Tech Problem Aggregator

Nuwar B / Legacy_tdssserv malware

Q: Nuwar B / Legacy_tdssserv malware

Hi. My nightmare started with my computer getting the Nuwar B virus. I searched the internet for ways to remove it and found a post that said to delete any and all entries in the registry with tdssserv in it. When I run CA anti spyware it says there is malware named legacy_tdssserv in the hkey_local_machine\system\controlset001\enum\root. But now when I navigate there to delete it, it's not there. I found it there the first time and deleted it but after that I don't see it even though CA anti spyware says it's still there. That was my first mistake. Actually my first mistake was not posting here first. My third mistake was to try to delete these 4 files via the recovery console.

C:\windows\spoolerdr.exe
C:\windows\system32\spooler.exe
C:\windows\system32\drivers\tcpip.sys
C:\windows\system32\drivers\tmcomm.sys

For the first 3 files when I pressed enter nothing happened. But for the 4th I got an error message saying that the file could not be found. I rebooted and tried to connect to the internet and could not. I tried to undo my mistakes by finding the files on my XP disc and reinstalling them (thinking I had actually deleted some or all of them). I could not find them, therefore I could not reinstall them. I had posted my problem on one other forum a few weeks ago but have not gotten any help from them. If you decide to help, I will not do another thing to my computer unless instructed by an expert from this forum. I really need some help and appreciate any you would offer.
Thank you

A: Nuwar B / Legacy_tdssserv malware

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic: Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here: How to create a GMER log

16 more replies
Answer Match 100.8%

I've tried a few other "fixes" that I found on other forums but it keeps coming back.
Here is my HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:13 PM, on 4/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\DiskeeperServer\DKService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\System32\svcho... Read more

A:Nuwar B legacy_tdssserv ... Help needed!

Since my first post I ran CA anti virus and found nothing. I then ran CA Anti spyware and found this again. legacy_tdssserv

And it says it's in.
hkey_local_machine\system\controlset001\enum\root

But when I go there to delete it it's not there.
It also keeps turning off my antispyware.
Any help would be much appreciated
 

2 more replies
Answer Match 61.74%

Suddenly started having issues with popups, and suddenly my anti-virus/anti-spyware programs started picking up offenders, which I then let them take care of. Without fail, though, each day I'd run them again to find all the same stuff back. Suspecting that I had a trojan somewhere that my stuff wasn't picking up (and being computer literate to only a beginner's level), I decided I'd come see if I couldn't find some help here.

Anyway, the DSS logs and Panda Activescan log follow. Any help will be greatly appreciated.

Deckard's System Scanner v20070602.46
Run by eml on 2007-06-03 at 02:35:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
24: 2007-06-03 07:36:22 UTC - RP322 - Deckard's System Scanner Restore Point
23: 2007-06-03 06:54:15 UTC - RP321 - Spybot-S&D Spyware removal
22: 2007-06-03 05:24:53 UTC - RP320 - Spybot-S&D Spyware removal
21: 2007-06-03 05:24:18 UTC - RP319 - Spybot-S&D Spyware removal
20: 2007-06-02 13:44:27 UTC - RP318 - System Checkpoint


-- First Restore Point --
1: 2007-05-18 06:03:00 UTC - RP299 - Removed Star Wars(R) Knights of the Old Republic(R) II: The Sith


Performed disk cleanup.


-- HijackThis (run as eml.exe) -------------------------------------------------

... Read more

A:nuwar.CG.worm/spammer.h/various other malware

Bump.

6 more replies
Answer Match 61.32%

Good afternoon. My computer has been running a bit more slowly than usual lately and checking my anti-virus virus logs indicates that some trojans and viruses have been caught and quarantined/removed in the past and I want to make sure that everything is clean now.

1. I have already subscribed to this thread with instant notification.
2. I am aware that I have two separate anti-virus utilities installed on this computer (Kaspersky and AVG). I do not actively use Kaspersky and it is most-always disabled on this machine since it consumes too many resources. However it needs to remain installed on this machine due to company policy.
3. I am aware that Azureus is installed, and the potential threat it poses should I accidentally download a file(s) that someone has maliciously infected. I exercise caution when using this program and where I find the .torrent files, and I accept the inherent risks involved.



All that being said, on to the logs:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Conference Room at 2008-11-05 13:03:04
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 129 GB (87%) free of 149 GB
Total RAM: 2046 MB (42% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:17 PM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon... Read more

A:Possible Viruses/Trojans/Malware; Vundo? Nuwar?

Update: The forum's underlying system is not letting me edit my post any longer.

19 more replies
Answer Match 45.36%
Q: Nuwar B

My computer appears to be infected with Nuwar B and who knows what else. We've deleted it with Spyware scan (McAfee) and Microsoft Malicious Software Removal but it keeps coming back. The computer is slow (especially at StartUp) and freezes up. The Google searches are messed up and we can't access ANY site that has to do with security. I've had to go to the library to post this message because I can't access anything with our computer. Can someone help?

Here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:13 AM, on 10/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\syste... Read more

A:Nuwar B

Please do not create multiple threads for the same problem!

Continue here: http://forums.techguy.org/malware-removal-hijackthis-logs/762637-please-help-trojen.html#post6222285
 

1 more replies
Answer Match 44.94%

I have a huge problem with this worm. Can you tell me how I can do something to get it out of my PC without erasing or formatting my hard drive?

A:Need Help W32/nuwar.n!sys Pleaseee

Ohh Hhhh Please Someone Be Kind To Help Me Out Tell Me If There's A Way That I Can Get It Out Of My Pc Or Just Hold It A Little Bit To Get All My Information Out Please Please I Need Help!!!!!!!!!!!!!!!

2 more replies
Answer Match 44.94%

My problem started when Internet Explorer windows kept popping up, about 30 of them. Forced quit IE, ran NOD32. Found the Nuwar Worm, (or a variation). Still getting some pop up windows and when XP loads, gets the error "vowihuvi.dll not found".

Thanks for your help!
DDS (Ver_09-02-01.01) - NTFSx86
Run by ariggins at 15:16:16.03 on Wed 03/04/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.766.251 [GMT -6:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system... Read more

A:Nuwar Worm

Hi stardungeon,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

To get an idea about the current condition of your computer download random's system information tool (RSIT) by random/random from here and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Set the list of files/folders created to 3 Months and click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

Note 1: If you have difficulty finding the logs, the logs are in this folder: C:\rsit

Note 2: The tool takes not more than one minute to scan the system.

If you have changed anything since previous post and how is the current condition of your computer. If you have run other tools post also the logs or attach them if available.

You might want to save this page on your favorites, so you can find it again when you return.

3 more replies
Answer Match 44.52%

Hijack This Log File:
Logfile of HijackThis v1.99.1
Scan saved at 1:37:08 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files... Read more

A:Infected With Nuwar.n!sys Virus

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

5 more replies
Answer Match 44.52%

A few weeks ago my girlfriend somehow got some viruses on my pc. At the time I was using CA Internet security suite, I did a scan & it detected the Silly Di,,,,,,,or something like that. I tried to go to CA's web site for removal tools & info, but couldn't, I kept getting redirected. Then I tried other antivirus & virus removal web sites, to no avail...kept getting redirected. The virus wouldn't even let me go to bleepingcomputer.com, as I tried to almost immediately because about a year and a half ago I had to come to you for help. Also, I was unable to start in safe mode. Out of desperation/frustration, I tried to manually remove from the registry files that I KNEW were bad....etc. Somewhere along the way I was able to get back on to Microsoft's security web site and download a free trial of Windows One Care.........I can now start in Safe mode "with Networking", but not regular Safe mode. Windows One Care is running a scan as I'm typing this to you, but my past experience, what very little I have, tells me that I'm going to need more than what they can offer. Below I've attached the main txt & extra txt from Deckard's system scanner with HiJack this. I appreciate anything you could do to help me out. Thanks for your time.

Kyle Brown

Deckard's System Scanner v20071014.68
Run by Kyle on 2008-07-27 19:30:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------... Read more

A:Infected With Vundo.gen!p, Nuwar.gen!lds And Probably More

Hello mowe,

I apologise for the delay, the forum is too busy.

If you still need help post a HijackThis log.

2 more replies
Answer Match 44.52%

Hi there,

First of all, thank you for taking the time to help out people like myself. I'm a first time poster so if I make any mistakes, please bear with me and point them out so that I won't make them again.

First of all, I'm running on Windows XP Pro SP2. I'm unable to connect to the internet and this virus has disabled my firewall and antiviruses. I believe I got the virus when I visited a website that suddenly grinded my computer to a slow snail and it suddenly installed d1.exe, d2.exe, d3.exe, d4.exe to my desktop. I then proceeded to reset my computer before it do anymore damage.

I've done some analysis myself and I believe I have the nuwar.N!sys Virus. My computer restarts every single time I try to run any antivirus software where or visit any site that has any scanning. I was lucky one time and I sent an error report to Microsoft and it said I had the nuwar.N!sys virus.

A couple of times when I restarted, it gave me the blue screen of death with the following info:

Driver_IRQL_not_less_or_equal

STOP 0x000.....

NDIS.sys error


I then proceeded to run in safe mode with networking but upon loading the networking "d347.bus", my computer would restart as well. So I ran in safe mode without networking and skipped the loading of d347.bus and it ran fine. I downloaded the AVG Anti spyware program from another computer and ran the scanner. Here is the log it produced:

--------------------------------------------------------... Read more

A:Driver_IRQL_not_less_or_equal & nuwar.N!sys Virus

Welcome ProfoundX

How did you get here to post ? from another pc i assume ?
Do not start to safe mode with networking unless that is the only alternative.
because your antivirus and firewall software would have to be started manually....

Can you save a tool to a floppy or USB stick then take it to the infected PC?
If so > Post a combofix log
1. Download this file - combofix.exe
http://www.techsupportforum.com/sect...s/ComboFix.exe
alternate link
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.

Post another new HijackThis log too.

PS: C:\Cracks\rpftpv90.zip/aaocg_ftpvoyager_crk.exe
If you're into cracks you might as well start over, format the PC and install/update Windows again..

4 more replies
Answer Match 44.52%

Mcafee finds and quarantines 2 w32/nuwar.sys viruses with tctip.sys files in c/windows/system32/dllcache and 2 in c/windows/system32/drivers. even after this, i have no internet access. i restored to a previous point, which allowed internet access, but a window pops up that says there are windows files that have been replaced with unrecognizable versions. if i leave this window up (as it is now) i have internet access. if i close it, no access. please help me get rid of these infections. Thanks, jack
The following is a hjt logfile.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:06 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
... Read more

More replies
Answer Match 44.52%

Ever since I re-booted as requested by the McAfee automated update, I have issues with internet connectivity if the firewall is on, computer suddenly 'bleeps out' and re-boots (sometimes twice in a row), AND this malware >adirka.exe< keeps coming up as trying to connect to the internet.

I have done a malware scan with AVG, a registry clean with Registry Mechanic, a complete scan with McAfee and nothing seems to get better. I was advised to run Hijack and post my log file.

I had paid for tech support from McAfee for a technician to go directly into my machine. So far they have done all kinds of checks, tests, modifications and I still have the same problem. Up to this moment they had suggested that I contact my ISP. When I contacted my ISP they said McAfee should fix my problem. Gheez, this is getting so frustrating!

As far as I can tell, this is a very new variant on the Zhelatin.a (ab, au, o,t,u,v) versions of this virus and I don't think the McAfee service is even set up to find it, let alone fix it.

I have found a little info on the zhelatin.b here: http://www.viruslist.com/en/viruses/...virusid=150219

If you click on the a, au, etc. links you can see how it works, but the methods don't exactly apply to this bu version to fix it.

AVG also recently found Nuwar.p which is said it cleaned and quarantined.

My issues STILL: 1: Computer is sending mass e-mails through the back-side
2: I have to disable McAfee firewall in order for IE or Outlook t... Read more

A:Zhelatin.bu, Nuwar.p Need Help Desperately

Welcome to the Tech Support Forums. Since it has been a few days, please post the two text files, main.txt and extra.txt produced by the Deckard's System Scanner (formerly Comboscan) as instructed in IMPORTANT - Read This Before Posting A Log.

3 more replies
Answer Match 44.52%

Alright, so I'm really not sure what I have on my computer. The virus I listed in the topic title is what the Windows IE said I had when I Reported the Bug. My computer got lots of pop-ups for WinAdware 2007 and Spydoctor ... continually telling me I had adware and spyware and needed to download these programs (which I didn't but they continually popped up trying to dwl anyways.) I did pretty much everything listed on this webpage: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/. I didn't seem to have as much of a problem, my computer was much faster, but I still had random pop-ups (not as frequent or as persistent). Then my grandfather checked out my computer, uninstalled some virus scans (McAfee and AVG) and the Lavasoft Adware program I had installed and installed Registry Fix. I know having too many things slows the computer down, but the problem then got bigger. Everything seemed to be fine last night, I was online checking my e-mail and chatting when all of a sudden Spybot went crazy and kept asking me to confirm a registry change (which I constantly denied), but things were being installed anyways ... about 10 - 15 icons appeared on my desktop (I know I should have written them down :/ )... a virus scanner ... titled BS short for B-something Sentry was one of them and it began running and telling me I had malicious spyware and adware that was stealing my information. Whatever it wa... Read more

A:Win 32/nuwar.n!sys ... Lots Of Vicious Pop-ups

Welcome to the BleepingComputer HijackThis Logs and Analysis forum artworks1. My name is Richie and I'll be helping you to fix your problems.

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix. Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "winhealer.dll" into the remove box using the >> button. Press the finish button.
Then reboot.
*****************************
Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
* Double click on SDFix on your desktop, and install the fix to C:\
Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will ... Read more

18 more replies
Answer Match 44.52%

My computer has been slowing down and I get random popups. Everything freezes up because it's so slow and I can't barely do anything. I scanned it with CA spyware and it said that it detected Nuwar B and Darksma and I can't seem to quarantine or delete them. I'd really love it if someone would help me getting my computer back to normal.

Thanks!

Here is my HiJackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:36 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\... Read more

A:Nuwar B And Darksma Detected! Help Please!

Hello kikki fail,

I apologise for the delay, the forum is busy.

If you still need help, post a new HijackThis log as per my instructions below.
----------------------------------------------
RENAME HIJACKTHIS
Using Windows Explore by right-clicking the Start button and left clicking Explore navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe & select Rename to scanner.exe and post back a new Hijackthis log.

Also tell me if you added this in your Hosts File:
O1 - Hosts: HP78E9AD HP0017A478E9AD

2 more replies
Answer Match 44.52%

My friends storyop up said I needed a sweep and I clicked 'ok' then it did its sweep. After it wanted credit card number so I Xed out. Now I am bombarded with Critical System Warnings every few seconds.

I have allowed this infected computer on my wireless network while I ran scans. Are my other computers or my privacy at risk?!?

AVG shows Trojan backdoor and download + I-Worm.Nuwar.X --- when I choose to remove AVG warns of possible system problems and possible crash.

I have ran HiJackThis log as well and will attach.

Can someone help me with this PLEASE!
 

A:Trojan and I-Worm Nuwar X

16 more replies
Answer Match 44.52%

Ever since I re-booted as requested by the McAfee automated update, I have issues with internet connectivity if the firewall is on, computer suddenly 'bleeps out' and re-boots (sometimes twice in a row), AND this malware >adirka.exe< keeps coming up as trying to connect to the internet.

I have done a malware scan with AVG, a registry clean with Registry Mechanic, a complete scan with McAfee and nothing seems to get better. I was advised to run Hijack and post my log file.

I had paid for tech support from McAfee for a technician to go directly into my machine. So far they have done all kinds of checks, tests, modifications and I still have the same problem. Up to this moment they had suggested that I contact my ISP. When I contacted my ISP they said McAfee should fix my problem. Gheez, this is getting so frustrating!

AVG had found zhelatin.bu and quarantined, but I think it morphed and still affecting my system. AVG also found and quarantined Nuwar.p just prior to this HijackThis log file. . . don't know how that ever came into the situation.

As far as I can tell, this is a very new variant on the Zhelatin.a (ab, au, o,t,u,v) versions of this virus and I don't think the McAfee service is even set up to find it, let alone fix it.

I have found a little info on the zhelatin.b here: http://www.viruslist.com/en/viruses/...virusid=150219

If you click on the a, au, etc. links you can see how it works, but the methods don't exactly apply to this bu version to fix it.

AVG also ... Read more

A:Zhelatin.bu - Adirka.exe - Nuwar.p

Hello and welcome to BC.

Yes, you do have a nasty infection which probably arrived with an email. Please download ComboFix

Note: It is important that it is saved directly to your desktop.

Close all browsers. Double click combofix.exe & follow the prompts. When finished, it will produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window while it's running. That may cause it to stall. ComboFix will create a folder called QooBox in C: (C:\QooBox). It will contain any folders that were quarantined. When you are done you can delete this folder - QooBox. Please post back the combofix.txt and a fresh HijackThis log, but make sure that the word wrap is turned off(un-ticked) in the Format menu of the Wordpad.

43 more replies
Answer Match 44.1%

Please help. process iexplore.exe keeps loading on its own. Found the I-Worm/Nuwar.AQ and I think I moved it to vault?? Also both Firefox and IE keep crashing. This has never happened before.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:04 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Progra... Read more

A:I-Worm/Nuwar.AQ and possible browser hijack

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio... Read more


Hi, this is my first time doing this and I've been trying to get rid of some nasty spyware that infected my computer for several days. I thought I should probably come talk to someone who knows what they're doing. I ran CA and it said that it detected Darksma and Nuwar B and I don't know how to get rid of them, they just don't seem to go away. It's slowing down my computer and when I'm plugged into the internet I get popups. Please help!

Any help would be very appreciated!!!!
Thanks!!!

Here is my HiJackThis log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:36 PM, on 10/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConne...

A:Help please! My computer was infected w/darksma and nuwar b

Hello and welcome to TSF
Download RSIT by random/random and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

=========
Logs Required
log.txt
info.txt

If there is no response to this post within 72hrs, this thread will be closed.


My Compaq Presario Laptop is infected with so many trojans and viruses. A few weeks ago my computer was infected by the Nuwar Virus. I manually removed the virus (it was an email attachment). Neither Adware nor Norton (trial version) was able to detect the virus so I uninstalled Norton and installed McAfee. McAfee was able to identify the virus but did not get rid of it. The McAfee keeps on catching either the Vundo Trojan (removes it too) and it catches the VBS/PSYME VIRUS. But McAfee catches these viruses at least 7 times everyday. It is becoming annoying, also these viruses are resetting my security level to low and to accept all cookies. Another issue I have is with AIM 6.0, somehow I believe I deleted ports and messed up proxies. What happens is that the sign on screen shows up, I type in my screen name and password, it signs on but then after the second step in loading it stalls and then it does not load. If someone could help me step by step that would be great lol
 

A:Solved: Vbs/psyme, Vundo, Nuwar, You Name It I Got It Lol


My computer became infected with the avsoft virus and started showing a lot of fake virus alerts and randomly loading up porno.com and viagra.com in IE. This is a win XP SP3 computer with free AVG and windows firewall enabled. I ran several programs such as superantispyware, malwarebytes, spybot s&d, which detected and cleaned a few things, but the infection would always come back after reboot. I suspect the virus was downloading a new copy from the internet every time and reinstalling itself. The only way the computer was usable was by unplugging the LAN cable. I copied an updated malwarebytes definition file from another computer by USB and it found a few executables which never showed up on any other scans. After the latest quarantine the computer seems to boot OK. I would like to know if the computer is now safe and clean or if I need to do more. Here are the Malwarebytes and Hijackthis logs: - THANK YOU

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org
Database version: 3939
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
3/31/2010 8:01:19 PM
mbam-log-2010-03-31 (20-01-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 435437
Time elapsed: 57 minute(s), 47 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\asam.exe (Worm.Nuwar) -> Unloaded process successfully.
C:\Doc...

A:Infected by avsoft and Worm.Nuwar

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...


but, it was found to be a false-positive in general security forum. I did experience problems with everything on my laptop and had to restore and add a new winit.dll file. I would like to be sure there are no other threats, viruses, malware on my laptop.
Panda scan 2.0 found no infection.

Deckard's System Scanner v20071014.68
Run by Adrienne on 2008-04-17 1608
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
13: 2008-04-17 20:48:37 UTC - RP176 - Windows Update
12: 2008-04-17 14:32:44 UTC - RP175 - Windows Update
11: 2008-04-17 14:13:34 UTC - RP174 - Installed HP Update
10: 2008-04-16 22:31:42 UTC - RP173 - Windows Update
9: 2008-04-16 04:13:44 UTC - RP171 - Scheduled Checkpoint


-- First Restore Point --
1: 2008-04-09 21:34:33 UTC - RP162 - Scheduled Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Adrienne.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:10:03 PM, on 4/17/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl...

A:Panda AV found nuwar.so worm

****bump*****


My Nod32 keeps blocking this dglcxlcfmk.net/ak1.exe from running on my computer numerous times a day. 8 attacks in only a few hours today. I'm only on sites I visit quite often, including this one when it tries to run. Is this a problem and can I stop it completely from trying to run on my computer? I've run Nod32 computer scan and Malwarebytes scans with no malicious software being found. Can someone please give me some thought on what this is and what I can do about it.

Thanks.

TracyW

A:Possible Win32 Nuwar Worm blocked by Nod32

You have a DDS/HJT log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.


AVG window popped up on my screen and informed me of a virus threat "C:\WINDOWS\system32\msiexec.exe" "virus found SpySheriff", I clicked send to vault and got another win. asking if I want to remove the threat, I clicked "remove threat" then asks me if I want to force remove it and a message saying that if I force remove it that "it may cause my PC to malfunction or even crash". Now I see another virus called "I-worm nuwar". Now I don't know what to do!

This is my 1st experience with anything like this. HELP

Barb
 

A:Solved: Virus found I-worm/nuwar

Solved I guess. I shut down PC last night and this morning I do not see these warnings.

Will mark it solved later today if it stays this way.

Barb

I'm marking this solved but I still have problems. I seem to get a lot of error pop ups on certain web sites and they close my pages. Am starting another thread and sending my hijack
 


I have run my CA spyware program on my pc several times today and I seem to be having a problem removing NUWAR B spyware. When I choose to quarantine it, it looks like it works, but when I restart my computer and run the spyware program again, it's still there. I have also done a complete superantispyware scan on my computer and it's still there. I have done the panda scan and the hijackthis scan. Here is my logfile for the Hijackthis scan...


Logfile of HijackThis v1.99.1
Scan saved at 629 PM, on 9/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program...

A:NUWAR B detected on CA spyware tool, but cannot be removed

Bump please - still looking for help


Looking for a little help with this infected PC. Before I read your preparation guide I had already scanned with AVG 8.0, MalwareBytes and SuperAntiSpyware, Each program quarantined or removed infected files. AVG found win32/heur and I-worm/nuwar.S also found several trojan horses - Generic10.BAUZ, Agent.XQX, PSW.Generic6.RCP and Spambot.G - Something is still continuously accessing the internet.

Not able to post the AVG log but here's the Malwarebytes and DSS logs.

Malwarebytes' Anti-Malware 1.20
Database version: 931
Windows 5.1.2600 Service Pack 2
9:42:21 PM 7/7/2008
mbam-log-7-7-2008 (21-42-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 86980
Time elapsed: 18 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iexplorer (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOF...

A:Win32/heur And I-worm/nuwar.s And Trojans

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:

Preparation Guide For Use Before Posting A Hijackthis Log

Please also post the problems you are having.


McAfee finds and quarantines 2 w32/nuwar.sys viruses with tcpip.sys files in c/windows/system32/dllcache and 2 in c/windows/system32/drivers. Even after this, I have no internet access. I restored to a previous point but still cannot get on the internet. My wireless network and direct local area connection all say connected but I cannot browse. I've tried updating my McAfee definitions and installing AVG Anti-Spyware (a recommendation I saw in another forum) but still no luck. Any ideas on how I can fix this? I am running Windows XP. I noticed a post similar to this from someone else but did not see a response. Any help would be appreciated.

Thanks!
 

A:w32/nuwar.sys virus preventing internet access

Hi, hrj3

Welcome.

Please restore those files from McAfee Quarantine. They could be legit files and will be the reason you have no connection.

Keep me posted.
 


Hello, I'm a new member so I'd like to first thank TSF for...well, existing.

I've run into some severe issues recently and could urgently use some assistance.

Here's a quick breakdown of my system:

- Window XP Pro Service Pack 2 (Auto-Updates On)
- McAfee Home Edition (current engine and dats)
- Ad-Aware SE Personal
- Windows Live One Care
- MS Outlook

Breakdown of possible symptoms:

- Lost .pst files of which I had to recover
- System Reboots when: Virus / spy-ware scanning, while turning off system restore, and during start up, probably associated with an initial McAfee scan.
- Also I've been black flagged by Comcast for spam, thus I can no longer send email.

The following is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:14:14 AM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsh...

A:Possible infection from or variant of Win32/Nuwar.N!sys, please review my

Could sure use some help now. This thing is now crashing my computer almost at random.

Luke


Hi, can only run the PC in safe mode. booting normally, nothing appears to run, the usual autostart progs including nod32 antivirus refuse to launch. i can get notepad to open, but most applications - and the important ones - appear to be dead in the water. pc is very slooooow.

initial problems:
nod32 alerted to various files in the directory
C:\Documents and Settings\Robert\Local Settings\Temp
these files were tmp4.tmp, tmp7.tmp, tmpa.tmp etc
at the last count there were 15 files that nod32 complained about, and quarantined.
on rebooting the pc, these files seemed to attempt to launch, though appeared unsuccessful (invalid file reported by OS).

since then: as first paragraph, pc grinds to a halt, cannot launch applications.wwwww

i've followed the 5 steps before posting, and already had xp sp2 fully up to date, and nod32 / microsoft windows defender running.

the panda active scan results are:

Quote:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected c:\program files\common files\ahead\lib\nmbgmonitor.exe ...

A:infected pc: dropper.agent.DGO + others incl Nuwar.HR.worm

i've now used the symantec tool from
http://www.symantec.com/security_res...108-99&tabid=3
to get rid of the virtumonde spyware


April 12, 2007 (Computerworld) -- A massive spam outbreak that tries to trick recipients into opening a file attachment that can hijack their computers has already broken records, security companies said today.

According to researchers at Postini Inc., the spam run is the largest in the last 12 months, and more than three times the volume of the two biggest in recent memory: a pair of blasts in December and January. "We're seeing 50 to 60 times the normal volume of spam," said Adam Swidler, senior manager of solutions marketing at Postini.

Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected -- the password is included in the message to further dupe recipients -- actually contains a variant of the "Storm Trojan" worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers.

This new version of the Storm worm is out there, as I'm seeing copies as well. Trend has declared MEDIUM RISK and as the Computer World article shares this multi-threaded spam engine is massively emailing copies out there.

Nuwar.AOP - MEDIUM RISK for new Storm Worm variant
http://www.trendmicro.com/vinfo/virusencyc...M%5FNUWAR%2EAOP

Massive spam shot of 'Storm Tro...


A Friend asked me to look at his computer tonight. Has PopUps when it boots up, is very slow and I scanned it with PandaSoft Active scan and HiJackThis.

I would love to help him out and learn something along the way.

With Kind Regards
Opar2

Logfile of HijackThis v1.99.1
Scan saved at 7:58:35 PM, on 6/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HbTools\Bin\4.7.1.0\HbtOEAddOn.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Kodak\KODAK...

A:PopUps, Slow performance and possibly Nuwar.C.worm

You have no active AntiVirus!

Get the free AVG AntiVirus 7.5 install it, check for updates and run a full scan

AVG 7.5 - http://free.grisoft.com/freeweb.php/doc/2/
====================

Download Superantispyware (SAS) free home version

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
· It will ask if you want to update the program definitions, click Yes.
· Under Configuration and Preferences, click the Preferences button.
· Click the Scanning Control tab.
· Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
· On the main screen, under Scan for Harmful Software click Scan your computer.
· On the left check C:\Fixed Drive.
· On the right, under Complete Scan, choose Perform Complete Scan.
· Click Next to start the scan. Please be patient while it scans your computer.
· After the scan is complete a summary box will appear. Click OK.
· Make sure everything in the white box has a check next to it, then click Next.
· It will quarantine what it found and if it asks if you want to reboot, click Yes.
· To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/...


I've recently acquired a rather pesky virus on my pc. The main trouble is when I search on Google, then try to click on some of the results found, I am redirected to different website pages than selected. Totally off the wall type websites, like everydayhealth.com when I click on photobucket.com. It was really quite difficult, for me, to find any info or find this website even when nearly every link I hit take me somewhere I don't want to go. Many times I will also get the "Internet Explorer cannot display the webpage" page and my internet seems much slower as well. I've updated and ran MBAM, ComboFix, I have Nod32 antivirus, but it isn't helping. Another thing that has happened is I set my pc up for a static ip, and twice now I've had to re-enter my DNS 1 & 2 because the numbers would just vanish for some reason, I don't know if it's related, but it's just more of the mystery to me. Your help is greatly appreciated.

Here is a link to the screen shot of the warning I get from Nod32: http://i415.photobucket.com/albums/pp237/o.../Nod32alert.jpg

Here is the DDS log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Wayne A Henry at 9:48:05.85 on Wed 04/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.682 [GMT -5:00]

AV: Eset NOD32 antivirus system 2.51 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Sy...

A:Google Search Virus (a variant of Win32/Nuwar Worm)

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul...


Mod edit: Moved from the XP forum--PK

Help me. My computer restarts all the time. Windows come with this message to me: Virus alert: Microsoft detected the Win32/Nuwar.N!sys virus on your computer.
Can someone help me, please. Here is my log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:49:07, on 16-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programmer\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmer\QuickTime\qttask.exe
C:\WINDOWS\MXOALDR.EXE
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Programmer\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programmer\Winamp\winampa.exe
C:\Programmer\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUN...

A:Virus Alert: Microsoft Detected The Win32/nuwar.n!sys Virus On Your Computer

Hi Jens B and welcome to Bleeping Computer.
I will be handling your log and helping you to get cleaned up.

Your current Hjt log is from the new beta version, please use the 1.99.1 version until the new version is out of beta.

Please download the self-extracting version of HijackThis from here:
HijackThis_sfx download
Save HijackThis_sfx to your desktop.
Double-click the file then click the Unzip button. Then close the Self-Extractor window.
Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).
Please run the extracted HijackThis.exe from now on. Delete any other copies of HijackThis that you have.
Open HijackThis and click Do a system scan and save a log file. Copy the entire contents of that log and post it here by clicking the Add Reply button.

Thanks,
Starbuck


Well, this isn't how I make most of my introductions on forums, but I'm in need of help. It started when my computer restarted one day for no reason and when I logged on to my account, I did an error report. Here were the results:

Virus alert: Windows detected the Win32/Nuwar.N!sys virus on your computer
This problem was caused by Win32/Nuwar.N!sys, a known computer virus.
Win32/Nuwar.N!sys is also known by the following names:
Win32/Vxidl.B
Troj/Dorf-Fam
Trojan.Peacomm
TROJ_SMALL.EDW

It suggested that I download Windows Live OneCare to remove the virus, and I did so, but after attempting to install/download the program, it wouldn't work (I think it was because of my unstable Internet connection, but when I made sure the Internet was working properly, the link wouldn't let me download the trial again). I have an older version of Norton AntiVirus, which after selecting from the list of programs takes forever to open. Once it begins scanning (after waiting forever for the scan to begin as well), the computer restarts soon into the scan.

I checked Norton AntiVirus Quarantine, and this is what I saw:

File Name: UUBkTGowVXlxNVlBQUVod1NkUQ[1].wmf (*Note: I don't know how to find this file on my computer. Yeah, I'm a PC newbie.)
Threat Name: Download.Trojan
Original Location: C:\Documents and Settings\Chris.YOUR-BDED53B550.009\Local Settings\Temporary Internet Files\Content.IE5\LDB6OBU3
User: SYSTEM
Computer: YOUR-BDED53B550
Do...

A:Virus Alert: Windows Detected The Win32/nuwar.n!sys Virus On Your Computer

The best way to get the info needed to diagnose your problem is to post a Hijack This log.

Post a Hijack This log in the Hijack This Forum by following the directions in the link below. DO NOT post the log in this forum.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/


Here is my HiJackThis log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:03 PM, on 2/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AV...

A:Win32/Heur - I-Worm/Nuwar - Win32/Virut

Hi,

I have bad news for you I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case - Game over situation and a format and reinstall is the fastest and especially the safest solution.

You may want to read this why: Virut and other File infectors - Throwing in the Towel?

So, I suggest you to start backup all of your valuable data/documents/pictures/movies/songs/etc.. Do NOT backup any applications/installers and Do NOT backup any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

Read here for instructions how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html


Hello,

First let me explain that I was on the Internet all of a sudden was hit with this tonight on my main computer. Microsoft Essentials alerted me to the following:

C:\Users\Owner\AppsData\Local\rprrdhuaf\nqwmuqgtssd.exe
C:\Users\Owner\AppData\Local\asam.exe

Quarantined
Trojan:Win32/FakeSpypro
Backdoor:Win32/Nuwar.A

After Essentials quarantined these my computer was restarted and I no longer have any access to the internet on that machine. The two mentioned above continue to pop up and Essentials again quarantines them. Internet automatically switches to a http:/// I cannot get out to any sites.


How do I go about performing and giving you the initial reports? I am contacting you via an old machine. Any help would be greatly appreciated.

Sincerely,
John

I was able to get the programs on a disk and run them on the infected computer. I am pasting the DDS.txt but the Manage Attachments button will not open when I click on it to attach the other files, attach and ark. Please let me know how to send them to you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 3:30:59.51 on Sat 05/29/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3061.2016 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\W...

A:Trojan:Win32/FakeSpypro and Backdoor:Win32/Nuwar.A

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Due to the restrictions on Vista, all tools should be started by right-click > Run as Administrator

------------------------------------------------------

In IE, go Tools > Internet Options > Connections > LAN Settings and untick 'Use a proxy server for your LAN' or reconfigure the Proxy server again in case it was previously configured, then 'OK' your way out.

You should have internet access now.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have di...

Answer Match 38.22%

I was tricked into clicking on a supposed Greeting Card weblink in an email which downloaded, I think, Greeting Card.exe which had already activated itself. The virus was hijacking the internet connection to do something - a fast broadband connection became slow. AVG Anti-Virus identified Downloader.Tibs, adirss.exe and various game.exe files, but deleting them from the vault only provided temporary respite because they would be re-created.

I have followed your instructions to the letter: cleanmgr, CWShredder, AdAware and Spybot in safe mode, Panda Antivirus, McAfee AVERT. In between the last two I also did a full scan with my now-upgraded AVG Internet Security.

AdAware found 16 objects which I deleted. Some 10 of these were cookies, but a couple were hacker tools of some sort. Spybot got nothing. The Panda scan produced a report but wanted more money from me to disinfect which I wasn't prepared to spend. The following is the report and in brackets I have described what I did with each item:

Potentially unwanted tool:application/altnet Not disinfected C:\Documents and Settings\Administrator\Start Menu\Programs\Altnet
(There was no content (hidden or otherwise) in the Altnet folder. I deleted it.)
Adware:adware/aureate-radiate Not disinfected c:\program files...

A:I-worm/stration, I-worm/nuwar, Downloader Infection

Hi Dick Wolff, I am SifuMike and I will be helping you. How is your computer acting now that you have done some scans?

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan". This scan may take a few hours. It all depends on the number of files on your computer. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post the BitDefender log.

****************

Download ATF (Atribune Temp File) Cleaner by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido). This is a 30 day trial of the program.

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desk...

Answer Match 26.88%

Malware byte's Anti Malware software, Malware byte's Anti Malware Not working

My google requests are being redirected to other sites. As a first step to correcting this, I started to run Malware byte's Anti Malware software. After I updated it, I started the scan when all of a sudden it stopped working. When I tried to reconnect, I got a message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item"

I re-installed the software, updated it, and tried to run it again, and got the same message.

Since then, SuperAntispyware, RootRepeal and now DDS will not work. They download okay, but then terminate during the scan, hence I don't have logs I can insert.

I've backed up all my data onto an external hard drive.

I'm at my wits end, but I'm happy with any assistance I can give you. Hopefully the topic link works.

Here is my Win32kDiag.exe log. The next post will be my Rootrepeal drivers log.

Log file is located at: C:\Documents and Settings\Phil\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP247.tmp\ZAP247.tmp
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP453.tmp\ZAP453.tmp
Mount point destination : \Device\__...

A:> Malware byte's Anti Malware software, Malware byte's Anti Malware Not working

Hello smartjock99,

You got a Rootkit on this computer. We will need to take this cleanup in phases. You are not clean until I tell you so - even if it appears that everything is running fine!

Let's begin....

==========
Step 1

Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

==========
Step 2

Please do this: Click on the Start button, then click on Run... In the empty "Open:" box provided, type cmd and press Enter
This will launch a Command Prompt window (looks like DOS). Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\ /y

In the Command Prompt window, paste the copied text by right-clicking and selecting Paste. Press Enter.
When successful, you should get this message within the Command Prompt: "1 file(s) copied"
NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script (step #3) won't work if the file copy was not successful. Exit the Command Prompt window.

==========
Step 3

Warning to others reading this thread!: The Avenger i...

Answer Match 26.46%

these are the instructions I followed:

Uninstall it
click on this link and then select run.
http://www.malwarebytes.org/affiliates/2...
INSTALL IT TO YOUR DESKTOP, update it, then run a full scan and remove everything it finds.
some viruses will try to disable it so if malwarebytes will not start up then go into the folder it is in and rename the mbam file to XXX then double click on the file you just renamed to start it up.
after you have used malwarebytes then do this on-line scan. to make sure you have nothing else hiding away.
http://www.bitdefender.com/scan8/ie.html
preferably in safe mode with networking.
it's important you install it on your desktop so you can easily get into the folder and change the name of the mbam file. and viruses do not always look on the desktop for it.
OR you can try the on-line scan first.

This seemed to have helped but I still can't run Malware bytes and my computer redirects websites I try to get into sometimes. I installed Norman Malware cleaner and this is what it said:

Removed 5 of these (deleted file:C:/windows\system.32\UACqfqboedxvctjti.dat)
in red appeared - To many infections/an unexpected error (Please contact support): C\Windows\system32\UACqfqboedxvctjtit.dat (infected with Text/Td.ss.A)
File marked for defered cleaning (reboot required) c:\windows\Temp\UAC314c.tmp (infected with W32\FakeAlert.NEUI clicked quit after it finished scanning and it prompted me to reboot computer automatically. I ...

A:The computer at work is infested with PAV. I downloaded Malware bytes anti-Malware but it still won't scan

Hello, it appears you are heavily infected with rootkits. They are interfering with removal. You need to run HJT/DDS. Please follow this guide. Go and do steps 6 and 7, Preparation Guide For Use Before Using Hijackthis. Then go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log. Let me know if it went OK.

Answer Match 26.46%

Hi all,

My dad has asked me to take a look at his computer after it's been acting odd, and it looks like he's got a doozy of something running on the system. He's been getting some pop ups advertising various programs, the desktop is changed to text reading "Your system is infected! System has been stopped due to a serious malfunction. Spyware activity has been detected" (which is not something any program that should be running would display), Task Manager is blocked from opening and a fake piece of anti-spyware has taken up residence (don't have the name off hand).

Looking at the log, I found a couple of things that I'm not a fan of - batmeter16.dll, for starters. There's a couple others I don't recognize, but I am not sure if they are bad or not.

Unfortunately, my attempts to fix it have been thwarted - an AVG scan said it cleared it up, but more pop ups came. I tried to run Malware Bytes, but when I download the latest update through the program, I get a nice warning message saying "The database you are using is not supported by this version of Malwarebytes' Anti-Malware. Download the latest version of the program."

Additionally, this came about because I tried to start into Safe Mode to get this cleaned up. I couldn't get my keyboard to register keystrokes before Windows started, which kept me from accessing the dialogue allowing Safe Mode to be entered, so I modified boot.ini to force a safe mode boot. Unfortunately, this brought about a blue sc...

A:Malware blocking MalwareBytes (post-update), fake anti-malware program

Hello, my name is fenzodahl512 and welcome to the forum..

Please do the following....

Please download The Comedian.exe by Rorschach112 to your desktop
Please disable all of your antivirus/firewall before doing this step. Please visit HERE if you don't know how..
Double click the program to run it. It will only take around several minutes to run.
It will do a series of tasks and tell you when each one is finished.
You will be prompted to press any key after each step
When it is done it will close and exit itself automatically.
You can delete The_Comedian.exe once it is finished

STOP! if you can't complete this step.. Tell me more about it..

NEXT

Please download OTL by OldTimer and save it to your desktop.
Under the Custom Scans/Fixes box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

Don't change any setting... Just click on the Run Scan button.. Let it scan till finish..
Then a log will pop-up at your Desktop. Post the content of the log here

NEXT

We need to scan for Rootkits with GMER
Please download GMER from one of the following locations, and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recomm...

Answer Match 26.46%

Dear helper,

Am I infected ?? What should I do ?

Windows XP, Internet Explorer 6, Sony VGN-SZ18GP laptop bought in 2006.

System crashed last night, with rapid loss of hard-disc drive space (from 15 GB down to 100 Mb within 2 hours). Norton security (2006 version) & Internet explorer were busted afterward, and were not able to run at all. The built-in system recovery programme was also affected.

Was forced to use the back-up system recovery CD to restore the laptop back to its original shipping state.

However afterward it is still not right. Installed McAfee (from my internet service provider) but the update function is not working - it repeatedly states that it cannot update because I am not connected to the internet, when I'm actually connected to your website typing this email right this moment. Also internet access to microsoft and all other common antivirus websites (Norton, McAfee, AVG, Kaspersky, Avast, etc) is all blocked. Hence I can't even attempt to find out what happened to my laptop.

What virus have I been infected with? What programme should I use to remove the malware now that I cannot access any of the antivirus websites or the microsoft website?

Thank you

Jason

Answer Match 26.46%

Hello all! I'm posting here because I'm trying to take care of my brother's laptop. On Friday (Christmas Eve) he let me know that he'd gotten what appeared to be a malware and or virus attack which appeared initially as a fake anti virus scan ("AntiVirusDoctor") - generating numerous pop-ups and so forth. This was an older Dell (running Windows XP) of his that he'd had to switch to as his newer one is out of service for the moment - so the usual security software he uses and such had either not been reinstalled or not updated for a very long time with the exception of AviraAntivirus (it had just updated itself an hour or so beforehand). Avira's guard seemed to have caught about 20-30 files trying to come in - almost all of these were trojans. He'd started its scan and had found 3 or 4 infections but I suggested he stop the scan and reboot into safe mode so he could run it from there. Meanwhile I went back to my computer and downloaded the newest version of Malwarebytes and after running his Avira again in safe mode ran a full-system scan on his computer in Malwarebytes. This found around 250 or so more infections. I saved the log files from the two malwarebytes scans I ran (I'd forgotten to ensure that all the files had been selected for removal the first time round & when I saw this immediately rescanned and then removed them). I've a decent amount of experience in dealing with computers but not so much ...

A:Malware/Virus Infection: AntiVirus Doctor & other possibly dangerous malware/viruses

Answer Match 26.46%

I have a default Yoog Search in my Search Engines. I try to remove it and set it as google but it would again default to Yoog. Next thing is I just cannot run 'spybot search & destroy' and it doesn't let me open any anti-malware related sites. I can't download any anti malware apps. I am just stuck. I saw a post "Win 2K hijack issue - unable to run malware apps!". I have exactly the same case on my system.

 

Answer Match 26.46%

Hi, I recently got suckered into receiving and falling for the 'fake facebook friend request' malware email (hxxttp://www.net-security.org/malware_news.php?id=1813) and am not sure if I have been infected or not. In the email, I clicked on the link and it brought me to facebook but nothing seemed amiss - however I realized immediately after that it was probably some sort of virus and that, wow, I really am gullible to fall for something like that. In researching about the malware I noticed that a prompt was expected to come up and ask me to download the latest version of Macromedia Flash - but it didn't. So I am uncertain if I've contracted something. Anyway, I haven't noticed any major issues with my computer but I will admit that I'm a little green when it comes to these things so I'm unsure of what to look for - if it's something dangerous running in the background, how would I know, etc.? So I followed the instructions on here and have a few logs. Problem is I don't really understand the language, so to say. What's good or bad. Really I am wondering if someone can take a peek at the logs and tell me if I have a real issue and if it's something I need to address. I'm wary of using this computer in case it's something serious.

Oh, and my computer is running Windows Vista.

Any help is appreciated, thanks.

------------------

DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19048 BrowserJavaVers...

A:Don't know if I have malware/trojan/rootkit problem - fake facebook friend request malware.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429204 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo...

Answer Match 26.46%

I have read several posts regarding Ucleaner and spyware. I am having similar problems:

-- There are three new icons on my desktop: (1) Error Cleaner (2) Privacy Protector (3) Spyware&Malware Protection. When mousing over these icons, the popup window indicates that they lead to "http://viruswebprotect.com/shandler/php?..."

-- I periodically get pop up icons that say "someone is trying to attack my computer" and there was a message that stated "Win32.netsky worm has infected my computer"

I have completed the five steps listed in the "before you post" thread. The only deviation from that is that I already have Windows XP SP2 installed. Any help would be much appreciated. Thanks.

A:uCleaner Malware / Error Cleaner, Privacy Protector, Spyware&Malware Icons

Bump Bump Bump

Answer Match 26.46%

I have an old laptop (2003 bought and rarely used).
Today I tried to run the READ AND RUN ME FIRST MALWARE REMOVAL GUIDE for it.
The CCleaner run was smooth and got rid of some junk.
HOWEVER when I tried to run the Malware bytes software I got the message:

mbam.exe Application Error
The application failed to initialize properly(0xc000001d). Click on OK to terminate the application.

I suspect that my laptop has a malware that does not let it run the Antimalware software...
Can you please help me?
 

A:Old Laptop. Can't Run Malwarebytes Anti-malware Software. Suspect Malware Inhibits It

Are you able to run ANY of the tools, sakoul?
RogueKiller
Hitman Pro
TDSSKiller
MGTools

 

Answer Match 26.46%

I have been having problems with my laptop since June 2009. My kids have gone on inappropriate sites and somehow got viruses. I am no longer receiving most of the unfortunate pop ups dealing with svc host files not working but still the computer is extremely slow. I also have AVG 8.5 and it is detecting two viruses. win32/Heur.

I have run malwarebytes 3 times and once at 9 infections once at 10 infections and once at 11 infections it froze. Each time it froze it froze in C:/windows/system32/config folder. I have to restart the computer each time (takes ten minutes but works). Slow start up and shut downs. Out of 56 Processes I can only see 9 in task manager. And I also see (my web search) like more than 50 times in my start up (Viewing that with Advanced System Care Pro)

This is my system information then AVG report and finally HJT log. Info in the order that I just mentioned.

thanks to anyone who can help out!

AWC System Information Report

Computer System
Computer Name EKAPICA-PC
User Name Eka Pica ( Pee )
Organization
Operating System
OS Name Microsoft® Windows Vista™ Home Basic
OS Version 6.0.6002
ServicePack 2.0
Product ID 89572-OEM-7332166-00029
System Uptime 13/09/2009 1:54:47 AM
Internet Explorer Version 8.0.6001.18783
Microsoft DirectX Version 10.0
OpenGL Version 6.0.6000.16386 (vista_rtm.061101-2205)
Free Physical Memory 1872 MB
Free Page File 3075 MB
Free Virtual Memory 4942 MB
Registry
Maximum Size 682MB
Current Size 25MB
Status OK
Center Processor
CPU Name...

A:Malware bytes freezes and AVG Detects Win32/Heur, Malware or Virus (Either way Please

Hello cgordon311,

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
 

Answer Match 26.46%

Yesterday, I had troubles with Windows live messenger where it (still) says:

"Windows Live Communications Platform has encountered a problem and needs to close. We are sorry for the inconvenience. "

although, the problem isn't about MSN. I found out that this problem was caused by having Malware on your computer. Hence, I decided to run a scan using Malwarebytes Anti-Malware (MBAM).

I noticed that my Avast was disabled and if I try to enable it, it comes up with a window saying: the operation could not be completed.

My google searches also SOMETIMES get redirected to links that are clearly off topic.
like if I google search the terms "malware wikipedia" and I click on the wikipedia link but I get redirected to some Myspace/Anz credit card crap.

Then this happened.
MBAM CRASHED after 2 mins of scanning -> tried to re-run MBAM but a window came up saying:
"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
I ran several other programs such as:
HJT -> scanned for 2 mins, then crashed (no logs were made)
SUPERAntiSpyware (SAS) -> scanned for 2 mins, then crashed
and same goes for any other programs that searched for any malware.
The only program that worked was TROJANHUNTER and came up with a couple of false positives
I also tried using Avira's Rescue CD (the one where you boot up with it and it does a scan)
A scan using Avira was also successful but failed to...

A:Malware/Anti-virus tools wont run due to a rootkit/trojan/malware

i am having the exact same problem!
i have no clue what to do, any help would be amazing!

Answer Match 26.46%

Please reopen the case: http://www.bleepingcomputer.com/forums/t/278792/infected-by-various-malware-help/

Original message, posted on December 14, 2009:

My computer is infected by malwares. Earlier I got help from bleepingcomputer staff under topic malware and has tried to use these software to clean my infected computer but still to no avail. The volunteer who helped me earlier asked me to use hijackthis and paste the logs on this forum.

Malwarebytes Anti-Malware (v1.41)
TFC by Old Timer
Kaspersky Virus Removal Tool
Eset Online Antivirus Scanner.
Kaspersky Online Virus Scanner.
Sophos Anti-rootkit
Norman Malware Cleaner

The problems are:
- When I use Internet Explorer or Mozilla, sometimes another window open automatically that mentions google hiring, websurvey, etc
- When I use search engine to find something, I could not click the link to bring me to the shown result that I want, instead it brings me to an unfamiliar site. I have to copy and paste the web address to open it. If I click the link, sometimes it brings me to an anti-virus ad that force me to download the software (it would not allow me to close the browser) so I have to end the whole internet session forcefully.

----------------------------------------
LOGFILE IS ATTACHED

Logfile of random's system information tool 1.06 (written by random/random)
Run by USER1 at 2010-01-07 19:27:45
Microsoft Windows XP Professional Service Pa...

A:Infected by various malware. Help !!, Malware pop ups and could not open link from se...

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

In the upper right hand cor...

Answer Match 26.46%

New malware detects browser, shows fake malware warning page.

Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to realize they aren't the real thing. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before.

-- Tom
 

A:New malware detects browser, shows fake malware warning page

Thanks
 

Answer Match 26.46%

Hi,

I am the IT manager in my company.

I have a co-worker, his computer has search redirect issue. That means most likely it has malware.
Then i installed some major malware removal: Spybot Search & Destroy, SUPERAntiSpyware, Malwarebytes

After I installed them, I cannot launch them (That definitely means it has some kind of malwares)
I needed to rename their .exe files, after which I can run them and scan my computer.

SUPERAntiSpyware, Malwarebytes found something, but didn't solve the problem, search redirect and
blocking malware removal software are still there. Now i am running Spybot Search & Destroy will see what happened.

By the way, i run them in safe mode because when i logon window to normal mode, it is slow (like it takes a long time to explore hard drive, etc). I suspect the malware slow down my pc. hopefully not registry corrupted or something, but works smoothly in safe mode.

So you guys have any suggestions? or you need a log file from combofix?

Please advise,
Tommy

A:malware: google yahoo redirect and can't launch malware removal software

Try this: http://www.bleepingcomputer.com/virus-remo...sing-tdsskiller

Answer Match 26.46%

I recently got a new client who needed help with his computer. It was silly of me to think it would be simple. I was up all night working on it.

His initial problem was that windows would hang on "Loading personal preferences" and would only boot in safe mode. It wasn't the page file, or any of the usual things... though I did start to notice that normal Windows functions didn't work properly, from MsPaint to IExplorer. I tried to run Autoruns.exe and Hijackthis and they shutdown as soon as they were opened. IExplorer wouldn't load pages and firefox would pop up and load the pages instead.

I thought I should just repair windows, which I tried to do and accidentally installed a second copy of windows on the same partition... I then deleted the second windows installation (windows.0), but after that windows would boot fine without safe mode. That was only the beginning though. I found the google redirect on there, a bunch of old adware and a mess of a disorganized computer.

The system also booted and gave a tapi.nfo error, I searched for this and got nowhere. So I went to regedit and deleted the line causing it. It doesn't pop up anymore, but that didn't solve anything.

I looked further into the situation and found that many others are having trouble with rootkit malware that shuts down anti-malware software.

I tried loading malwarebytes, etc, and even renaming the files and the extensions. It still all shuts down immediately when it's loaded.
... Read more

A:Rootkit, Malware, Tapi.nfo, Google Redirect, Can't open anti-malware

have you tried root repeal? it sounds to me like you've read that post.




Rerun Rootrepeal. After the scan completes, go to the files tab and find this file:

C:\WINDOWS\system32\drivers\UACxpqhxbvttn.sys

Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.

Then run a quick-scan with Malwarebytes. Keep rebooting and running quick-scans with Malwarebytes until it shows zero infections. If after 3 scans it is still not clean post the final log.

this isn't my post so I can't take credit for it but apparently it works
good luck either way. the entire post is called AntiSpy Protector 2009 you should check it out before trying this, good luck

38 more replies
Answer Match 26.46%

I can not do the prework because my browsers are incapacitated, so I can't download anything. The PC indicates that my web connection - DSL - is functioning properly. I don't know if it is safe to insert a flashdrive in order to bring the required programs to my pc, and post the results using my relative's pc. Is there a way to prevent malware from infecting the flashdrive?
 
I am using a relative's desktop PC in order to communicate here. I still have windows XP SP3 on my desktop pc and I finally got a virus despite what I thought was safe surfing, using a limited account. I have Avast free but it did not detect anything. My superantispyware is "locked" and my malwarebytes free stops responding. So I don't know what infection I have. I use Online Armor firewall, but it did not prompt me about any new program. It is set to always notify me, even when running something I have allowed in the past. Whatever it is, also got past K-9 web protection which filters all of my PC use. I am putting a lot of disjointed information that may be helpful into this post, simply because of my need to go back and forth between two houses in my particular situation. (About a 5 minute walk). I normally would not put all of this into one initial post. I understand that the system works better when one detail at a time is presented upon your request. Please understand that I won't be able to provide bits of information without returning home for each request!
 
My last action befor... Read more

A:unknown malware disabled my browsers, locked anti-malware programs

DON'T READ MY POST!
system restore worked!
how do I close this thread as solved??

2 more replies
Answer Match 26.46%

I have scanned with AVG with the latest updates. On top of that insidious google redirect I get random pop ups even when I don't already have IE or Firefox running. Also getting sounds in the background like I'm clicking on a link, surfing the net when I'm not. And SYSTEM in task manager is hogging a ton of memory.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:52:42 PM, on 8/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\... Read more

A:persistent malware undetected by virus scans and malware removal tools

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report,
Please download OT... Read more

2 more replies
Answer Match 26.46%

Privacy Protector, Error Cleaner and Spyware&Malware protection, it pops up a message saying my computer is infected and keeps opening internet windows even when I change the homepage away from the site it wants to go to. It is really slowing my laptop down, and when you attempt to close the pop ups or delete the desktop icons, it freezes the laptop and the only way to resolve it is to restart, but it just comes back no matter what. Norton will not pick it up either. It is causing my laptop start up and loading time to be epic and is making it unusable. This topic has been fixed before by RichieUK on: http://www.bleepingcomputer.com/forums/t/105116/privacy-protector-error-cleaner-spyware-malware-protection/ I have the exact same thing. Should I just follow those steps or wait for specific advice for my system?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:00:05, on 03/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\S... Read more

A:Malware, Privacy Protector, Error Cleaner And Spyware&malware Protection

Hello,
* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt. Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

27 more replies
Answer Match 26.46%

Have been using Win 7 Ultimate x64 for quite a while but tonight ran into a small problem. I like to keep the titles for links very short and want to rename "Malwarebytes Anti-Malware" (I am a registered, paid user) to simply "Malwarebytes". I am listed as an Administrator and I used LockHunter to unlock the file but it still does not allow me to shorten the description. When I shorten the name and hit OK I am told "You'll need to provide administrator permission to rename this file" Since I am the administrator on this machine I do not know what to do. Continuing does nothing. Anyone have any suggestions? /* Philip */

A:Changing File Description for link to Malware Bytes Anti-Malware

Not sure but I think Malwarebytes is trying to protect itself.
That is one of the first things a virus would try to do is change the name/link and get it out of the infection way.

I can change the name of the desktop Icon to MBAM.

9 more replies
Answer Match 26.46%

This showed up when I started up my computer last night (I'm running XP). My desktop background changed to red with biohazard type logo, windows keep popping up trying to sell me protection, etc. When it first showed up some of my desktop icons disappeared and I couldn't get into my c drive, but that seems to have stopped for the moment.

I've run my Kasperskys Antivirus, which says it can't delete it, disinfects it, but doesn't seem to change anything.

I've also used System Mechanic 5, Spybot Search and Destroy, Smitfraudfix (I saw this suggested to someone else viewing another forum - and it seems to work and everything looks good for 5 minutes, but then lo and behold it comes right back) plus RegClean, RegistryFix, Tracks Eraser Pro, BugDoctor - to try and clean stuff out - some things seem to get rid of it, but then it returns. I've been looking it up on google to see what other people did, and trying these things, but obviously this strategy hasn't worked. It's just given me a headache.

I'm out of my depth. I really need help! Thank you in advance for your wisdom.

Here are my dss reports:

Deckard's System Scanner v20071014.68
Run by Aqua Dragon on 2008-06-08 11:54:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
5: 2008-06-08 15:54:53 UTC - RP230 - Deck... Read more

A:I Have An Error Cleaner, Privacy Protector, Spyware And Malware Protection Problem (virus? Malware? Trojan?)

Hi,
Please uninstall the following programs since they are known to cause more damage than anything else:
RegistryFix v6.2
Bug Doctor 3.0.3.8
Reboot afterwards.
After reboot,
* Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
This includes installing the Windows XP Recovery Console in case you have not installed it yet.
Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

2 more replies
Answer Match 26.46%

I have a Windows XP SP3 PC from a user who was infected with malware, I used Malware Bytes to remove the offending software, and now I am unable to open the Windows Update page. I can browse to other pages but after a few minutes, I get redirected to another random page. I also keep seeing the Just In Time debugger. Tried a Registry edit I found recommended elsewhere, to fix that issue, but that didn't last. At this point, neither SAS nor MBAM see any malware present, but I am stuck with my problem. Existing antimalware package is MS Forefront. All utilities I have used have been updated to the most recent definitions.

A:Malware Bytes cleaned malware, now Windows Update doesn't work, webpages randomly redirected

Hello,
Please follow the instructions in ==>This Guide<== starting at Step 6.
Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues and what you have done to try to resolve them.
If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.
Orange Blossom

1 more replies
Answer Match 26.46%

I did a hijackthis scan and here's what I got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:17 PM, on 4/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynT... Read more

A:Malware Blocking Access to Spybot, Microsoft Malicious Removal Tool and other anti-malware programs

Hey guys I solved my own problem. I completely reinstalled windows. (It was about that time anyway)

2 more replies
Answer Match 26.46%

I have run into a terrible problem and can no longer use my computer. It started a few days ago when I believe I was infected by malware...I noticed a program running in my task manager...one of those short 3 letter exe programs, so I decided to run malware bytes. Malware bytes successfully found that program and I think called it a rootkit or something else. I chose to remove the found problems and then it asked me to restart. Following restart, I get a blue screen of death shortly after the windows XP title comes on. When I choose any of the options (Safe Mode, Safe mode with networking, Safe mode with command prompt, or normal windows) I always get the blue screen and cannot log into windows.

The error message reads:
A problem has been detected and windows has been shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen restart your computer. If this screen appears again follow these steps: Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical Information:
STOP: 0x0000007B (0xBA4C7524, 0XC0000034, 0x00000000, 0x00000000)

So at this point I ordered startup/recovery CDs from dell. I am using a dell computer with OEM installed windows XP home edition. I got the recovery CD today, and can now boot from CD.... Read more

A:Blue screen after running malware bytes - infected with malware

Hello, lets see if we can find the cause of this problem. I will move this topic to the malware removal forum.
Try this please. You will need a USB drive.
Download GETxPUD.exe to the desktop of your clean computer
Run GETxPUD.exe
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD.
Remove the USB & CD and insert it in the sick computer
Boot the Sick computer with the CD you just burned
The computer must be set to boot from the CD
Gently tap F12 and choose to boot from the CD
Follow the prompts
A Welcome to xPUD screen will appear
Press File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
Press Tool at the top
Choose Open Terminal
Type the following and press enter:

dd if=/dev/sda of=mbr.bin bs=512 count=1

Press Enter
After it has finished a file will be located on your USB drive named mbr.bin
Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.
This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

4 more replies
Answer Match 26.46%

I have not had a virus in 10 years, but I got one now. I double clicked on a password icon (STOOPID), and immediately knew I screwed up. Now when I boot up, a little dialog-box screen pops up with PW: supergirl in it and has an okay button. This is basically letting me know that the malware is running. Clicking the "X" to close the box or hitting okay seems to make no difference.
 
Since this started (a few days ago) microsoft essentials is gone, defender is gone, no anti-malware programs will run (even in safe mode). I ran rkill (in both regular and safe mode) and it said 1 process was terminated, but as soon as it says that, the password dialog box thing pops back up immediately letting me know the malware is running again. I ran a dds.com scan and nqij.exe seems to be blocking all antivirus.
 
Any help is greatly appreciated.
 
EDIT: running windows 7 32 bit

A:malware won't let antivirus run. rkill says it works, but malware restarts

Hi chili2 and welcome to BleepingComputer!
 
You said you double clicked on a password icon; what is that, and where is it located?
 
And can you run any programs?
 
Thank you.

10 more replies
Answer Match 26.46%

Good afternoon,
 
  After 2 years of no problems, it seems I may have been infected with Malware.  The hard drive spins constantly, making my laptop nearly worthless.  I rebooted my computer in Safe Mode and ran several programs to try and find/remove the Malware.  Some programs run OK and find nothing, but at least 3 programs run for a short time, then freeze up and the hard drive spins constantly.
 
  Here is what I've tried so far:
- Norton Power Eraser - Finds no problems
- Panda Cloud Cleaner - Did find and quarantine a few issues
- Kaspersky - I ran a thorough scan on everything - it took several hours and did find 2 infections.  Cleaned or quarantined both
- Malwarebytes - Gets to a certain point, then freezes.   Hard drive spins constantly
- ESET - Gets to a certain point, then freezes.  Hard drive spins constantly
- House Call - Gets to a certain point, then freezes.  Hard drive spins constantly
 
- AdwCleaner - Ran this, log looks clean except for 1 Firefox and 1 Google Chrome file that are listed
- Junkware Removal Tool - Only tried to run in Safe Mode w/ Networking.  Shows a command prompt screen, but nothing happens
- ComboFix - I have run this, can produce the log file if needed.
 
Any help you can give would be greatly appreciated!!

A:Malware Infection - Freezes computer when Anti Malware Program is run

Hello, having run ComboFix, you need to repost this with that ComboFix log in this forum... Virus, Trojan, Spyware, and Malware Removal Logs

4 more replies
Answer Match 26.46%

I tried to download the new version, and the computer won't let me download it.

And there is something wrong with the version of Anti-Malware I have now. Every time I want to use it, it downloads the setup and then it updates. And today when I wanted to scan, it stopped and the computer ran an error report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:38 PM, on 10/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Secunia\PSI\sua.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\G... Read more

A:Can't download the new version of Malware bytes Anti-Malware

16 more replies
Answer Match 26.46%

Hi

I am a complete newbie so apologies if this is in the wrong place. I have cleaned up some malware / trojans using Spyware Doctor and Malwarebytes. I also have AVG on the system. However, a malware or malware clean up has left Flash not working. When I go to install it again a message pops up that if you trust the site click here. At this point the page freezes and I have to shut down IE8. I have Windows XP.

I have very limited computer knowledge but should be able to follow any instructions! Any help gratefully received.

Many thanks

A:malware/malware clean-up causing adobe to fail and cannot re-install

Since you posted here, let's make sure you're not still infected
Update mbam and run a FULL scan
Please post the results
-----------------------
Then run ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
------------------------------------
SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
Double-click SUPERAntiSypware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperl... Read more

1 more replies
Answer Match 26.46%

Good day to everyone,

My computer is having some malware activity. I have used adware 2008, spyware removal tool, norton anti-virus and other removal tools, but still the malware cannot be deleted. The My Computer icon does not display its properties; instead it appears like a file when you view its properties. It also disabled TCP/IP, that's why until now I cannot connect to the internet. I don't have a Windows XP SP2 CD for repair.

Please help me as soon as possible, because it is a server.

A:Urgent! My XP SP2 have malware activity!.. cannot remove using malware removal tool

Hello frozenfire03, Welcome to TSF!

I recommend that you read this article… "Having problems with spyware and pop-ups? - First Steps"; follow the instructions very carefully; then, post all the requested logs and information; as instructed, in the HiJackThis Log Help Forum.
(Simply, click on the coloured links to be re-directed.)

Please ensure that you create a new thread in the HiJackThis Log Help Forum; not back here in this one.

When carrying out The 5 Steps, if you cannot complete any of them for whatever reason, just continue on with the next one until they are all completed.
However, it is extremely important to make mention of the fact that you could not complete any of the steps in your post to The HJT Help Forum; where an Analyst will assist you with other workarounds.

Once done, please be patient, as the Security Team Analysts are usually very busy; one of them will answer your request as soon as they can.

Good Luck with it.

Kind Regards,

7 more replies
Answer Match 26.46%

I've been seeing here that Emsisoft Anti-Malware is free for 30 days, after 30 days of use will be able to scan and remove malware that it finds?
I do not want to use it with real-time protection, I have ESET for it, I use it as I use Malwarebytes Anti-Malware Free, only for weekly scans!
Thank you
#Translator
 

A:Emsisoft Anti-Malware Free'll be able to scan and delete the malware?

Download emsisoft emergency kit

Emsisoft Free Emergency Kit: Portable malware scanner | Free removal of Viruses, Bots, Spyware, Keyloggers and Trojans

it's scanner without real time, full free
 

3 more replies
Answer Match 26.46%

Hi,
I've already posted a thread about this and was told to post the logs from DDS, so I'm posting them now(The second application said "32 bit systems only" so I didn't run that one since I'm using a 64 bit system, hope I understood it correctly)
I got a bunch of viruses and malicious applications and problems like unable to connect to the internet (Though local network and web browsers work, but Applications like Origin don't) Which could be caused by some Malware.


DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16455
Run by pc at 4:09:28 on 2013-01-02
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.8147.6116 [GMT 1:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Softwa... Read more

A:Virus/malware/network issues(possibly caused by malware)

Hello, and welcome to TSF.

I am currently reviewing your log. I will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please be patient with me during this time.

7 more replies
Answer Match 26.46%

It is so similar to MaxGen's problem that I have used some of his description of what is happening to me(us).

I got infected by a nasty malware while surfing the internet. Popups were created immediately so I knew right away something was happening. I wasted no time in running Norton AV and Ad-aware. Norton says it had found and removed the problem (Trojan.Vundo and Trojan.Metajuan) and I should restart. But everything got worse after first restart. No programs wanted to work. I even tried to backup personal files to Cd/Dvd and Nero did not recognize my burner. Now my situation is:

1. Even in safe mode, I cannot run any anti-spyware software: Spybot and Spyeraser do not show up even though they are seen running in windows task manager. Then the .exe application file will no longer work. When I tried to run them again, it will say "Windows cannot access the specified device, path, or file. You may not have the appropriate permission to access the item."
2. Cannot connect to any website, it always shows trying to connect. (The connection itself shows OK). - I downloaded AVG after the first restart and it found and fixed 8 of 12 problems found. I rebooted and was then unable to get on internet and AVG does not work anymore.
3. Worst of all, I can't even post the HijackThis logs. It does not start - telling me I do not have permissions.

Like MaxGen there could be other symptoms I have yet to discover. I too have never seen this kind of nasty stuff. Please help!... Read more

A:ME TOO!! Infected by extremely nasty malware, can't even run HJT, please help, Unknown malware, windows XP

If you cannot get DDS to work, please try this instead.
Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
Close all applications and windows so that you have nothing open and are at your Desktop.
Double-click on RSIT.exe to start the program.
If using Windows Vista, be sure to Run As Administrator.
Click Continue after reading the disclaimer screen.
Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
When the scan is complete, a text file named log.txt will automatically open in Notepad.
Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.

6 more replies
Answer Match 26.46%

I have used Malware bytes removal tool, Superantispyware and Hijackthis without any luck. The tools say they remove the malware but it keeps coming back. Help please!! URL I am redirected to is below.
[url=http://remove-spyware201.com/scn1/?engine=%blah blah blah] DON'T GO THERE!!!!!!!!!!!!!

DDS (Ver_09-12-01.01) - NTFSx86
Run by Helen.Hanson at 21:41:00.07 on Tue 29/12/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.61.1033.18.3063.2270 [GMT 9.5:30]
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\windows\system32\svchost -k DcomLaunch
C:\windows\system32\svchost -k rpcss
C:\windows\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\spoolsv.exe
C:\windows\System32\SCardSvr.exe
C:\windows\system32\svchost.exe -k LocalService
C:\Program Files\Altiris\AClient\AClient.exe
C:\Program Files\Altiris\Altiris Agent\aexnsagent.exe
C:&#... Read more

A:Malware redirects Google search to bogus Malware site

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions... Read more

2 more replies
Answer Match 26.46%

 
A trojan that's currently doing the rounds in Japan is using Windows itself to try to defeat security software on infected machines.
Trend Micro reports that the BKDR_VAWTRAK malware, which steals credentials used for online banking at some Japanese banks, is using a Windows feature called Software Restriction Policies (SRP) to prevent infected systems from running a wide range of security programs, including anti-virus software from Microsoft, Symantec, and Intel. A total of 53 different programs are blocked by the malware.

http://arstechnica.com/security/2014/06/banking-malware-using-windows-itself-to-block-anti-malware-apps/

A:Banking malware using Windows to block anti-malware apps

TrendLabs: Windows Security Feature Abused, Blocks Security Software

Edit: Your Trend Micro link initially did not work for me so I reposted it for the benefit of others. Checking a second time the page finally opened.

3 more replies
Answer Match 26.46%

A Chinese advertising company is responsible for two of the biggest waves of malware for both the Android and iOS ecosystems, a recent Check Point report reveals.

Yingmob, an advertising company based in Chongqing, China, is supposedly the group behind the YiSpecter iOS malware and the HummingBad Android malware.

Both function in the same way, meaning they infect devices to show ads and secretly install other applications, earning their creators money from pay-per-install programs.

Crooks making over $300,000 each month
Check Point estimates that HummingBad alone delivers over 20 million ads per day that achieve a click rate of 12.5 percent, which is the equivalent of 2.5 million clicks per day. Additionally, HummingBad installs over 50,000 fraudulent apps per day.

Putting all these numbers together, Yingmob earns over $3,000 per day from clicks alone and another $7,500 from fraudulent app installs. That's around $300,000 each month, or $3.6 million per year.

Check Point researchers say that HummingBad has managed to infect 85 million devices at the moment, and Yingmob has complete control over these smartphones because it illegally rooted the devices and can push any type of malware or make the devices take any action.

Read more: Chinese Advertiser Behind YiSpectre iOS Malware and HummingBad Android Malware
 

More replies
Answer Match 26.46%

Hi. There is something going on with my computer, can't get on internet and many pop up messages, and I have tried to run MBAm. When I click on "Remove Selected" it starts doing the removal but then a box pops up with "Malwarebytes Anti-Malware has encountered a problem and needs to close." There are three boxes to choose to click on...Debug, Send Error Report, or Don't Send. When I click on Debug I get a new pop up box with "DrWatson Postmortem Debugger has encountered a problem and needs to close". Same three boxes to choose to click. I click on Debug and then get a pop up box with "Microsoft Visual C++ Runtime Library. Runtime error. Program:C:\Windows\System32\svchost.exe".

I have multiple pop up boxes coming up when I just log on:

dsca.exe-Application error

27578134.exe has encountered a problem

Sysfader:IEXPLORE.EXE-application error. Instruction at "0x03a0bdd9" referenced memory at "0x03a0bdd9". The memory could not be written. When I click "OK" to terminate this it came up with multiple other boxes with different numbers...0x0403bdd9,0x03eabdd9,0x0455bdd9,0x053abdd9.

ctfmom.exe Application error

Data Execution Prevention-Microsoft Windows...to help protect your computer Windows has closed this program: Internet Explorer.

I am unable to get on the internet from my computer and am currently using my husband's laptop to post.

I would appreciate anyone's advice or help.... Read more

A:Malwarebytes Anti-Malware unable to remove selected malware

I would try logging in to safemode with networking and then run the scan from there. To log in to safemode gently tap the F8 key as the computer reboots and then select safemode with networking from the list. If you are able to run the scan in safemode then there's probably some infection that was preventing it from running in the regular Windows mode. If not then there may be a problem with the Malwarebytes. I have had a similar problem and I had to un-install it and then re-install it. I emailed their tech support and was told it was possibly a conflict between it and AVG free though I'd never had that problem before... EVER.

I suspected it was something buggy with the update that had come through.

4 more replies
Answer Match 26.46%

Hi, I've been trying to remove the searchinterneat-a.akamaihd.net malware for months. I looked over at least 10 different guides on how to remove the malware. I tried multiple antimalware programs from HitmanPro to Anti-Malware and it seems like none of them can detect the malware. Looking for help!

More replies
Answer Match 26.46%

Hi all!
Recently while searching for new Anti-Malware tools to try subsequently in order to clean my computer for malware, I came across EMCO Malware Destroyer.
And hence, now I am wondering: What is your opinion on the Anti-Malware tool EMCO Malware Destroyer?
Thank you very much in advance!
Regards,
midimusicman79

A:What is your opinion on the Anti-Malware tool EMCO Malware Destroyer?

I have seen it advertised on Major Geeks and other third-party hosting sites but write ups and reviews never impressed me.

EMCO Malware Destroyer by Softpedia
...To start with, you should note that it does not provide active protection, heuristic scans or an active shield of some sort. This utility will only search for baddies currently loaded in the memory or running processes that are infected...
Malware Destroyer is designed for manual virus checks and the fast scans recommend it, but bear in mind that it is mainly aimed at non-techy users and will only provide an occasional supplemental layer of protection.

0 more replies
Answer Match 26.46%

Hi, A suspicious SVCHOST.exe just popped into my startup list. I bet it's not the only one causing my sudden computer slowdown. I attached my HijackThis log and I hope someone gets to help me. Thanks!

A:Malware. Unable to Update any Anti Virus/Malware Program

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

1 more replies
Answer Match 26.46%

Hi, I'm suddenly having a lot of trouble with malware. My computer seemed to be running okay but I ran Malwarebytes as I occasionally do, and it picked up a fair amount of malware on my system. I deleted it and rebooted, but that's when my problems really began. Upon restarting, my internet connection has become almost unusable. It's extremely slow and generally I can't even open a page that I want after trying to refresh several times. Oddly though, google is working perfectly and a few other sites seem to work too, including this one. I've tried running MBAM again and again, each time it picks up more malware and I remove it, then reboot and the cycle renews. I can't seem to get rid of all of it, every time I scan my system there's just more of it. I've tried ComboFix but it doesn't seem to have done anything. One persistent thing seems to be photo_id.exe, I've got a few messages from MBAM saying it can't be removed and I need to reboot. Also, I've noticed that if I'm trying to reach a webpage, although it won't load there seems to be some redirecting, for example I just tried to reach a wikipedia page and it says "The server at topsearchfeed.com is taking too long to respond". For some reason I can't bloody format this properly no matter how hard I try, so here's an attached HJT log:
 

A:Malware removal attempt led to unusable internet, still can't remove all malware

Problem has become more serious, now my mother has told me that the internet on her laptop is also extremely slow and essentially unusable. I'm worried that something from my computer has got on to hers via the wireless network we're both connected to. Somebody please help me.
 

2 more replies
Answer Match 26.46%

My PC at home has suddenly been attacked. I had been using CA Anti-trust successfully for a few years, but it appears it was overpowered. I did some research on a laptop to try to narrow the list of suspects and it looks like Conficker or Downadup are suspects, but using some online removal tools, the scans are showing up negative. I still think I'm on the right track, though. I purchased Panda Internet Security 2009, but couldn't get it to update the definitions via the update wizard, getting an error message that I needed an open internet connection and that the server was unavailable (error msg 12007). Online Panda support attributes that to Conficker and says to go to Start/Settings/Network Connections/Properties, scroll to TCP/IP and click the "Obtain DNS settings automatically", which I've done without any success. I saw a post on this forum that a virus called DNS_Changer may impact on this. I purchased PCTools Spyware Doctor with virus protection with the intention of getting my Panda purchase refunded due to lousy support. I disabled Panda, installed PCTools Spyware Doctor, updated the definitions without a problem and ran the scanner. It picked up 90 infections, mostly cookies, but 10 medium threat trojans, including DNS_Changer. I selected the remove all and re-ran the scanner (I overlooked the re-boot, accidentally) and left for work (where I remain now) and am anxious to see what progress I find on my return home.

Your forum, by far, seems... Read more

A:Malware sites redirected, no spyware/malware updates - Recycler

16 more replies
Answer Match 26.46%

New here so um Hello...With that said, got a slight issue but I'll get the important stuff over first.

I am using Vista SP1 and have what I believe to be a malware issue. I currently have McAfee installed but will be deleting it once I find something I feel comfortable with. I refuse to use AVG as it allowed me to get several issues previously and I uninstalled it and swore never to use it again and most of the free programs I just don't trust.

Anyway, The main issue I am having is that the task manager is disabled when I log on. I have used RRT to remove restrictions several times after running Spybot and Mcafee scans that supposedly found issues but not the one I needed to remove.

This is the problem signature:
Problem signature:
Problem Event Name: APPCRASH
Application Name: TskMan.exe
Application Version: 3.2.0.8
Application Timestamp: 46d4a362
Fault Module Name: TskMan.exe
Fault Module Version: 3.2.0.8
Fault Module Timestamp: 46d4a362
Exception Code: c0000005
Exception Offset: 00006855
OS Version: 6.0.6001.2.1.0.768.3
Locale ID: 3081
Additional Information 1: 0a48
Additional Information 2: 34e5d017764bf976bf7edf77752074ae
Additional Information 3: 4086
Additional Information 4: 3283ef3488b4654c1e2d8ca7e3ee01ad

Since reading this I have downloaded Malwarebyte's Anti-Malware and it found Malware by the name of Password stealer. I have since removed it and... Read more

A:Task Manager failure + Malware issue (Have deleted the Malware I believe)

Hi Devilpope,

Maybe the issue of the task manager was also caused by the malware. If "yes", then you may need to do a system restore to the condition it was in before the malware infected your system.

Do this if you think it got this problem during the malware infections.
 

3 more replies
Answer Match 26.46%

A couple days ago I was looking at the weather online on my Toshiba laptop (XP Media, SP3) when I got a report from Avast stating it had blocked a connection to a malware site, just like this, which popped up when I was typing.

Infection Details

Process:file://C:\WINDOWS\System32\svchost.exe Infection:url:Mal
Obviously I scanned and it did pick up some things, and I thought I had gotten the problem. Obviously I didn't, and I got Malwarebytes which I scanned with and again thought I might be good. MWB just started constantly reporting outgoing connections being blocked. I did some digging, a lot more scanning (all turned up clean), and I noticed a couple things.

1. I'm getting issues with SVChost where it is sometimes taking up nearly my entire CPU. I replaced it with a different version of SVChost (in all windows folder locations) and whatever is using it to do the bad stuff isn't the file itself because it resumed causing trouble.

2. I tried to get rid of all unwanted processes & services, & I came upon one which I couldn't get rid of- groovemonitor, associated with Microsoft Office. I'm suspicious because I've tried deleting it, manually and automatically, and whenever I try to delete the entire Microsoft Office folder this one set of files (the groovemonitor dll's) will not let me delete the folder. I've tried disabling this whenever possible.

I'm still getting constant url blocks no matter what I have done, all sca... Read more

A:Avast & Malware Bytes Constantly Blocking Malware Connections

Just wanted to provide a bump.
 

1 more replies
Answer Match 26.04%

This is my first malware analysis and writeup... hope you enjoy!

Thanks to Billy69 for the sample.


Code:

Filename: 0ff1ceval1dKey00.exe
Approx. file size: 1.7 MB
MD5: 597029dcb2738c17be6d79814cdaf229
SHA-1: 4a99520e5e2070d02883cdba89ecf188b3b39add
VirusTotal: https://www.virustotal.com/en/file/b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd/analysis/
HybridAnalysis: https://www.hybrid-analysis.com/sample/b1221bb12788f188e4259305e1d37e91cac7ca2810d0211c45600a23697882bd?environmentId=1
Analysis was performed in a Windows XP VirtualBox.
Host machine was Xubuntu 14.04 LTS.

Section 1: Dynamic Analysis
Upon execution, the malware drops some files to the user's AppData folder. Here are the interesting parts of the Regshot log:


Code:

Regshot 1.9.0 x86 Unicode
Comments: Filename is 0ff1ceval1dKey00.exe
Datetime: 2015/8/30 07:15:14 , 2015/8/30 07:17:31
Computer: XPLAB , XPLAB
Username: [REDACTED] , [REDACTED]

----------------------------------
Keys added
----------------------------------
HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\9hGVNkAaKZH

----------------------------------
Values added
----------------------------------
HKU\S-1-5-21-790525478-854245398-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Znggurj Lbhat\Qrfxgbc\Fnzcyrf\0ss1priny1qXrl00.rkr: 02 00 00 00 06 00 00 00 D0 19 09 B4 F3 E2 D0 01

HKU\S-1-5-21... Read more

A:Malware Writeup: Complete AutoIt Malware Analysis

@TheSteampunkHedgehog

You said that you're relatively new to malware analysis but this thread proves the exact opposite.

Great work !
 

1 more replies
Answer Match 26.04%

 Hi all,
 
 I am Pousoidis and I would like to thank you for the services you provide. I am pretty sure that I have a virus in my laptop. My system is an Ideapad U410 with Intel® core ™ i5-3317u 1.70ghz, 8gb ram memory, 64 operating, with windows 7.
 
At some point I could not click on my start menu button without windows explorer notifying me that it had stopped working and that it was checking for a solution to the problem. I went online trying to read about what I could do. Eventually, I restarted my pc with the option of checking for disk errors and that seemed to fix the start menu problem; now the windows explorer does not crash. But after that I noticed that I could not open certain programs such as skype and picasa 3 (and μtorrent which since then it has been uninstalled from my pc).
 
It is then that I became more suspicious and decided to download and run anti-malware programs such as mabm and spybot. None of these can install itself on my pc, always some error message such as "privileged instruction". Was not sure how to proceed from that, so I searched online and came across your site. Thank you again for your help. I apologize in advance, I am not really well versed in the ways of technology. I did run 1 system restore before I visited this site.
 
so I am copy pasting my dds files: 
 
Run by Pousoidis at 13:46:22 on 2014-02-20
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.8053.5... Read more

A:Infected with some malware. Not allowed to install and run anti-malware.

Hello Pousoidis

I would like to welcome you to the Malware Removal section of the forum. Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same... Read more

16 more replies
Answer Match 26.04%

hi, so my laptop has been a bit slow the last week. I had downloaded bluestacks android emulator, I'm not sure if that has caused the problem. (have removed it now)
 
I ran malwarebytes a few days ago and found this:
 
PUP.Optional.ASK, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Scheduled Update for Ask Toolbar, Quarantined, [739b9ba283169b9b7c0656e46e96a35d], 
 
ask seems to crop up every couple of months on one scan or another.  I also ran Sophos virus removal tool the same day, but it didn't detect anything.
 
Today I ran 9lab and it picked up two malware, here is the log
 

 
Windows Vista Service Pack 2 (Version 6.0, Build 6002, 32-bit Edition)
Internet Explorer 9.0.8112.16421
lisa :: LISA-PC
 
31/01/2016 12:29:56
9lab-log-2016-01-31 (12-29-56).txt
 
Scan type: Full
Objects scanned: 41420
Time Elapsed: 1 h 34 m
 
Files detected: 2
[032004C70123AF9D65354C6D2D901A29] Malware.MPL.Heur.vb [C:\Users\lisa\AppData\Local\Temp\unpinFromTaskBar.vbs]
[3077EFB1E39B891E16B34BFE7C439578] Malware.Win32.Gen.1F4A.sm!ff [C:\Program Files\OpenOffice.org 3\program\libtextcat.dll]

 
do I need to run any additional scans or would 9lab have removed everything?
 
Thanks in advance for any help.

A:Malware.MPL.Heur.vb and Malware.Win32.Gen.1F4A.sm!ff detected.

Download Security Check from here or here and save it to your Desktop.
Double-click SecurityCheck.exe
Follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
Make sure the following options are checked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

Please download MiniToolBox and run it.
Checkmark following boxes:
Report IE Proxy Settings
Report FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Devices (do NOT change any settings here)
List Users, Partitions and Memory size
List Restore Points
Click Go and post the result.

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.
Double-click ... Read more

10 more replies
Answer Match 26.04%

This is a follow up to my posting in the "Am I infected? What do I do?" section.

Thank you extremeboy for answering my plea for help. Below is a paste from the infected computer's HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:33 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
H:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Java\jre6\bin\jqs.exe
H:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:\WINDOWS\RTHDCPL.EXE
H:\Program Files\QuickTime&... Read more

A:Malware Won't Let Anti-Malware Run, and Redirects to Malicious Websites

Title was: Browser Redirect - wdmaud? ~ OB

Tried to get help posting hijackthis file last week...no takers, so I started to do a little homework.

My browser redirects to bogus websites (most of the time), and redirects to bogus websites when trying to go to anti-malware sites all of the time.

Was able to get Avira AntiVir loaded, but doesn't detect the virus. Able to get a HijackThis log. McAfee won't launch, Malwarebytes won't launch, Spybot won't launch, etc.

Reading up on the subject of recent browser redirection, there are a lot of people having trouble with the wdmaud file in their Windows/System32 directory. I tried to rename it and reboot, but it just came back. Tried to delete it, and it wouldn't let me. Then I loaded the Gibbon Gipo program, that forces the file to be deleted upon reboot. That works with every file except wdmaud! It keeps reappearing after reboot.

This may or may not be the infected file...might be chasing a ghost here, but any help or suggestions would be appreciated.

Thanks!

4 more replies
Answer Match 26.04%

Hello members (: Thanks in advance for helping me.
 
So, the first time I realised something was amiss was when searches in the Chrome Omnibar were redirecting to Yahoo. If I went to google.com to conduct a search, the ads at the top of the results page would flicker, and then seemed to change (font, size etc.).
 
I uninstalled and reinstalled Chrome, I signed out, I removed all my addons and extensions before reintroducing each one. I couldn't get to the root of the problem. After a quick search, it was suggested to use SpyHunter or Malwarebytes to resolve the problem. 
SpyHunter dropped a massive list of threats after scanning only 1%. When it finally finished, there were many Red Threats, but there was the stinger: I would have to pay for the advanced version, or a license, or whatever it wanted, before removing these threats. As a poor student, I turned to an alternative. That's where Malwarebytes came in. I did a scan, it found some problems and asked me to proceed, which I did, and it claimed the problem was fixed.
Certainly, Chrome doesn't redirect at the minute, but I managed to stop it redirecting it before now; only for it to start again. I ran another SpyHunter scan, and it found all the same threats as before, which, it would seem, Malwarebytes had missed. Now, I haven't bequest any windfall since yesterday, and still can't afford SpyHunter's ransom.
So far (6%), SpyHunter has found 216 threats including Blekko (192 infections), searchinternet-a.aka... Read more

A:Infected with Malware which redirects from omnibar, plus other found malware

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.

===

Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.

IMPORTANT
If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).

===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first ti... Read more

2 more replies
Answer Match 26.04%

I have managed to receive some sort of virus named virtuemonde and Malware Trace. I have tried SB S&D, Kaspersky, Malwarebytes, and Spysweeper. Malware bytes seems to find it every time but they always return. I am getting the annoying pop ups every few minutes. Below is my HJT log file. Any help would be appreciated

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:56 PM, on 11/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper... Read more

A:Virus /Malware Issue Virtuemonde, Malware Trace HELP!

Hello and welcome to BC

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. We aim to provide the valuable service known to come from BC to every member we can, but sometimes it takes just a little longer to get to every request for help.

If you are still having a problem, and want us to analyze your information, please reply to this topic stating that you still need help and I will work with you on resolving your computer problems. If your problem has been resolved, please post a reply letting us know so we can close your topic.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, feel free to create a new one.

Once again, I apologize for the delay in responding to this topic.

Regards

2 more replies
Answer Match 26.04%

I'm about to pull my hair out here! I've been working this problem for 2 days now, and have Googled every which way to find out what's on this PC with WinXP Home + SP3.... there is some kind of trojan virus on it, that prevents anything from scanning the hard drives (ergo, I can install anti-malware software including HiJackThis, Malwarebyte's anti-malware app, and even Microsoft's MRT.exe but as soon as ANY of them begin a scan of the system they are terminated and their exe file has its permissions reset to Everyone ONLY (and apparently this thing has set the policy for the Everyone Group to NOBODY)). Once this occurs, I can't run the program again as I no longer have permission to do so.... in Safe mode, I can reset the executable permissions back to Administrators Full Control and run the anti-malware exe again, only to have it terminated and its permissions again reset... this thing's killing me!

I tried RKill to no effect either, whatever this thing is the most current RKill doesn't recognize it apparently.

I've read on these forums of others who've experienced similar problems, so I know I'm not alone... what nobody else on the internet seems to have figured out though is WHY their anti-malware app goes "Poof!" seconds after it starts scanning the system for malware. There is something, some virus in memory which I cannot locate, which is changing the security permissions of any program that ... Read more

A:Malware setting anti-malware app file permissions to nothing!

Well, I went and sat and thought about it for a few minutes... then came back to the PC, started up Safe mode with Command Prompt, and used the command window to manually launch System Restore and restored the computer back to a checkpoint it had made earlier today BEFORE the desktop went Poof!

To my immense relief, System Restore apparently tracks changes to file permissions as well and it reset the explorer.exe file permissions back and upon restarting the PC I had a desktop with all the trimmings again finally.

However, the virus or whatever it is still remains of course (there are no restore points beyond today, as the virus or 1 of its many friends I already removed from this PC today had disabled System Restore and deleted all the restore points it might have had already).

I don't know where to go from this point with this PC... perhaps it's a dead horse and just needs to be reformatted, idk.

- Michael

15 more replies
Answer Match 26.04%

Hello,

I have malware that prevents me from running anti-malware programs (unless their names are changed to aliases). It also makes its presence known when I am NOT connected to the Internet. In that instance, a message box informs me that "Generic Host Process for Win32 Services" is not working, and gives me the option of sending or not sending the relevant information.

I attach to this thread the "Attach" output from DDS and the .log file from GMER. Unfortunately, I was unable to save the Scan results from GMER in any format other than .log, and when I tried to use the "Copy" function within GMER, my machine froze.

I have also run (in safe mode) MBAM, SpybotSD, SUPERAntiSpyware and the Windows kb890830 malware-detection apps. The first three DID find infected files, which I removed/quarantined in each of the respective apps. Perhaps not surprisingly, the Windows malware detection scan did not pick up anything.

I apologise for the dreadful formatting of the GMER output; the .log file is (I hope) uploaded.

Kind regards,
Adam

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 22:58:53, on 04/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Safe mode

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINNT\Explo...

A:Infected w/Malware that doesn't let you run anti-malware apps etc.

16 more replies
Answer Match 26.04%

Hi! I accidentally installed an unknown .exe file a few days back which didn't seem suspicious, though I think it infected my computer with malware that has hijacked my Chrome. I looked for it in the Control Panel and uninstalled anything that seemed suspicious. I even downloaded and installed various malware removal tools, including Malwarebytes and IObit Malware Fighter. But none of these were able to get rid of it completely, as after a few days my homepage changed again.
What keeps on happening is that new malware keeps on showing up. In the beginning my homepage got changed to "indiatimes.xyz". I looked up online and uninstalled the unknown software from Control Panel and also reset my Chrome settings. After a few days, it came back in the form of Snap.Do and then again I tried to remove it and it went away. But now it's back and again my homepage has changed. BUT this time I keep on getting ads from "Safe Finder". After trying again for a malware search and restarting my computer it seems to have gone away but I don't think that the problem is gone.
Also, it also seemed to have taken over my ESET NOD32 and forced it to block websites that were safe. Among the websites that my ESET was blocking was the official ESET website, so I got rid of ESET as well.
I don't know what to do. I've tried a lot but nothing seems to help. Please I need help!! Please respond as soon as possible. 
Thank you so much. 
My operating system is Windows 10.
 
UPDATE : It is back....

A:Help! Unable to remove malware and new malware showing up daily!!

Welcome.. Please try this

Please download Rkill by Grinler and save it to your desktop.
Link 1
Link 2
Double-click on the Rkill desktop icon to run the tool.
If using Vista/Windows7, right-click on it and Run As Administrator.
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

MiniToolBox
Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

AdwCleaner
Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time ...

1 more replies
Answer Match 26.04%

Hi, I got infected because I was trying to run Malwarebytes and it skipped the part of analysing the files; it ended in around 1 minute in a full scan, and I tried to download Dr.Web CureIt, and it doesn't allow me. The computer seems fine, but those things are very strange, and when I was running the scan I was in safe mode...
 
thanks for the help

A:Malware infected, malware removal tools useless

Greetings samidelcueva and to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you! Now that we are "friends" please call me Gary. If you would allow me to call you by your first name I would prefer to do that.

===================================================

Ground Rules:

First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter pro...

0 more replies
Answer Match 26.04%

Ok this is weird. I run Ntl netguard, and Spyware Doctor. A few days ago, SpyDoc refused to auto update. Nothing strange thought I, site must be down.

Well, it's been four days now. Then I noticed I couldn't connect to Microsoft to do updates either. On further investigation, I found I can't connect to ANY legit malware sites. I have run Spybot, Ntl netguard, Malwarebytes' Anti-Malware, and Norton AV; none found anything wrong.

However, I tried setting up a proxy within Firefox, and CAN connect to the sites I couldn't otherwise. (albeit incredibly slowly).

As things stand, I can't update any malware software, and assume my poor PC must have caught something new and nasty.

Please help

HijackThis follows:-

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:10:08, on 19/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterSer...

A:Help Pls! Can't update Malware Protect or Visit Any Malware Sites

sorry, bump
 

2 more replies
Answer Match 26.04%

I am pulling my hair out. Please help. I have followed the instructions in your excellent forum at http://www.bleepingcomputer.com/virus-remo...-antivirus-plus but still no luck. Every time Malware Bytes starts to run it dies. I have also been unable to get the RootRepeal Report. Same problem - it starts then apparently is killed by Antivirus Plus. I also had difficulty getting the DDS Tool to generate the log files but it finally worked. Here are the two files. At least it's a start. Can you tell me what I should do next? Thank You

A:Antivirus Plus Kills Malware Bytes Anti-Malware

Hello and welcome to Bleeping Computer!

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo...

2 more replies
Answer Match 26.04%

DDS will not run on my computer.. I think it's due to my version of Windows? Is there any other program I can use and post to get help?

A:Very slow computer and malware bytes picking up malware

Hello Heathr6913,

Welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions.

1. Please download AdwCleaner by Xplode and save to your Desktop.
Double click on AdwCleaner.exe to run the tool.
Click on the Scan button.
AdwCleaner will begin to scan your computer.
After the scan has finished...
Click on the Clean button.
Press OK when ask...

4 more replies