in normal and safe operating mode (Mcafee from safe command prompt)
=Mcafee VirusScan Enterprise (halts early in operation, Identifies NTROSKRN and 11 cookies)
=Stopzilla (Halts early in operation)
=Malwarebytes(fails to open even with changed name)
=Rooter Malware Finder (Eric_71) (operates results indeterminant)
=Trojan Remover (Runs. results indeterminant)

I am not in a good position to format the PC (in the wilderness).

Any advice what is preventing these malware programs from operating?

Thanks, and happy to repay the favor particularly if you like homebrew since PC wars aren't my specialty!

Lookingtree

DDS (Ver_09-06-26.01) - NTFSx86
Run by Iamcomputer at 20:41:08.59 on Wed 07/15/2009... Read more

A:Unknown Attack Disables Malware Scanner/Antivirus/Spyware Scanner

Hi, lookingtree. Welcome.

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after. Please do not rename Combofix to other names, but only to the one indicated.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please d... Read more


I have ESET NOD32 Antivirus 4.2.67.10, it came with my computer. I recently had an attack by one of those rogue scanners, I don't remember which one. I knew I didn't install it, intentionally, so I ran my antivirus software and thought that would be that. However, every time I run a scan I get the same trojan file as if ESET isn't cleaning it properly.

This is the file ESET finds every time I run a scan.
Operating memory ? \GLOBAL??\0b043b2e\WINDOWS\$NtUninstallKB12330$\184826670\Desktop.ini - a variant of Win32/Sirefef.DN trojan - cleaned by deleting [1]

Since the attack by the rogue scanner: when I do google searches and click on weblinks I get sent to other sites, and sometimes new tabs will also generate. Unsure if it is related, but when I use gmail, sometimes my cursor will change location, making typing an email frustrating.

Also, this is my first PC in a long time, used to game, and have since gone to Mac. In the past I had preferred to stay away from Symantec, Norton, etc. Is there any other less invasive anti-virus software available?

A:Rogue scanner, ESET, sirefef trojan

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated f... Read more


I noticed yesterday that Explorer 7 and Outlook Express were acting up, and my computer was running slow in general. Explorer quit responding MANY times and Outlook could not send/receive emails. I updated and ran Ad-Aware Personal (which stopped responding after the scan was complete), Spyware Doctor, and Norton Internet Security 2008, and though Spywares were detected and removed on both of the latter programs, my computer continued to have the aforementioned symptoms. Early this morning when I was on MySpace, I got a pop-up about buying Antivirus 2009 and though I don't think I responded at all (I was half asleep), Explorer 7 immediately redirected to a webpage that began scanning my computer for viruses and I was inundated with pop ups trying to sell me a virus cleaner. I just Xed out all the pages. My Browsing History shows: 192.168.2.1 and antiviralscanner14.com, though I did not visit either of these pages. I Googled "antiviralscanner14" and only found a yahooanswers entry about it. Since I don't trust those answers I searched a bit more about fake virus scanners, etc and found a Wikipedia article about rogue antivirus programs. I firmly believe I have something of this type, but do not know which one. I followed the advice in the Wikipedia article to use HijackThis and followed instructions from Trendmicro.com to you.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 9:36:21.34 on Fri 02/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Ed... Read more

A:Explorer 7 Redirected to Rogue Antivirus Scanner

YEA!! I REMOVED IT! It was Win32Tr\.\NewMedia. Here is a screen shot of where it took me:

Here is Lavasoft's info about these bugs: http://www.lavasoft.com/support/securityce...?p=366#more-366

HOW I REMOVED IT
1) Backed up all files
2) Restored to a date before (unauthorized) software change
3) Downloaded Ad-Aware Anniversary Edition, updated and ran scan
4) Scan found [ Win32Tr\.\NewMedia - "Serious Threat" - MALWARE that tries to infect registry by redirecting your browser to rogue antivirus and causes popups to purchase product, and thereby release infection. ]
5) DELETED, restarted, ran again and it appears to be gone!

NOTE: Ad-Aware 2008, Malwarebytes, Spyware and Norton Internet Security 2008 all missed it, and though my computer acted better after I restored to an earlier date, I wanted to make sure I had done all I could. And I'm glad I did! Best of luck!


Trying to fix a friend's computer, seems he has numerous rogue spyware/antivirus programs on his computer including Security Tools and maybe a couple others. I am working on getting a ComboFix log right now. Tried to manually edit the registry, however the virus won't even let me open regedit. Tried to run Malwarebytes, but about a minute in it crashes (I'm guessing due to the virus).

Please advise in what direction to go in from here. Thanks!

A:Massive Rogue Virus Scanner Infections

As no logs have been posted, I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.


Hi all.

A few weeks ago, I got a popup 'computer scanner'. Unfortunately, I used the task manager to stop it before getting its name (figured I could find it and delete elsewhere--NOT!). Nothing odd in HJT, Trend Micro, Panda, Spybot, MBAM, SAS, or my Avira Antivir (except a temp file in the activescan one day after that that I quarantined). Figured it was a fluke.

Got another last night. Called itself "Computer Security" in the Application tab in task manager and I ended it. Nothing came up in MBAM (see attached). Tried searching for this "Computer Security" scanner, couldn't find a thing as it's too generic.

Avira Guard found another infected file last night after the 'scan'. Says, "contains recognition pattern of the HTML/Infected.WebPage.Gen.HTML script virus". Changed temp files from the last time... I quarantined it.

I'm not a gamer, pirater, rarely download 'cept necessary programs from trusted sources (to the best of my ability) and try to keep the system lean & relatively tight 'cept I do allow scripts (with permissions) and am a researcher, having to access Myspace, FB, Twitter & thousands of searched sites. Have a Compaq Presario V5000 XP SP3. Wireless FIOS. Free Zonealarm, fiance has the router locked-down w/some custom rulesets, too.

Followed Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help and pasted the first DDS log but was unable to attach the rest of the f... Read more

A:Rogue virus? Unnamed / unfound scanner

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

17 more replies
Answer Match 56.7%

Hi, please help. There is a yellow triangle icon in my task bar that keeps popping up messages about my computer being infected with adware/spyware. There was also a weird green/red icon but Ad-Aware got rid of that - I think it was spyware quake. I have downloaded spycleaner gold, and spyware doctor, spyware doctor found stuff on scan, but won't let me fix it without paying $30 that I don't have... Anyway, I have spent 2 days now trying to get rid of this, and am at my wits' end here. My computer and my internet are running as slow as slush, seriously, I am connected at .1 Kbps, normally I run at 115Kbps, this is horrible. My dad purchased norton 2006 for me, and I can't install it, the "live update" won't work. (I'm not a kid, TMI but I'm 28) I normally use firefox, but just now switched to internet explorer in order to run a panda scan. Internet explorer is totally hijacked, with "perfected security" popping up, and "pestcontrol" and a few others... Here is my hijack this logfile:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:36 AM, on 4/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\P... Read more

A:Rogue Spyware- Spywareno, Spyware Quake, Perfected Security, And More...

Click here to download SmitfraudFix (by S!Ri). Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Click here to download System Security Suite. Extract it from the zip file into a folder.
Click here to download ewido security suite - it is a trial version of the program.
Install ewido security suite. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop; double-click it. The program will now go to the main screen. You will need to update ewido to the latest definition files. On the left hand side of the main screen click Update, then click on Start Update. The update will start and a progress bar will show the updates being installed. Do NOT run a scan yet. Exit the program.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Select option #1 - Search by typing 1 and press Enter. This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log in your next reply.
IMPORTANT: Do NOT run any other options until you are asked to do so!

10 more replies
Answer Match 56.28%

First problem I noticed was my Google reader feed going to a 404 when all other pages loaded fine. Then Google started redirecting. AVG has picked up a few things, and MBAM has gotten rid of a Trojan, but none of these have solved the problem. Last night I started getting Blue Screens as well. Not the traditional BSOD that I'm used to, where "Fatal Exception _________ has occurred," but one where Windows has stopped working, and it needs to shut down to save data. Any advice, assistance, and help with this would be most appreciated. I followed the preparation guide, and am posting the DDS log. Per its instructions, given that I am running Win7 x64, I have not created a GMER log.

Thanks in advance for any help.

~Ralph

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Andrew at 3:30:59 on 2012-02-16
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3563.2140 [GMT -6:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2012\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2012\avgcsrva.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.... Read more

A:Phoenix Exploit Kit (type 769) infection

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

17 more replies
Answer Match 56.28%

Hi,
AVG warned me that it detected: exploit javascript obfuscation type 156, on my computer after visiting a website and removed it. Is this sufficient or should I take further steps?
 
Thanks,
Mary
 
Moderator Edit: Moved from Internal Hardware to a more appropriate forum at OPs request
Roger

A:exploit javascript obfuscation type 156

The word obfuscate means to make obscure, unclear, alter or modify. When that term is used in conjunction with Java it means to obscure the real meaning and intent of JavaScript code. Obfuscated JavaScript code can be found inserted into compromised webpages by attackers who attempt to infect visitors with vulnerable or unprotected computers. Depending on the anti-virus vendor such a detection will have various names but essentially mean the same thing. Trojan:JS/BlacoleRef.DD is a detection name for an obfuscated JavaScript, often found inserted into compromised websites. This threat is designed to load a hidden IFrame that loads behind the user's browser, redirecting it to an exploit server known as "Blackhole"... There are no common symptoms associated with this threat - links are activated within IFrames while viewing web content on maliciously modified pages. Alert notifications from installed antivirus software may be the only symptoms.... A user may be infected when they visit a compromised webpage. A vulnerable webpage may allow an attacker to successfully inject a client-side script, which then executes when a user visits the compromised page. About Trojan:JS/BlacoleRef.DD

If your anti-virus provided a warning for an obfuscated JavaScript while you were surfing a website, most likely that type of threat was blocked/quarantined and there is nothing else to remove. If you want to perform a more thorough browser clean up, please refer to: How to Clear Your Browser's Cach... Read more

21 more replies
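As an added example (not part of the thread above, and not AVG's or any vendor's detection logic), here is a small Python scanner for the two artifacts the reply describes: a hidden IFrame (zero-size or CSS-hidden) pointing at another host, and a script block that feeds long runs of escaped bytes to eval/unescape/String.fromCharCode. The sample page, its hostnames and the script payload are constructed for the example; a real page would be fetched and passed to scan() with the host it came from.

```python
"""Scan an HTML page for the injection pattern described in the reply:
a hidden IFrame pointing off-site, plus a <script> block that decodes a
long %xx / \\xNN escape run. Added example, not from the thread and not
AVG's detection logic; the sample page and hostnames are constructed."""
import re
from html.parser import HTMLParser

# Constructed sample of a compromised page (hypothetical hostnames).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://example.net/about" width="600" height="400"></iframe>
<iframe src="http://bad-example.invalid/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>
eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%27%29'));
</script>
<script>document.getElementById('x').innerText = 'hello';</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DECODER_CALL = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(", re.I)
# Eight or more consecutive %xx or \xNN escapes: a decoded payload, not prose.
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I)


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (with or without 'px')."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1


def _host_of(url):
    """Hostname part of a URL, lower-cased; '' when there is no src."""
    stripped = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url or "", flags=re.I)
    return stripped.split("/")[0].split(":")[0].lower()


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []      # list of (kind, detail) tuples
        self._script = None     # buffer collected while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            hidden = (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                      or bool(HIDDEN_STYLE.search(a.get("style") or "")))
            if hidden:
                host = _host_of(a.get("src"))
                where = "off-site" if host and host != self.page_host else "same-site"
                self.findings.append(("hidden-iframe",
                                      f"{where} iframe to {host or '(no src)'} "
                                      f"at line {self.getpos()[0]}"))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over as raw text (CDATA mode).
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            # Both a decoder call and a long escape run: the obfuscation idiom.
            if DECODER_CALL.search(body) and ESCAPED_RUN.search(body):
                self.findings.append(("obfuscated-script",
                                      f"{len(body)}-byte script ending at line "
                                      f"{self.getpos()[0]} decodes an escaped payload"))


def scan(html, page_host):
    """Return (kind, detail) findings; page_host is the host the page came from."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_PAGE, "example.net"):
        print(f"{kind}: {detail}")
```

The two heuristics are deliberately independent: a zero-size IFrame is suspicious on its own even when the script that wrote it has already been cleaned up, and a decoder call is only flagged when it is fed an escape run, so ordinary minified code that happens to call eval is not reported.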
Answer Match 56.28%

About a week ago, I received a pop-up message from AVG that it had blocked a threat called "Blackhole Exploit Kit (type 2062)". I looked at my task manager and noticed that a svchost.exe process was using up an unusually large amount of resources, typically about 500,000 K or more of memory usage and causing my computer to run rather slow. I scanned my computer with Malwarebytes and with AVG, but they turned up with nothing. The AVG pop-ups kept coming up occasionally so I used system restore to revert back to a previous restore point. However, the problem keeps occurring. There is always a svchost.exe process using up a lot of resources. I end the process in the task manager, but it comes back a few minutes later. Also sometimes my Windows taskbar and other window themes change from its default blue color to a generic looking gray color. I appreciate any kind of assistance that I can get.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Jeff at 21:27:27 on 2011-10-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2201 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.e... Read more

A:Blackhole Exploit Kit (type 2062)

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put them in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
Do not run any other tool until instructed to do so!
Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.
Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.
Run Combofix:
You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).
Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<
Combofix may need to reboot your computer more than once to do its job; this is normal.
You can download Combofix from one of these links. Link 1 Link 2 Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r... Read more

18 more replies
Answer Match 56.28%

Hi recently it seems I have picked up the above rootkit and it has made my computer time very frustrating. As I have very little computer knowledge I was hoping someone could walk me through the fix. I have read your 'Before you post' section and have been working my way through the list but when I try to do the GMER (Twice now) somewhere after the first hour my computer crashes and I lose the lot. I have all the other data waiting to go and I have Combofix ready as well. Just one other point about this redirect, I find that even when using IE if I get a mail with a link it will open on a Google page and not IE so I can't use it, this also happens with MSN, I can open it and chat but if I try to read my hotmail it opens a Google page. Gee I hope that makes sense. Thank you in advance
Ken

Mod. edit. Instructed member to post logs. Has problems doing so. I have removed my replies and merged/paraphrased the member's posts. ~ OB

Got a problem. Every time I try to post my DDS log I get an 'Internet Explorer cannot display the webpage' error
Ken

See if I can do an attach... Attachment not working either. I am going to need to think through how to get these details loaded, I'm in Australia and it's midnight here so I might try again in the morning if thats ok?
Ken

DDS (Ver_10-03-17.01) - NTFSx86
Run by Ken at 11:58:39.45 on Thu 15/04/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista® Home Basic 6.0.6002.2.1252.61.1033.18.1015.343 [GMT 10:00]
SP: L... Read more

A:Exploit Neosploit Toolkit (type 779)

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic. Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible. Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

15 more replies
Answer Match 56.28%

I was surfing the net when my AVG internet security defender popped up and told me there was an exploit on the website.
Is there anyway to know if I have the exploit?
AVG claimed to block it, but I want to make sure.

More replies
Answer Match 56.28%

I use AVG and it was their Web Shield Alert

saying

Exploit Javascript Obfuscation (type 607)

I have no idea what that means and can't seem to find any information about it all, even from AVG help/forums.

It also has

Process Name: C:\Program Files\Mozilla Firefox\firefox.exe

my OS is Windows 7 .

please can you help me
 

More replies
Answer Match 55.86%

Only apparent symptoms are pop ups in new tabs on Firefox, many programs crashing randomly and slower than normal system speed.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Sarah at 9:34:29.51 on Mon 03/28/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_24
AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.xfinity.com/?cid=xfactiv_eg_self_main
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin... Read more

A:AVG reporting Blackhole exploit kit type 1889

Good evening. Download aswMBR.exe from here and save it to your Desktop. Double click the tool to run it. Click the Scan button to, well, start the scan - obvious really! Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log. On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any. You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now. I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

4 more replies
Answer Match 55.86%

Over the weekend, our web site was hacked. In researching the information about how to fix it, my investigation of .htaccess redirects led me to a site where I immediately gained an AVG notification of an active threat. This may have impacted two different computers of mine as I was working simultaneously from that web site on each one. My gmail account was hacked this morning; I have since locked it down with the two-step verification (I feel like a fool for not doing this previously), but I am now also receiving an AVG warning repeatedly on the laptop. It's been a bad enough computer weekend that I wish I'd become a carpenter.

The specifics of the AVG message are:

Danger: Surf-Shield has detected active threats on this page and has blocked access for your protection.
The page you are trying to access has been identified as a known exploit, phishing, or social engineering web site and therefore has been blocked for your safety. Without protection, such as that in the AVG Security Toolbar and AVG, your computer is at risk of being compromised, corrupted or having your identity stolen. Please follow one of the suggestions below to continue.

URL: rss.alexa.com/urls?m=3&h=1&n=10&r=1&u=1
Name: Facebook Clickjacking (type 1911)

Threat was blocked!

File name: rss.alexa.com/urls?m=3&h=1&n=10&r=1&u=1
Threat name: Exploit Facebook Clickjacking (type 1911)

When I click on Show Details, I get the following:
Process name: C:\Program File... Read more

A:Exploit Facebook Clickjacking (type 1911)

Hi, Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log. Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic. Once I receive a reply then I will return with your first instructions. Thanks

23 more replies
Answer Match 55.86%

Upon attempting a log-in to a family member's personal blogsite, AVG popped up with an "Accessed File is Infected" warning. The "Threat Detected" file name is focus-de.pichunter.com.moneycontrol-com.ampsguide.ru:8080/index.php?js. The threat name is "Exploit Javascript Obfuscation (type 894).

I then ran a full AVG scan; no threats were detected. My question is....can I trust the AVG scan results or should I dig a little further to find out if any bad boys are still lurking out there? If so, please direct me in that search.

BTW, I immediately notified the blogsite's owner and have been informed that the infection has been removed; I won't be using the site any longer, as the owner is no longer blogging there.

Thanks, wonderful Bleepers.

A:Exploit Javascript Obfuscation(Type 894) Virus

Hello, well we should check a few things. Exploits are commonly the result of a malicious javascript exploiting a hole in some software. So update your Windows fully. If XP, click start. You will see a Windows Update selection in the pop up menu.
Update Adobe Reader. Adobe Reader 9.2 UN check this box Free Google Toolbar (optional)
Check JAVA version. Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).
Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All. Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All. Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop. alternate ... Read more

5 more replies
Answer Match 55.86%

Hello, often when I search the web and click on a search result, my browser redirects me to another site. My antivirus program (AVG Free 9.0) has identified a problem but has been unable to remove it. This is what it has told me:
"C:\WINDOWS\system32\vimc.exe";"Potentially harmful program HackTool.BVK";"Moved to Virus Vault"
"C:\WINDOWS\system32\vimc.exe";"Potentially harmful program HackTool.BVK";"Moved to Virus Vault"
File name: lenetun.com/info/sun.html
Threat name: Exploit neosploit toolkit (type 1109)
Process name: C:\WINDOWS\Pcykya.exe
Process ID: 1356
Also, when I tried to run GMER, I got a dialog box saying it ran into a problem and had to close. I tried to run it again and my computer instantly crashed, giving me a blue screen saying something along the lines of "the program was terminated to avoid further damage to your computer". So, it seems I've been infected! Thank you for your help. I've attached the Attach.txt file, but as mentioned above was not able to generate a log using GMER. The DDS.txt log report follows:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Kyle S at 17:40:52.48 on Tue 06/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.83 [GMT -4:00]
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
============... Read more

A:Exploit neosploit toolkit (type 1109)

Hello, k988. My name is aommaster and I will be helping you with your log. I apologize for the delay in response, we get overwhelmed at times but we are trying our best to keep up. If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine. Thanks
Should you still require assistance, please take note of the points below:
Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad. The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
Please do not install, update, or run any programs for the duration of the fix.
If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for.
Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
If you are running Vista, please run all the fixes as an administrator. This is done by right-... Read more

7 more replies
Answer Match 55.86%

Hello, Looking for some guidance. AVG lists several Online Shield findings (Exploit Neosploit Toolkit; Exploit Rogue Security Threat Analysis; Exploit Rogue Scanner) on the other half's computer. As well as redirects on google to other websites. Windows Taskmanager is disabled and can not update Windows or Windows Defender. I have read the Prep Guide and have the results. Thanks in advance for the assistance. Working on cars is easy compared to this!
John

DDS (Ver_10-03-17.01) - NTFSx86
Run by CINDY D at 15:38:13.17 on Fri 07/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1919.1270 [GMT -4:00]
AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.... Read more

A:Exploit Neosploit Toolkit (Type 1142)

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
Please download OTL from one of the following mirrors: This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:
CODE
msconfig
safebootminimal
activex
drivers32
netsvcs
%SYSTEMDRIVE%\*.exe
/md5st... Read more

18 more replies
Answer Match 55.02%

Hello.
I have 64-bit win7 ultimate OS.
I'm getting "Exploit Fake Flash Player [Type 1747]" pop-up every time I go to youtube website.
Symptoms started from last 5-6 days.
It blocked all the Google services.
My AVG Anti-virus pops up every time I use any Google services.
So, I formatted my C drive and re-install the win7.
Now I'm getting AVG pop-up only when I try to use youtube website.
It's showing the error: Exploit Fake Flash Player [Type 1747]
Still I'm getting this pop-up or whatever it is called
 

AdwCleaner scan log is:-
# AdwCleaner v4.207 - Logfile created 02/07/2015 at 12:21:44
# Updated 21/06/2015 by Xplode
# Database : 2015-07-02.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : KinG - KING-PC
# Running from : C:\Users\KinG\Downloads\adwcleaner_4.207.exe
# Option : Cleaning
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\AVG Secure Search
Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHelper.ScriptHelperApi.1
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [vProt]
... Read more

A:Exploit Fake Flash Player [Type 1747]

Someone help!!

10 more replies
Answer Match 55.02%

Hello, for the past 10 days I keep getting the Exploit Fake Flash Player (type 1747). This happens whenever I try using Facebook, Google, Youtube or Gmail. When I try accessing these sites, no page of the site will load, immediately after which my AVG anti-virus will pop up with the Exploit Fake Flash Player (type 1747) notification. Mostly it occurs just for one of the 4 sites although at times multiple sites won't work. As far as I know it happens only with these 4 sites.
 
Details of my Laptop:
Manufacturer: Dell
Model: N5110
Processor Intel® Core™ i5-2450M CPU @ 2.50GHz
Installed memory (RAM): 4.00 GB
System type: 64-bit Operating System
Operating Systems: Dual-boot
Windows 7 Home Basic Service Pack 1 (Pre-installed at time of purchase)
Ubuntu (Don't remember which version as i use it 2-3 times a year)
Windows Firewall enabled
AVG AntiVirus Free Edition 2014
 
 
I have tried solving the problem on my own a couple of times. When I first came across the problem I figured it must be malware, so I ran a MalwareBytes Anti-Malware scan on my laptop. Here are the results of the scan. I have quarantined everything that was detected.
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 25-08-2014
Scan Time: 08:27:03
Logfile: mbam 25-8-2014.txt
Administrator: No
 
Version: 2.00.2.1012
Malware Database: v2014.08.24.07
Rootkit Database: v2014.08.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: D... Read more

A:Exploit Fake Flash Player (type 1747)

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/546368 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

9 more replies
Answer Match 55.02%

Hi,
I am not sure how it started, but since yesterday my AVG antivirus keeps popping up saying it has blocked an "Exploit Fake Flash Player (type 1747)" threat.  I have scanned the computer with AVG and it said it has healed 7 files.  However, the malware still exist and the "Exploit Fake Flash Player" message keeps popping up.  My computer has slowed down due to this and my google chrome cannot access Gmail and Yahoo.
 
I have tried using Lenovo's Rescue and Recovery to restore the computer back to a month ago, but unfortunately the attempt doesn't kill the malware.  Would you please advise how I can remove it? 
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.55.2
Run by GALLANT at 22:03:52 on 2014-08-01
Microsoft Windows 7 Professional   6.1.7601.1.1252.61.1033.18.7757.5471 [GMT 8:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

A:Exploit Fake Flash Player (type 1747)

Hi there, my name is Marius and I will assist you with your malware related problems. Before we move on, please read the following points carefully.
First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you cannot post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Which router model do you use? Tell me the vendor and the exact model number.
Also, do the following:

Scan with Gmer rootkit scanner
Please download Gmer from here by clicking on the "Download EXE" Button.
Double click on the randomly named GMER.exe. If asked to allow gmer.sys ... Read more

15 more replies
Answer Match 55.02%

My AVG keeps identifying and "securing" this Exploit Fake Flash Player.  I read an earlier log about it and I think the router is probably infected but I want to take the proper steps to correct things.
 
I have two problems with that right now.  I've been trying to download dds from bleepingcomputer.com and I wait and wait but my computer has not even loaded the page.  (The problem is on my desktop PC.  I'm typing this on my MacBook).  Is there another, better, faster way to get what I need? 
 
Also, I expect I will need the correct settings for my router to complete this process but I don't know what those settings are (or what they look like when I see them) or where to get them.
 
I thank you for your help.
 
**UPDATE** I went ahead and reset the router (Belkin F9K1103v1) to its default state using the little button in back.  Things seem to be working much better but I'd still like to make sure everything gets cleaned up properly if someone can help me with that.

A:Exploit Fake Flash Player (type 1747)

**ANOTHER UPDATE**  The Exploit Fake Flash Player has returned so I guess I fixed nothing.  I did manage to run the DDS report:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17280
Run by Steidtman at 16:09:05 on 2014-10-07
Microsoft Windows 7 Enterprise   6.1.7601.1.1252.1.1033.18.8191.3132 [GMT -5:00]
.
AV: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus Free Edition 2014 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

28 more replies
Answer Match 55.02%

I was reading an article on cleaning malware at: http://www.maximumpc.com/article/howtos/ul...r_pc_junk_files
In the article they refer people over to www.combofix.org which has a link that appears to download combofix from bleepingcomputer.com... On the same page it recommends a program called "Spyware Cease" which my AntiVirus detected as a virus.

Featured antispyware software
Spyware Cease: Removes and Protects from: Spyware, Adware, Trojans, Hijackers, Worms, Keyloggers, Rootkits, Rogue Antispyware, Password Stealers, Tracking Threats and other Malware attacks! scan you computer for free - Current Version: 3.0 (File Size: 3.63 MB)

In looking on the net for info on this software I have found mixed reviews. I installed it on an isolated PC that I use for software testing and then ran combofix - and combofix removed "Spyware Cease". I believe it is a "rogue" program.
1. Is Spyware Cease a rogue program?
2. Is combofix.org a rogue site?
Your thoughts?

A:Is "Spyware Cease" a rogue anti-spyware app?

Spyware Cease is available at several of the major download sites so it appears legit or they would not be hosting the program.
http://www.softpedia.com/get/Internet/Popu...are-Cease.shtml
http://downloads.zdnet.com/abstract.aspx?k...mp;docid=914643
http://www.download.com/1770-20_4-0.html?q...htype=downloads
However, how effective its detection/removal scanner is...that's another question. I don't know any experts who use this program. As such, I recommend that you use one with a proven track record like those mentioned in BC's Freeware Replacements For Common Commercial Apps or Trustworthy Anti-Spyware Products.

Please note the message text in blue at the top of this forum. You should not be using Combofix unless instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Combofix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

8 more replies
Answer Match 55.02%

My laptop is infected with Spyware Protect 2009 - using Avast anti-virus; Spybot and the spyware remains. Here is my hijack log... please advise.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:28 AM, on 2/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal


A:Rogue Spyware - Spyware Protect 2009 - HELP!

Used Malwarebyte's Anti Malware - problem solved.
 

1 more replies
Answer Match 54.6%

I got all of these viruses and I can't work properly because of these.

Zlob.Trojan, Rogue.VirusTrigger, Rogue.Errorsmart, Rogue.System Antivirus 2008

I think I got more malware on. I believe it started when my sister inserted her flash disk on my PC.

What do I do?

A:Zlob.Trojan, Rogue.VirusTrigger, Rogue.Errorsmart, Rogue.System Antivirus 2008

Hello, please run an MBAM scan on this PC. DO NOT put that flash drive into any other PCs; it is infected.
Please download Malwarebytes Anti-Malware and save it to your desktop.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main ... Read more

12 more replies
Answer Match 54.6%

Hey guys. As of about a week ago, I'm repeatedly getting an alert on an
Exploit Fake Video Player Type 1750 that's being blocked.
Any idea what this is? Any idea on how to remove it? The constant notification is driving me crazy.

A:Help removing Fake Exploit Video Player Type 1750

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there. CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/554230 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more

2 more replies
Answer Match 54.6%

Okay, before I continue, I've never posted here before, but I've read the rules, and if this doesn't follow any specific criteria that it needs to when posting, I apologise in advance.
 
I'm running Windows 7
I have downloaded a virus (or malware, I don't know, I'm not very good with terms) and I don't think AVG is getting rid of it. Every hour or so my AVG AntiVirus Free keeps popping up with messages like "threat successfully removed, exploit fake update (type 1573)". It's been doing this for about 3 days now, so I don't think it's going to go away any time soon. Now also every time I start my computer up and open Google Chrome, a website comes up called something like "download-mirror.org/" and then a load of random characters, and it keeps wanting me to update Chrome, but it's obviously not legit.
 
Whenever I do a computer scan with AVG, it doesn't pick it up, but it randomly picks up threats (they're all Exploit Fake Update (type 1753)) over the course of the day even when it's not scanning.
 
I have pictures of the AVG error messages, but I don't know how to add screenshots to posts.
 
Sorry if it's too vague, if anyone could tell me how to put screenshots in then that'd be great. (gyazo and puush aren't working for me for some reason)
 
 
 

A:Google Chrome Exploit Fake Update (type 1753)

Welcome aboard

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll dow... Read more

4 more replies
Answer Match 54.6%

I own a Vista Windows 7. I gave it to my brother over a year ago and got it back a few days ago; he had been trying out different anti-virus software and hadn't found one he liked, and he said he had a lot of trouble and confusion with AVG and their free trials before he gave it to me; some didn't work or had to be reinstalled.
So I got the Kaspersky Pure 3.0 Trial version after removing his AVG software, and it suddenly came up with all these viruses and they seem like they are the same one. He said my computer has not been acting strange up until this point and the worst it’s doing now is just being slower than usual. So I don’t know if I have just gotten these viruses, he never noticed them, or that the computer has had them for a while. Kaspersky says they cannot be disinfected.
 
 
I have 7 Trojans, my computer isn’t acting odd to me, but this is pretty alarming, it was only 2 at first then, 5, and then when the scan finished it was 7 and I don’t know why or if they multiplied or something.
 
A window keeps popping up from Kaspersky and in the red box it calls the threat a (this is exactly what it says):
 
HEUR:Exploit.Java.CVE-2012-1723.gen
 
Status Detected; Not Processed.
 
When I clicked info to see what is on it:
 
Kaspersky’s Malicious Software description.
 
Category: Trojan.

Type: Exploit
 

These utilities penetrate remote computers to use them as zombies (by using ba... Read more

A:7 Trojans. Type: HEUR:Exploit.Java.CVE-2012-1723.gen Please help!

Hello Antony88, I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.
Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!
Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same"... Read more

14 more replies
Answer Match 54.6%

First, thanks for taking a look at my problem.  Your attention and time are appreciated!
 
The machine in question is a Dell Precision M6600 running Windows 7 Pro.  A scan with Vipre from ThreatTrack Security discovered a file it called Lookslike.swf.malware.h which it quarantined and eventually deleted.  Subsequent deep scans with Vipre came up clean.  However, Microsoft Safety Scanner came back with 12 files infected, calling the malware Exploit.Java/Obfuscator.w.  The MS scanner said it could not do anything about the matter.
 
All updates to Windows, Vipre, Java and Adobe products have been made and the machine is currently not displaying any strange behavior.  However, since it is a machine that gets heavy use on very important, time-sensitive projects, I would like to get ahead of the issue and do anything I can to remove the threat entirely.  Normally I would just back up the data and do a clean reinstall of Windows but this particular machine is chock full of difficult to reinstall software that I would much rather leave in place.
 
Any assistance is very much appreciated.
 
-Scott

A:Exploit:Java/Obfuscator.w found by MS Safety Scanner - Help Removing, Please

Hello mudhustler and welcome to BleepingComputer!       
 
My name is Sirawit and I'm here to help you.
 
Please note that I'm currently in training and my fixes need to be approved first, that may delay our fix a bit, but I will normally reply back in 24 hours.
 
If I don't reply after 3 days, feel free to PM me.        
==========================================================================
Some points for you to keep in mind:
Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I wi... Read more

15 more replies
Answer Match 53.34%

Hi everyone:
Using Windows 7, Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
I inadvertently downloaded a trojan, and AVG popped up with a "threat detected!" alert listing the Exploit Crimeware Exploit Pack (Type 1636) as a blocked threat. I clicked OK, and the alert has popped up 2 more times since then over the course of an hour or so, but hasn't popped up since (it's been like 5 hours now since I've seen that). The threat is listed in AVG's virus vault as:
Severity: Infection / Virus Name: Trojan horse downloader generic 10.RBK; Path to file: c:\Users\IMMIGRANT\AppData\LocalTemp\Dmw.exe
Since this occurred, Windows 7 has now been periodically throwing an application error that states "GoldS has stopped working". This error was reported for the first time (that I could find) just YESTERDAY here on the forum. (I did a quoted Google search for "golds has stopped working" and the post I've just linked to here was the ONLY instance of this phrase in Google, so it seems like this might be some brand-new thing that's on the loose.)
NOTE: I downloaded GMER and tried to create a log per the specifications given in the instructions for posting malware issues. However, all of the checkboxes on the right-hand side are UNCHECKED and GRAYED OUT except for services, registry, files, C:\, and ADS; The program will *not* let me check the boxes per the instructions... Read more

A:PC Infection: Exploit Crimeware Pack Type 1636/"GoldS has stopped working"

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.
Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please do not attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
In order for me to see the status of the infection I will need a new set of logs to start with.
Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more

5 more replies
Answer Match 53.34%

Earlier today I got a pop-up saying my computer was infected and that I should run my "AntiVirus". This was followed by another popup offering to install "AntiVirus". I ran AVG which had the following results:
"C:\WINDOWS\system32\spoolsv.exe (1632)";"Virus found Win32/Heur";"Reboot is required to finish the action"
"C:\DOCUME~1\UserXP\LOCALS~1\Temp\133.tmp";"Virus found Win32/Heur";"Moved to Virus Vault"
"C:\Documents and Settings\UserXP\Desktop\Cryptload_1.1.8\router\FRITZ!Box\nc.exe";"Potentially harmful program RemoteAdmin.BX";"Moved to Virus Vault"
"C:\Documents and Settings\UserXP\Desktop\Cryptload_1.1.8.rar:\router\FRITZ!Box\nc.exe";"Potentially harmful program RemoteAdmin.BX";"Potentially dangerous object"
"C:\Documents and Settings\UserXP\Desktop\Cryptload_1.1.8.rar";"Potentially harmful program RemoteAdmin.BX";"Potentially dangerous object"
"C:\OFFICE\MSDE2000\MSDE2KS3.EXE";"The file is signed with a broken digital signature, issued by: Microsoft Corporation.";""
I then rebooted. This did not fix the problem. I had the same issue, but now when I tried to run any program, I would get a popup saying that that program was infecte... Read more

A:(Phoenix Exploit Kit (type 1112)) Google results redirect to ad pages and IE starts on it own

Scratch that....still being redirected.
"C:\WINDOWS\system32\drivers\ipsec.sys";"Virus identified Win32/Patched.DX";"Object is white-listed (critical/system file that should not be removed)"
"C:\Documents and Settings\UserXP\Local Settings\Temp\smss.exe";"Trojan horse Clicker.AKBZ";"Moved to Virus Vault"
"C:\Documents and Settings\UserXP\Local Settings\Temp\loader.exe";"Trojan horse Clicker.AKBZ";"Moved to Virus Vault"
I reran Malwarebytes also in safe mode which found the following:
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljkujpta (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ljkujpta (Trojan.Downloader) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Application Data\jjenaryln\btiqojstssd.exe (Tro... Read more

6 more replies
Answer Match 53.34%

Hello,

My computer has become infected with the following trojans/rootkits, and I've tried everything I know how (which is very little) to fix it, with no effect. I discovered this forum while googling the relevant trojan names and come to you humbly for whatever assistance you may offer.

The first problem I noticed was computer/browser slowdown. There was an svchost process that was listed as using over half of my RAM. I suspected an infection and so ran my antivirus/malware software -- Avast, AdAware, & Malwarebytes. Nothing was discovered. Shortly after this alerts began popping up from Avast saying it was blocking communication to a certain website. I'm sorry, I didn't take this as seriously as I should have at first and did not write down anything about these first warnings. Repeated scans again revealed nothing. I remembered from removing one of the "AntiVirus" rootkits from a girlfriend's computer that starting in safe mode, installing a new Malwarebytes, and then scanning may help. I tried that, and two trojans were discovered, both named Exploit.Drop.7, and I removed them. After this I also ran the Free Windows Registry Repair command, as well as the registry repair function of C-Cleaner (I'm not sure why, in retrospect, I just remembered doing that last time). I restarted the computer again. It appeared to be working normally, and I accessed the internet and checked e-mail, etc. However, in just a few minutes I again notice... Read more

A:Infected with Rogue.FakeHDD, Trojan.FakeAlert, PUM.Hijack.StartMenu, PUM.Hijack.TaskManager, Exploit.Drop.7, etc.

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.
If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.
Please include a clear description of the problems you're having, along with any steps you may have performed so far.
Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Even if you have already provided information about y... Read more

28 more replies
Answer Match 52.92%

Dell Inspiron E1505
Windows XP Media Center Version 2002
Service Pack 3

My Mom's laptop has some serious problems. It started around the 21st; she showed me she had one of the fake anti-virus popups (Internet Security 2010 or 2011). I tried to remove it and thought I got it in time but I couldn't run Malwarebytes. Now I can not run any type of scanner. Malwarebytes, Adaware, and SuperAntiSpyware start to run then just stop without any errors. Then I get the following message when I try to rerun them: "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item." And AVG 2011 cannot scan because there are no active components shown in the program.

Any help would be appreciated.

A:Infected and unable to run any type of scanner.

hi,

Your post is a few days old, if you still need help just reply back.

1 more replies
Answer Match 52.08%

I need a real time spyware scanner for free. I also need a virus scanner (realtime): Avast, AVG, or Antivir? Does anybody have suggestions?
 

A:real time spyware scanner? (free)

16 more replies
Answer Match 51.66%

Hi. I have many rogue spyware program popups: ultimate cleaner, privacy protector, error cleaner, spyware & malware detector etc etc. Here is my HJT log. Task manager has been disabled. McAfee change logs show new dll files added, bxsnvqt, dopfwrllwr, aslpmqk on the day I got the malware. Thanks

More replies
Answer Match 51.66%

PLEASE HELP!!
I have this darn spyware that just won't go away.
It says "Exploit Rogue Spyware scanner (type 621)", then another window comes up that has "Bonuspromooffer.com". I have downloaded AVG 8.5, Malwarebytes, and Windows Defender, plus I already had the Ad-Aware program. These programs found a lot of viruses and spyware, but this rogue one keeps coming back. Plus now my computer is running so slow, it's like dial-up or worse. Can anyone help me get rid of this?

More replies
Answer Match 51.66%

I've recently been through the wringer with just about every known virus on the face of the earth. After getting a fake Windows Police Pro ad pop-up, all hell broke loose. I was able to rid my computer of that, but later acquired AV CARE and many more viruses through a ghost in my system. These rogue virus(es) have caused mass havoc on my computer. I cannot open or install any anti-virus/anti-malware programs. I've tried the .com hijack but that was to no avail; the antivirus scanners shut down after 10 seconds. Whatever is on my computer deleted XP, or at least appears to have; my computer doesn't recognize any sound input/output and only beeps through the sound card like way back when with MS-DOS. I've tried everything under the sun and I've come to terms that my computer is just going to have to be redone. I don't have a problem with that; thankfully a while back I saved all my valuable information, documents, music files, etc. on spare hard drives. HOWEVER, there is one VERY IMPORTANT folder that I need to re-add to my data E-DRIVE because there are new files I need on my new computer! (I make music and a lot of my new unfinished projects are in this folder.) This little virus, malware or whatever the hell it is won't let me copy and paste, won't let me send the folder, won't let me drag, won't even let me send to a flash drive. I don't know what to do, I need to get the new computer up and running as fast as possible but I need thi... Read more

A:Rogue Spyware

Moved from HJT to a more appropriate forum. Tw

2 more replies
Answer Match 51.66%

Hi, I'm a new member here but nonetheless I need help. I received this spyware called Windows XP 11. It's a spyware. It turned off my firewall and overrode all of my anti-viruses. I ran MBAM in safe mode and it let me remove the spyware, but when I rebooted my computer, it was still there.

I got rid of the virus. But now every time I try opening ANYTHING, it gives me the 'open with' prompt, so the files aren't able to open correctly. I'm not able to connect to my Control Panel, I don't have 'rundll32.exe'. The 'open with' prompt is giving me a bunch of programs I can run the file with. I'm not able to download ANYTHING, because it gives me the 'open with' prompt.

Please guys, thank you so much.

Edit: I can't even run as an administrator because I don't have a password and it is asking me for one.

It's 3 am, please leave your comments I will get back to you in the morning.

More replies
Answer Match 51.24%

Had a client unknowingly install rogue spyware on her laptop. Needless to say she was pretty upset. As a teacher she needs access to her files for lesson plans and was locked out. The rogue spyware was disguised as Internet Security. I was able to get into the system and install HJT. Here is the log file.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:23:10 PM, on 2/27/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Toshiba\TOSHIBA Service Station\TSS.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\PCMAgent.exe
C:\Program Files\CyberLink\PowerCinema for TOSHIBA\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Linksys\Links... Read more

A:HJT Log FIle - Rogue Spyware

HiJackThis 2.0.4 needs to be installed in that computer and allowed to install in the default location: C:\Program Files.

You currently have the HiJackThis.exe file running from the E drive, which is improper.

Most of the HiJackThis log is also missing.

-----------------------------------------------------------

You wasted your time running a scan with Malwarebytes Anti-Malware 1.60.1.1000 because you didn't select and remove what it found.

The "No action taken" entries in the scan log confirm that.

-----------------------------------------------------------

Download and install SUPERAntiSpyware 5.0.0.1144.

Make sure to update its definition files during the install process.

-----------------------------------------------------------

Follow these instructions next, carefully and completely.

DON'T use the computer while each scan is in progress.

Start Malwarebytes Anti-Malware.

Click "Scanner(tab) - Perform quick scan - Scan".

If infections or problems are found during the scan, the number of them will be highlighted in red.

When the scan is finished, click "Show Results".

Make sure that EVERYTHING is selected, then click "Remove Selected".

If you're prompted to restart to finish the removal process, click "Yes".

Start Malwarebytes Anti-Malware again.

Click "Logs"(tab).

Highlight the scan log entry, then click "Open".

When the scan log appears in Notepad, copy-and-paste... Read more

1 more replies
Answer Match 51.24%

Hello,

Thanks for helping me with this issue.
I cannot get rid of a rogue spyware application.
I tried using Malwarebytes and VIPRE anti-virus software. VIPRE keeps finding the virus after each scan of my computer, but whether I choose quarantine or remove, the virus remains and I still see the red circle/white X icon in my systray that tries to install antivirusagent or system guard.

Here is my DDS.txt log:
DDS (Ver_09-06-26.01) - NTFSx86
Run by Brian at 5:46:03.29 on Thu 07/02/2009
Internet Explorer: 6.0.2800.1106 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1023.496 [GMT -4:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\1233955266\ee\AOLSoftware.exe
C:\WINDOWS\System32\brastia.exe
C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\AOL 9.1\waol.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Program Files\Logite... Read more

A:Infected by rogue spyware

Hi,
Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
Ensure all Firefox windows are closed.
To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
When prompted to run the scan, click Yes.
GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).
Download ComboFix by sUBs from here or here
Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.
**Save it to your desktop**
Double click on ComboFix.exe & follow the prompts. If you are prompted to install the Recovery Console I recommend you go ahead and hit yes.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log
Notes:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
ComboFix disconnects your machine from the internet when it runs. This connection should be automatically restored when ComboFix completes its run. If ComboFix runs into difficult... Read more

9 more replies
Answer Match 51.24%

I am reasonably sure I have removed the rogue program antispycheck 2.1 from a neighbours computer. I used the advice on bleeping computers (many thanks).
I deleted all relevant folders, files and registry entries and used HJT to remove a few relevant odds and ends.
I stopped aspch from running at start up. I uninstalled antispycheck 2.1 using Add/Remove programs.
I ran another registry cleanup to make sure no references remained.
I also removed 12 Downloader.Zlobs and a quantity of spies.
Re-running anti virus and anti spy programs shows the computer is now clean.

However, I am unable to remove the live link to the antispycheck website which lives in the Windows XP notification area.
It is a shield just like the Windows security shield, it flashes alternately from red to blue to red to blue.
Making sure I was off-line I clicked the shield to see what URL it was linked to. This was antispychecker.com/?aid=1012
Something is also resetting the Windows automatic update to 'off'.

At regular intervals of about a minute the shield throws out one of two false warning balloons.
The yellow triangle in the balloons looks quite genuine but the System alert asks you to either download antispyware or download a tool for removing malware.
I would be grateful for advice on stopping this little blighter from operating.

Regards

Awestruck

A:Rogue Anti-spyware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
Click on the Show Results button to see a list ... Read more

1 more replies
Answer Match 51.24%

My dad's laptop has some sort of rogue spyware program on it. I've dealt with one before on a friend's computer but it's been a while. Just guide me through the steps and give me a link to HijackThis. Thanks for the help

A:need help, rogue spyware program

16 more replies
Answer Match 51.24%

Hi, I have annoying anti-spyware pop-ups that won't go away. I did everything on the preparation guide, yet the pop-up keeps coming back. I haven't noticed any significant performance problems since these pop-ups started about a week ago. This is the website the pop-ups send me to: //antispyware-reviews.biz/?wmid=4663&pwebmid=R3n1c2Bg8A. Also, now that I have installed Zone Alarm it picks up the pop-ups and asks if I should allow or deny, which is nice. However, this is obviously not a solution. The application that Zone Alarm identifies when the pop-ups try to appear is sjyxwnkn.exe. I have posted below my HijackThis log. Thanks for any help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:47 PM, on 2008-03-29
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Program Files\Common Files\logishrd\LComMgr\Communications_Helper.exe
C: ... Read more

A:Rogue Anti-spyware Pop-up

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log, along with a description of any problems you are experiencing. If we do not hear back from you within a couple of days we will need to close your topic.
When posting your logs please post them directly into the reply. Do not attach them.
Thank you for your patience.

1 more replies
Answer Match 51.24%

My computer is running slower than usual and I keep getting either Adultfriendfinder pop-ups or rogue anti-spyware pop-ups. I need help!
Logfile of HijackThis v1.99.1
Scan saved at 11:13:36 PM, on 3/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.e... Read more

A:Rogue Anti-spyware Pop-ups

Hello Dancerchick
Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to Run VundoFix as a task.
You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
David

6 more replies
Answer Match 51.24%

I somehow wound up with "Spyware Guard 2008". I cannot click any links online and only half of my programs will run properly, random Firefox pages pop up out of nowhere and my PC is running very slowly.
Every time I try to run smitfraudfix.exe or try to install a spyware removal application they fail, and it brings me to the Windows error report screen.

I need to have this problem fixed :( I'm dependent on my computer for employment.



__________________________________________________________
gmer.exe would not run on the infected computer, so I cannot attach the ark text file.. I have included attach.txt and the dds

here is the DDS.



DDS (Version 1.1.0) - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2814.2402 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
c:\program files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Sean\Desktop\dds.com

============= FINISH: 1:39:03.92 ======... Read more

A:[SOLVED] HELP - ROGUE SPYWARE. Please help

bump please.

I was able to run Exterminate It, a free spyware checker but of course, not remover. I have "Net Sky", "Spyware Guard 2008", and "Vundo".

I might just reformat today, all of the spyware is on my first hard drive and I've put everything onto :/D.

3 more replies