Tech Problem Aggregator

# Infected with mstre19.exe and pp10.exe

Q: Infected with mstre19.exe and pp10.exe

I'm getting popups that my computer is infected with instructions to go to the security center to do a full free scan. Something is also trying to access hxxp://goscanwork.com/?uid=13300, but Trend Micro is blocking. Please let me know what other detailed information might be helpful. Thank you in advance for your help. Much appreciated.

DDS (Ver_09-05-14.01) - NTFSx86
Run by Daren Benson at 22:09:48.93 on Mon 06/08/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1170 [GMT -7:00]

AV: Trend Micro Internet Security Pro *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdnserv.exe
C:\WINDOWS\system32\lxdncoms.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Lexmark 2600 Series\lxdnmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 2600 Series\lxdnMsdMon.exe
C:\windows\pp10.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HPQ\shared\hpqwmi.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Documents and Settings\Daren Benson\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Daren Benson\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://us.mg1.mail.yahoo.com/dc/launch?action=welcome&YY=1522597151&.rand=fsur96ibq0b96
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: 1 (0x1) - No File
BHO: TSToolbarBHO: {c1656cca-d2ea-4a32-94ae-ae0b180e6449} - c:\program files\trend micro\trendsecure\transactionprotector\TSToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TrendSecure Remote File Lock] c:\program files\trend micro\trendsecure\remotefilelock\FLMain.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [MaxtorOneTouch] c:\program files\maxtor\managerapp\Onetouch.exe
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [lxdnmon.exe] "c:\program files\lexmark 2600 series\lxdnmon.exe"
mRun: [lxdnamon] "c:\program files\lexmark 2600 series\lxdnamon.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [pp] c:\windows\pp10.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: aol.com\free
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186547253750
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darenb~1\applic~1\mozilla\firefox\profiles\0dev75kf.default\
FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?action=welcome&YY=1522597151&.rand=fsur96ibq0b96
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
R2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2008-10-5 98984]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-8-3 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-2-16 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-2-16 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2008-8-3 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-8-3 648456]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\drivers\P0630Vid.sys [2008-5-28 91830]

=============== Created Last 30 ================

2009-06-08 18:55 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-06-08 17:43 157 a------- C:\43454354.bat
2009-06-08 07:16 1 ----h--- c:\windows\msmark2.dat
2009-06-08 07:16 29,184 ----h--- c:\windows\mstre19.exe
2009-06-08 07:16 2 ----h--- c:\windows\ro122390.dat
2009-06-07 19:21 <DIR> --d----- c:\windows\system32\sysloc
2009-06-07 19:21 14,336 ----h--- c:\windows\pp10.exe
2009-06-03 19:24 54,156 a---h--- c:\windows\QTFont.qfn
2009-06-03 19:24 1,409 a------- c:\windows\QTFont.for
2009-06-02 14:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThumbnailCache4R
2009-05-26 17:18 90,112 a------- c:\windows\system32\QuickTimeVR.qtx
2009-05-26 17:18 57,344 a------- c:\windows\system32\QuickTime.qts
2009-05-11 10:55 <DIR> --d----- c:\program files\windows media components
2009-05-10 22:52 <DIR> --d----- c:\windows\Cache
2009-05-10 22:52 <DIR> --d----- c:\program files\Coupons

==================== Find3M ====================

2009-04-01 20:15 201,728 a------- c:\windows\system32\PolarClock3.scr
2008-08-03 17:01 0 -c--h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT
2007-10-07 10:42 20 -c--h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT

============= FINISH: 22:11:05.56 ===============

A: Infected with mstre19.exe and pp10.exe

6 more replies

Hello all, went to bed last night with zero problems, woke up with a slew of them. Not only do "they" apparently know I haven't renewed my virus software but they also know when I sleep. Not good.

My problem lies in my internet browser being hijacked. Search results from google are redirected by something called "nonstopwebspeedway.net" as noscript is telling me as it blocks it. I have not tried other search engines, and inputting a url or using a bookmark works just fine.

I have run Malwarebytes, my installed virus software (CA Internet Suite), and Spybot, and have removed everything except whatever is hijacking my browser and something called "mstre19.exe"; a running process. Search results (from another computer) seem to agree this is malware, but it won't go away. mstre19 will not show up in the log below as I terminated the process when I booted the computer up, or maybe it will, not really sure how you guys read this thing =D.

Any help would be appreciated, the Hijackthis log is below. As soon as I know my browser is secure I will renew my antivirus software.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:27 PM, on 6/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe

A:Browser Hijacked and mstre19.exe

I snooped around after making the thread, and noticed that this google virus seems to be a widespread problem, at least here on the boards. The only problem is there doesn't seem to be one way to fix it =[.

Although I can still visit sites fine, the browser has been noticeably slowed down, especially when there are videos involved such as on youtube.

The mstre19.exe is still there on system startup as well, and unless I terminate it I soon find something infected on a malware scan.

2 more replies

I can not get online at all. I had the bavariax.exe according to AVG. The virus seems to be removed?? but I can't get online. Should I just restore my computer?

Here is my hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:12 PM, on 7/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\sySTEM32\SvchoSt.ExE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROG...

A:Bavariax/PP10

Hello bigworm,

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

2 more replies

My laptop had a severe case of multiple smss.exe running in my process manager. Both pp10.exe and h36kdzr.exe were also on my computer. I tried removing with HJT but I am new to the program (should have consulted this forum first). Currently my computer will minimize my full screen programs almost randomly, it will play random sound files that are not on my computer overlapping with the currently playing audio and the system seems to slowly crash, losing my ability to open programs until the point when the mouse pad will not work and I have to do a forced shutdown. The one error message that always pops up is that the ihaupd32.exe has crashed, immediately after start-up.

I greatly appreciate all the hard work you fine folks do for the rest of us.
Thank you.

Here is the dds.
DDS (Ver_09-06-26.01) - NTFSx86
Run by Thomas at 22:37:23.28 on Mon 07/13/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1247 [GMT -6:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE

A:smss.exe, pp10.exe, and h36kdzr.exe

Hello and welcome to Bleeping Computer. My name is Syler, I will be helping you to solve your Malware issues. Whilst I am helping you, I would be grateful if you would note the following:
Please do not run other tools or scans unless I ask you to and follow all the steps I give you, in order.
Copy and paste all logs requested in your reply. Do not attach them unless asked to.
If you don't know or understand something, please don't hesitate to say or ask before you proceed with my instructions.
Please continue to work with me, until I tell you your machine appears to be clean. Absence of symptoms does not mean that everything is clear.

5 more replies

Hello. I have been trying to get rid of these viruses (freddy46.exe, ld09.exe, and mstre19) for a while and neither Ad-Aware, McAfee, Malwarebytes, CCleaner, or HijackThis have been able to get rid of them from my registry. The problem originated when I went on a random website and suddenly my computer started giving me pop-ups saying that my computer was infected and that I needed to run an anti-virus program (one that I did not have). I ran McAfee and Malwarebytes and it deleted all of the viruses and trojans it detected except for the ones I have mentioned that seem to be stuck on my start-up registry.

I also was not able to use Windows Live Messenger without Ad-Watch popping up detecting registry modifications and blocked cookies nonstop and I have since deleted the program from my computer (although an old version seems to have remained there?).

I guess I should also mention that I am still able to use many major programs and the internet (using Firefox) without any problems, except for Windows Live Messenger.

Any help would be much appreciated, thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:51 PM, on 7/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svch...

A:I can't remove freddy46.exe, ld09.exe, mstre19.exe from my registry.

22 more replies

Good day,

Recently after running a keygen from some not so legit software, I noticed some strange processes running on my Windows XP machine, they are as follows: SYS32DLL.exe, pp10.exe and Pqarocuvuw yfyqu.exe

I have tried running the "Rogers online protection" virus and anti-spyware scan tool which I have installed but it does not detect these processes as being malicious. The steps I have taken so far are:

1) Block internet access to SYS32DLL.exe which kills browsing the internet on both IE and firefox
2) Download HijackThis and re-name (One of the processes won't let you run it when it has the original name)

That's about it, here is the log file that HijackThis generate, any help would be greatly appreciated.

---------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:27 AM, on 26/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe...

A:SYS32DLL.exe, pp10.exe and Pqarocuvuw yfyqu.exe

2 more replies

My dad has a computer in his workshop and he's been complaining that his mcafee software keeps popping up that things are trying to access the internet.

I haven't seen this happen myself as I only work Saturday mornings. I have run a Hijack This log and I noticed freddy46.exe which I clicked fix and it seems to have gone. On further investigation I also found id09.exe and mstre19.exe are in the log file and after googling these are apparently infections too. The recent mcafee log also shows romeo15.exe has been trying to access the internet.

After removing the freddy46.exe file I thought I should ask for help on the others as I'm not really sure what I'm doing and after googling it's advised that you don't just delete things!

Please can someone help with how I remove these and other dodgy stuff if there's more than I think. It would be much appreciated.

Thanks,
H
DDS (Ver_09-05-14.01) - NTFSx86
Run by micky at 11:15:05.10 on 20/06/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.49 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe

A:Pls help with removal. freddy46.exe id09.exe mstre19.exe romeo15.exe plus goodness knows what else!

7 more replies

The problem:

-Virus/Trojan/Spyware/Malware (not certain which is the proper term, I'll just call it malware) which redirects my browser (IE) whenever I click on a Google search result link.
-Redirect seems to always take me to: lo-find (dot) com
-When my computer is connected to the internet, windows will open spontaneously, claiming my hard drive is full of trojans/etc., prompting me to run checks from the security center.
-task manager is frequently disabled. (I am unsure as to whether this is caused by the malware, or my computer's response to it...)

Some context and history:

Ever since my norton subscription ran out, I have been protecting my computer - or attempting to - with Spybot S&D alone. (TeaTimer thing running).
It asks me to manually allow or deny registry changes, which I habitually allow when installing updates and deny when browsing the web.
My computer caught this malware when I was simultaneously installing a microsoft-provided IDE for C++ (Microsoft Visual C++ 2008 Express Edition) and browsing the web. When a bunch of registry change requests came up, I assumed they were involved in the installation and allowed them.

Shortly afterwards, the problems began. So I disabled my internet connection and ran spybot. Spybot found two entries (something about "WindowsSecurityCenter") and claimed that it had fixed them.
But whenever I reconnected my internet, the problems would return and spybot would find the sa...

A:Yet another case of the Google redirect - pp10.exe running.

4 more replies

Already did some scans with tdsskiller and hitmanpro and they detected Trojan-Spy.Win32.Zbot, Rootkit.Win32.PMax.gen, and rootkit boot.cidox.b, I'm not sure how this machine got so badly infected. The user may have opened a link or some file by accident.

The infected svchost.exe is causing the most problems, creating multiple various connections and slowing down the internet connection. Explorer.exe would also crash and would create connections as well. Internet explorer would pop up to back-linking websites.

No restore cd for this computer. Although I do have a copy of xp meant for dell machines and this is a dell.

Just need to know how I can stop the svchost.exe from creating connections.

dds attached


A:Infected with multiple malware, Cidox, Trojan-Spy.Win32.Zbot, Infected svchost.exe

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re...

15 more replies

I have a mild adware infection that is affecting every computer that goes through my network. Superantispyware can find and remove ONE file (no active, no registry) that is associated with this attack and the problem is resolved (i.e. it does not come back unless I log into this particular network, it's still gone when I restart the computer, etc). The adware does not affect any of my cleaned computers unless I am logged into MY network. A clean load of windows XP with service packs loaded will immediately be infected on my network without so much as going anywhere aside from google.com.

As best I can tell my hijack this log is clean, but here it is for those of you who are far superior at this than I am. This is from the machine I am using which is currently infected.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:43:09 AM, on 12/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe

More replies

DDS (Ver_09-05-14.01) - NTFSx86
Run by Bogdan at 0:21:16,39 on 30.07.2004
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1251.380.1049.18.223.55 [GMT 3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
H:\FIX\dds.scr

============== Pseudo HJT Report ===============

A:Infected by the same flash drive as this http://preview.tinyurl.com/o3l47t one was infected

2 more replies

A:Infected with unknown trojan/malware, has infected pc with rogue:win32/fakerean, VirTool:JS/Obfuscator.CE, and others so far

Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

2 more replies

Hello, I have a gateway desktop computer with Windows XP SP3, Internet Explorer 8, 2GB RAM, and 600GB Hard Drive.

Avira Free Antivirus detected TR/Drop.daws.juu in my recovery partition (D:\) yesterday. MBAM detected PUM.Hijack.StartMenu on my regular partition. I removed these infections and proceeded to backup some files to my external hard drive. While doing so, Avira detected TR/Keygen.AQ.19 and TR/Tool.Keygen.517 in the "system volume information" folder on my external hard drive. I removed these as well.

Lately I've noticed that my computer would behave strangely but more of the behavior is so subtle that it's hard to describe it properly. Every now and then a process named mme.exe would show up in the task manager. I did a little bit of digging and everything I found suggested that it is malicious.

I am usually able to resolve stuff like this on my own, but this time I'm getting nowhere. I have never had an infection on anything other than the partition that my operating system is installed on. I am in need of your help badly. Thank you for your time, here are the logs.

-----------------------------------------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 5:50:25 on 2012-02-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1348 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
===...

A:Multiple Infections - Regular Partition infected with "PUM.Hijack.StartMenu" - Recovery Partition infected with...

Hi there,

It appears that you are receiving help at another forum: http://forums.majorgeeks.com/showthread.php?t=253464

Having multiple topics open at different forums only serves to confuse matters and waste the volunteers' time. In addition, it seems that you have since reformatted your drive. As such, I will close your topic here.

Regards.

Casey

1 more replies

Hello,

I was contacted by some friends last Sunday who said they received lots of weird emails from my email account. The emails contained nothing but a link. I did not send any emails over the weekend so I don't know how this happened. This must be a virus, right? I noticed my antivirus (avast!) began (a few days back) blocking a couple of malwares when downloading emails to Outlook 2007 on my laptop. It identified an infection called "Win32-Malware-gen". It now does this every time I try to download emails and I now have duplicate emails in my Inbox. My antivirus identified the infected emails having subject "DHL Express Delivery" or "FedEx Service Notification" and a document.zip attachment which I think contained document.exe if I'm reading the Avast! log correctly. I did not open any of these emails. The antivirus moved them to chest but it seems the problem wasn't resolved. I then get a microsoft message saying Outlook encountered a problem and cannot exit. It offers me an "End Now" button, but it seems to get into a loop and the whole scenario happens again whereby Outlook reloads and I get the malware messages again.

Another problem I noticed which might be connected is that in IE8, whenever I attempt to login to any site it blocks and reloads webpage with "This tab has been recovered - A problem with this website caused Internet Explorer to close and reopen tab" message. Then it asks me t...

A:Infected with Win32-Malware-gen - Emails (Infected?) spammed from my email account to many recipients without my knowledge etc.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


A:Keep Getting Warning Message That I Have Been Infected With Zlobtrojan Other Says Infected By Trojan.fakealert, Etc


Hi, everyone... my name is Avi... and I'm running XP service pack II. I thought I was pretty good with computers, since I've been playing with them since the era of Wing Commander and Star Control II, and usually I can solve computer issues on my own. However, 2 days ago I noticed that my background had changed to a blue screen that said "Warning, Spyware detected your computer...", and I repetitively get a "Blue screen of death" notice on my computer which indicates that it's about to shut down, but... then it just goes back into windows. My system restore seems to have become disabled, and the background and screensaver modes on my display menu are not working. I have Kaspersky AV 7.0 installed, but I never installed the Kaspersky firewall cause I felt it slowed down my PC too much. I am running the windows firewall, though... and I have adaware. Please help me get my PC back to normal! I ran the Deckard's Scan, along with the Hijack This scan, and I have included main.txt and extra.txt in this post. Thanks so much!
Deckard's System Scanner v20071014.68
Run by Avishek on 2008-06-14 15:19:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Failed to create restore point; System Restore is disabled (service is not running).
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 15.3 GiB (less than 15%) free....

A:Infected With Trojan.win32.pakes.czg/warning Your Computer Has Been Infected...

In the Drivers section click on Non-Microsoft. Under Additional Scans click the checkboxes in front of the following items to select them: Reg - BotCheck


Here is my log using HijackThis. My contacts in Windows Live Messenger are receiving pop-up message notifications with infected links. Norton is not picking anything up, and computer is running really slow. Malware Bytes did not pick anything up either. Any help would be appreciated ... thanks!
-------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:41 PM, on 05/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Prog...

A:Spyware infected, MSN Live Messenger sending out IM with infected links


A:Infected Machine - infected copy of atapi.sys found by Combofix


I was infected with vundo, and I thought I cleaned most of it out using SpyDoctor, Spybot S&D, vundofix, etc. but whenever I log back on, I'm still infected. Please help! Here's my HJT log. Not sure what to do to get rid of this infection.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:55 AM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:...

A:Infected with Vitrumonde. Used SpyBot, SpyDoctor, VundoFix, VirtuBGone, still infected


Hi, Our computer has been infected since yesterday with the SMART HDD virus, which has been hiding all programs. I also believe our computer is infected with a TDSS type of rootkit virus in reading thru your website, as we've been having redirects happening in the search results of Google and BING for quite a number of weeks now.

We have a WINDOWS XP Service Pack 3 computer.

The SMART HDD virus had (at first) completely hidden all the programs from me and made them inaccessible. (see below) I was able to "un-hide" the programs, which allowed me access to Internet Explorer, Outlook Express and a few other programs, but not access to the important virus programs such as Malwarebytes and it wouldn't allow me to run the TDSSkiller program (even with re-naming it). DDS froze up my system twice so I've not tried it again.

What I've done so far:

From a work computer on a whole different network, I was able to read up on your site, good information on what is going on and the steps I needed to take. However, the system is not allowing me to take the necessary steps, so I'll definitely need your help in getting around these roadblocks. I have been running my computer in SAFE MODE and doing that - I was (at first) able to un-hide the programs that are non-accessible, by going to My Computer and following the steps your site says to do. That temporarily enabled me to un-hide the programs, but now, the programs are hidden again. Before the progra...

A:Infected with SMART HDD and also appear to be infected with a rootkit (TDSS type of issue)

Hello and Welcome to Bleeping Computer!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:...


So at first I had the "Internet Security 2010" bug, but I think I fixed that with rkill. But now I got the green desktop with the "system is infected" message. I have heard of people who have this problem trying to restart only to find their system totally screwed, so I'm scared to turn off/restart. I have run DDS and Root Repeal. I know it's Christmas, but please help!!!
DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 3:25:14.42 on Fri 12/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.44 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe

A:Infected, Big Time... Green Desktop with "Your System is Infected" Message

Visit below website. Understand on how to use ComboFix >> download and run the program >> post the log here http://www.bleepingcomputer.com/combofix/how-to-use-combofix


SUPERAntiSpyware has found 5-6 instances of registry keys infected as unclassified.uknownorigin and appears to be unable to delete them despite repeated efforts.

I have run Advance Systemcare 3 in hopes of deleting it to no avail.

Any help would be greatly appreciated!

A:Infected? SUPERAntiSpyware finds infected registry keys


Hi, My Dell Inspiron N400 notebook Running Windows 7 64 bit (Pro), [OS Version: 6.1.7601 ServicePack: 1.0] has become a playground of miscreants from four corners of earth and time is running out. It all started 2 months ago when I opened an email with title that my teenage daughter sex video is on internet. I never would click such a link but it was forwarded by my mother so I was in distress, so I clicked a link in it. It was luckily daughter of someone else and not mine since I never been or had relations with anyone from Nigeria. But from that day slowly everything breaks. My virus killers (Kaspersky then Bit Defender, and Windows Defender and Titanium Trend Micro) get turned off or stop responding. Before I had 36 processes after starting up and now I have 60, and a half hour later over 100 processes that take 100% cpu, 100% of my 8gig memory, and 100% hard drive activity. I reinstalled operating system 3 times on C drive but I have on D drive all my things in storage and in matter of a day after reformatting C and reinstalling, the ghost in machine is back. I have sometimes 10-30 errors in my event logs on a good hour, and 2-3 critical errors every few days. My external monitor port on laptop stopped working, my network cable port (looks like telephone jack) stopped working and I use usb connection to adsl modem. My camera can not be found and is unknown device accepting no drivers but sometimes it turns on and looks at me. Criminal hacker gangs are locked in bat...

A:Infected by 36 Viruses/Trojans/Malware - Infected My Professor


Yesterday while on the computer I suddenly got the Positive Finds popups. I had malwarebytes premium running and it wasn't able to prevent it I guess.

Ran a scan with MBAM and it detected it, I restarted thought it would be fine but Positive Finds is still all over my browser

This is the first virus/spyware/adware I've gotten in years so I would like some assistance from you guys

Thanks

A:Infected with Positive Finds adware, already took some steps but still infected

Never mind all I had to do was reinstall Chrome and it's gone now


Computer started out with AVG detecting several resident shield viruses. Noticed ping.exe was using my entire system resources. Firefox was hijacked and started opening random pages. Shut computer down and rebooted into safe mode. Cannot do system restore, tried several restore points with no success. Ran AVG in safe mode, backdoor generic14.cbjj found and supposedly white listed as necessary. Ran Spybot S&D, couple of harmful entries found. Ran Malwarebytes in safe mode, trojan horse c:\windows\sytem32\Drivers\netbt.sys. Virus fsquirt.exe found and supposedly deleted. Now are booted into safe mode with no connectivity and still obvious that my computer is sick. Need help with how to get back online and get the tools to help me correct this virus. Got help from BC Advisor Broni as to tools to help get this started. Computer is now booted to regular mode and I have run the requested tools and am posting results as follows

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Cara Leigh at 15:40:52 on 2011-12-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1547 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs

A:Backdoor.Generic14.cbjj infected netbt.sys infected


Since today, my computer doesn't load the explorer anymore. I can still run it through Windows Task Manager though by running explorer.exe, but after it loads, my background has been changed to a message saying "WARNING! You're in Danger! Your computer is infected with Spyware! All you can do with computer is stored forever in your hard disk."
It also constantly badgers me with faulty anti-virus applications called "System Security."

Thank you very much for any help.

Update: I can't load up any applications or even task manager after explorer has started. An icon in the bottom right continues to state "Warning! Application cannot be executed. The file _______.exe is infected. Please activate your antivirus software."

A:Infected: WARNING! you're in danger! Your computer is infected with Spyware!

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Two days ago my computer got infected w/ Internet Security 2010. I did research online and found advice on threads to get rid of it by trying Malwarebytes Anti-Malware and it hasn't worked. I've run 4 full scans and each time it pops up with new infections. I have cut off all ties to the internet and have tried performing the "full scan" under safe mode but I still have the blue/green desktop w/ the "Your computer is infected" box in the middle of the desktop and the Internet Security 2010 Icon on the desktop. Now the pop-ups have stopped but how do I get rid of the icon and "box" in the middle of the desktop??? Please help, want to have my laptop back to normal!! :(

A:Infected w/ Internet Security 2010; tried Malwarebytes & still infected

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Directrdr has infected my computer. I run Firefox 3.5.3 and I cannot search with Google, Bing, or any other search engine that keep logs of my search history. Each time I use one of these search engines new tabs and/or new windows will open up to pages that I did not open myself. I can see the hxxp://www.directrdr.com . . . in the address bar and then it redirects to some other website that I did not authorize. I can use IXquick with few problems, it does not redirect to other pages, but sometimes new tabs will open anyway. When I run IE and try to navigate away from my homepage-MSN it redirects too. I have run Spybot, AVG, Malwarebytes, SDFix, and various others, tried cleaning in Safe Mode and I cannot get rid of this thing. Please help. Thank you for your time. I do not have a GMER file to attach because it keeps crashing. I tried to run it twice and each time it keeps stopping before it can complete its task, it will scan a few files and then stop. Error Message: gmer.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
DDS (Ver_10-03-17.01) - NTFSx86
Run by at 18:04:11.65 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.68 [GMT -5:00]
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-5...

A:Infected with directrdr browser hijacker?! Firefox & IE infected.


I was recently infected with a backdoor.trojan which Norton anti virus quarantined and I subsequently deleted it in Norton anti virus but I do not know if my system is clean or if it is still infected. I would be very grateful if someone could take a look at my log below. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:40, on 17/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:&...

A:Recently Infected With A Backdoor.trojan , Help Needed Please To See If Still Infected

Examples of older versions in Add or Remove Programs:
Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
**********************
You will need to use Internet Explorer for this scan. Disable your Norton Antiv...


Hi,
I have Dell Inspiron E1405 with Win XP SP3. For last 15 days I am infected with rootkit-agent.sys and tried every malware/antivirus/spyware tool suggested by "am i affected forum". Since the rootkit could not be fixed, I was advised to visit HJT forum. Need help.
I keep getting rootkit detected message by my AVG.
I am pasting DDS below and also attaching the "attach" file.
Regards
g10

**************

DDS (Ver_09-06-26.01) - NTFSx86
Run by first at 22:50:06.40 on Thu 07/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.372 [GMT 5.5:30]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe

A:infected with rootkit-agent.di ndis.sys file is infected


This is my first post!

It may be me just being paranoid, but around a month ago, I was on a Japanese import website looking at cars and it told me to download the latest version of flash player and I thought it was legitimate.

Anyway, I downloaded off a mirror link to find that when I ran it I had a fake police "lockdown" on my machine.

I managed to remove it once, but it reappeared. I then the second time logged off my PC but did not "force log off" and managed to get around the fake "lock down" the virus had made.

I have managed to remove all of the startup entries of the virus programs and all of the original files.

However, now my MSCONFIG thinks that my Norton 360 is disabled on startup, yet it starts up fine?

I had to re-enable all of the services on my PC to make sure everything was working, but now my computer takes minutes to boot up with all programs working, as opposed to before the virus I could load Norton instantly.

Any help would be great, I have done scans with Norton 360, Malware-Bytes and SpyBot Search and Destroy 2 since.

Thanks,
Stallzy.

A:Infected by Fake Police virus and removed, still think my PC is infected.


Hi, Rigel has been trying to help me, but has now suggested I post here instead. Unfortunately, he was unable to help me.
http://www.bleepingcomputer.com/forums/t/222246/infected-please-help/
Log created by WinPatrol version 15.5.2008.0:15.5.2008.0
Scan saved at 10:58:02 AM, on 5/18/2009
Platform: Windows Vista SP1 Home Edition Service Pack 1 (Build 6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\PROGRAM FILES\WINDOWS DEFENDER\MSASCui.exe
C:\PROGRAM FILES\SIS VGA UTILITIES\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\PROGRAM FILES\SPARE MESSAGING\MESSAGINGAPP.EXE
C:\Windows\V0380Mon.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRAM FILES\Creative\SHARED FILES\CTSched.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmpnscfg.exe
C:\PROGRAM FILES\INTERNET EXPLORER\ieuser.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\Windows\System32\Macromed\Flash\FLASHUTIL9F.EXE
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\WINDOWS LIVE\Contacts\wlcomm.exe
C:\PROGRAM FILES\COMMON FILES\Adobe\Updater5\ADOBEUPDATER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL...

A:Infected, unable to identify. Moved from Infected Forum.


Hi there! I'm infected with some very annoying trojan, I've previously run adaware, spybot search and destroy, avg free antivirus, avast. Some of these picked up the problem, but I'm still getting the "yourieprotect" homepage when I go on internet explorer. I have run everything as per this link: http://www.bleepingcomputer.com/forums/t/63896/how-to-remove-virusburst-removal-instructions/
This is my smit file:
smitRem © log file version 3.2 by noahdfear
Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Wed 11/29/2006
The current time is: 14:26:06.57
Running from
C:\Documents and Settings\Mourad\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appinitdll check ........ Thank you Grinler!
dumphive.exe ©2000-2004 Markus Stephany
REG...

A:I Am Also Infected With: Infected With W32/[email protected] A/k/a Zlob Trojan


Hello! I am posting because I have offered to clean up a computer for a coworker, and want to make sure I do a thorough job. So far, I have seen indications of at least 4 separate malware programs. The first was Antivirus 360, which I believe I deleted for the most part via manually removing the files and registry values. I have also seen VirusProtect 3.8 and 3.9, though I had no luck locating the files I was told to delete...so I am not sure if the infection is there or not. His computer already has "Verizon Internet Security" installed, and I used that for an initial scan to see what it found. I deleted what it found, though that was done in safe mode, before I deleted all the files manually for AV360. When I enable Verizon Internet Security, it pops up two warnings, which mention a file by the name of Trojan.Win32.Monderb.xgy, in the C:\WINDOWS\system32\ljJCvSiI.dll. I looked up that file, and saw it was connected with the "Vundo" virus...or something along those lines. His computer is not connected to the internet at the moment. I am using my laptop to access the net, and transferring files via a flash drive to his computer. I have scanned with DDS, and will provide the log. I also have HJT ready to run on his desktop, as well as ComboFix. Here is the DDS log:
DDS (Ver_09-01-19.01) - NTFSx86
Run by HP_Administrator at 16:34:39.23 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033...

A:Computer Infected/Possibly Infected With Various Malware

Hi, Your system is severely infected. I can see more malware present than anything else... Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution. So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused. In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts. Actually, this doesn't surprise me at all... From the log I see:
AV: Authentium Antivirus *On-access scanning enabled* (Outdated)
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Outdated)
FW: Verizon Internet Security Suite Firewall *disabled*
What's the point in having a security Suite / Antivirus present if it's outdated and disabled. Most probably the sub...


Hi!

I seem to have been infected with some particularly vicious malware..

I get a red bubble with a white 'x' on my taskbar. The message 'your computer is infected! Windows has detected a spyware infection! Click here to protect your computer with spyware!'

Anti - Vir is going nuts over it (It keeps on picking up trojans and worms) Malwarebytes' Anti-Malware can't get rid of it, and neither can spybot. It has turned off Windows firewall and won't let me turn it back on.

I use Windows XP, have automatic updates turned on, am running SP2 and update Antivir, Spybot and Malwarebytes' Anti-Malware regularly.

It won't let me run ad-aware or spybot.

If you require any further information, let me know!

Rob

DDS (Ver_09-07-30.01) - NTFSx86
Run by admin at 11:14:16.37 on 02/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.453 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe


Hi all, sent here by Broni for elevated help.  Basically, to summarize, I got a worm possibly through a vulnerability in Flash and from an infected ad (I've only browsed legit websites and I have McAfee SiteAdvisor) and as is typical of people who have the worm, I can't remove it.  Apparently, it's infected my MBR and I was told to run DDS.

Here's DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.21.2
Run by Daniel at 18:10:34 on 2013-05-25
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4093.1324 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe

A:Infected MBR; Infected with MSIL/Necast.D worm


Looking for help to remove this dastardly thing / Been several days on it.

I.E. icon shows a lot of activity in system tray

DDS Log below and Attach.txt, Attach.zip and Ark.txt attached also

DDS (Ver_10-10-21.02) - NTFSx86
Run by Mike at 16:05:53.54 on Sat 10/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.434 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe

A:Infected with TDL4 Rootkit - MBR Possibly Infected

Hi there,

I see you've run ComboFix....could you please post the report from it? Also, I see Geek Squad got you...or are you them???? I'd like to know if anything else was done is why I ask.

Download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
If Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea

10 more replies

Posted about my main box and my Vista spare part box.. this is to figure out what's up with one of three laptops that were all on a router together... This laptop crashed after getting the infection; I recovered via the hard drive Acer setup. No optical drive installed; this is one of two Acer netbooks we use in our family. Thought I reinstalled everything. I believe a rootkit of some sort has ahold of this laptop... settings change on their own, CPU usage is about 50% when just sitting idle from a user standpoint.

Please let me know what logs to provide.. Thanks again to all that have helped thus far and continue to be a great support.

btw: this laptop is an acer aspire one with win xp..

A:My laptop is infected... part of a group of pc's infected

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete tab follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download a...

32 more replies

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:36 μμ, on 26/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Creative\Sound Blaster X-Fi Surround 5.1\Console Launcher\CTAPR2.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Pr...

A:Infected with a virus that causes NOD32 to remove any .exe that is not infected

2 more replies

hi

A:Steam infected with Adware (Chrome also was infected)

This topic will be closed due to presence of pirated content.

Piracy policy

1 more replies

Here is my DDS log. Right now my desktop is pure white and I can't set a background image. Also I have a red X showing up in the tray saying "Your Computer is Infected - Click Here to Remove"

DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Administrator at 14:46:59.31 on Tue 02/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.606 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090210-0] *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe

Forgot to mention when I use google in Firefox, I have to open the link 6 or 7 times before it actually brings me to the link, other times it is redirected to a number of sites.

12 more replies

I am finding increasingly more machines where antivirus can't seem to disinfect a machine, even with the latest definitions.

Is there a solution for this?

What is everyone else doing to cope with this problem?

I used to be able to disinfect an infected machine and really get it out. Now, after disinfection, I frequently see new alerts within just a few minutes for viruses that I know are included in the virus definition file.

Case in Point: I went on a service call today and found a dozen different viruses in over a hundred different files spread over an eight-computer LAN. After two and a quarter hours of defeat after defeat, I loaded up the entire network, router and all, and brought it back to my shop. This is a drastic step; but, I gotta' know for sure that they are clean when they go back and this is the only way I know to do it with certainty.

I have always been told that one should not run two antivirus programs at once. I'm now doubting one program can do it. Maybe two can't either; but, I am seeing situations where I believe two is better than one.

NTFS has only made it more difficult. I frequently have to remove an NTFS drive and connect it to a known-clean machine to remove viruses. But, that leaves all the virus-related lines in the registry of the non-active but supposedly disinfected drive.

Anyone have any suggestions how one can do a sure-clean on an infected NTFS machine without going to such drastic steps?

There's got to be a ...

A:Infected, cleaned, still infected--can antivirus disinfect it any more?

7 more replies

Referred here from: http://www.bleepingcomputer.com/forums/t/218785/i-think-i-have-a-keylogger-problem/ ~ OB

Hello there. I first posted on "Am I Infected" because I had a keylogger problem. That was solved, but apparently the member working with me said I was still infected which was the reason my computer slowed down in the past couple of weeks. He said he couldn't find the AntiVirusSentry file with all the MAMB and SAS scans I did after getting rid of my other problems, so he sent me here. I know my computer is slow, only have 512 of RAM and some of my drivers and BIOS need updates, but it's never been this slow. Sometimes while opening a new window, the internet freezes (quite often lately), and sometimes I have to shut them down by using CTRL+ALT+DEL. Other times an error message about runtime appears and says the window has to be closed. I've read it was a problem with the latest Adobe, but I dunno. I just know it's painfully slow at the moment. Please help me.

DDS (Ver_09-03-16.01) - FAT32x86
Run by Andr? Caetano at 17:21:17,58 on 18-04-2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.351.2070.18.1014.418 [GMT 1:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scan...

A:I'm infected - "am I infected" couldnt solve the problem

Should I post a new log? A member told me after I post a log I shouldn't change anything but I did check the disk for errors and I defragmented the disk. Not sure if that affects anything?

59 more replies

Hello computer gods,

I'm hoping you can fix my problem. I've been infected with drsmartload, and I ran smitfraudfix. It said that it cleaned it up but it's still popping up as infected and I'm getting ridiculous adware and project 1 boxes. I will post my "hijack log" and hopefully this is the right forum; if not please redirect me. I'm looking forward to getting rid of this "Freakin" thing.

Cheers
M

SmitFraudFix v2.109
Scan done at 20:14:36.00, Tue 10/10/2006
Run from C:\Documents and Settings\Magg\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

???????????????????????? Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

???????????????????????? Killing process

???????????????????????? Generic Renos Fix
GenericRenosFix by S!Ri

???????????????????????? Deleting infected files
C:\drsmartload?.exe Deleted
C:\WINDOWS\keyboard1.dat Deleted
C:\WINDOWS\newname.dat Deleted
C:\WINDOWS\teller2.chk Deleted

???????????????????????? Deleting Temp Files

???????????????????????? Registry Cleaning
Registry Cleaning done.

???????????????????????? After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

???????????????????????? End

A:Infected With Drsmartload Used Smitfraudfix Still Infected

2 more replies

I have a badly infected computer that I would like to make a copy of the whole system to mail to one of the av/am vendors. I think it has some new variants on it.

Can the drive itself become infected so that I may not be able to trust that anything else I create with this drive will not be also infected?

While this drive is not really expensive I do not really have the finances to casually replace it.

A:Can a USB Cd/rom be infected plugging into a infected system

Hello dannyboy950:

If your computer is badly infected, then backing up the system will just copy the infections to any backup DVDs, which you obviously know.  I don't think you need to worry too much about your external DVD drive being infected, per se.  That would only happen if one or more of the infections could compromise the DVD firmware or the USB driver(s).

You should be aware though that many variants of viruses and malware will disable the Windows Volume Snapshot Service (VSS) which will prevent the creation of backups and system restore points.

My advice would be to follow the directions here and submit a Farbar Recovery and Scan Tool (FRST) log to the trained Bleeping Computer Malware Response Team members in the Virus/Trojan/Spyware and Malware Removal Logs Forum.

You should be aware that the anti-malware response community shares their information with other anti-malware/virus vendors and experts. If you have been infected with zero-day malware and/or viruses, that information will be shared with those concerned. Importantly, we need to restore your computer to full functionality, so I do recommend that you get it "disinfected" here.

I hope this is of some help.  Forum rules prohibit the posting of FRST logs in this particular Forum - they are only dealt with in the Forum I mentioned.  I am still in training, so I won't be able to assist you in the other Forum.

Have a great day.

5 more replies

Hi,

My computer is infected with some kind of virus. One of the many, at least it seems like there is. The serious one creates an Internet Gateway at LAN Controller bootup. I cannot disable the Internet Gateway directly but I can disable the LAN Controller (Local Area Connection) then it disappears. The second I enable the LAN Controller the Gateway gets connected again.

Additionally, it seems I have over 70 processes running at any given time, if that helps. Dell tells me the only thing I can do is to reformat. Please Help, I would rather not like to format my system.

I am sure you will find more than just that after reviewing the HijackThis Log file.

===================

Logfile of HijackThis v1.99.1
Scan saved at 10:36:50 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

After you have restarted, wait for HijackThis to launch automatically.
With HiJackThis & place a check next to these items and select "Fix checked":

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O16 - DPF: {B49C4597-8721-4789-9250...

6 more replies

When Windows loads, the "performance monitor" component for the optimizer pro virus claims that 375 items need to be cleaned and optimized. Closing it out does not reactivate it. McAfee also frequently pops up, preventing unwanted software from running. Below is a copy paste of frst.txt and attached is the addition.txt file. Thank you.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-08-2015
Ran by teacher (administrator) on RM305-PC (28-08-2015 01:27:23)
Running from E:\
Loaded Profiles: teacher (Available Profiles: Rm305 & teacher)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Nalpeiron Ltd.) C:\Windows\SysWOW64\ASTSRV.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(SMART Technologies) C:\Program Files (x86)\SMART Technologies\Education Software\SMARTHelpe...

A:Infected with Optimizer Pro and pop says I am infected with viruses

0 more replies

I too was recently infected with XP Security Tool 2010 and I used the fix described on BC. I installed Malwarebytes and FixExe.reg. This seemed to get rid of the problem. But very soon after each time I clicked on any link on Google on Firefox or Internet Explorer I am redirected to seemingly random advertisement websites. I also use Avira Antivirus protection and it pops up saying: HTML/Infected.WebPage.Gen in file C:\Documents and Settings\Network Service\...\2[1].php. If I catch the Avira popup and click remove it will Quarantine. However within 2 to 6 hours it returns.

Have copied and pasted DDS.txt log, gmer.txt log, OTL.txt log, Systemlook.txt log and TDSKiller.txt log. Also attached the attach.txt file and gmer(ark) txt file. Sorry, did not untick the IAT/EAT box in gmer. Those are the logs myrti requested from toomuchpoison.

Hope I didn't overdo it.

Thanks,
Majazzle

DDS.txt log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 16:47:53.63 on Thu 04/29/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft? Windows Vista? Home Basic 6.0.6002.2.1252.1.1033.18.1915.1050 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\...

A:Infected with HTML/Infected.WebPage.Gen

26 more replies

Today, I used a pendrive of a friend on my computer, I had auto folder open on. the folder opened and later to find nothing on the pendrive but only a E:\ folder inside the pendrive, then when i clicked hidden items viewable, i saw the pendrive logo I went inside transferred my important document since it needed an immediate printing. My computer has turned very slow following that and there are various hidden documents now on my desktop like $w_microsoft.docx which are of names of files i had deleted long ago and several other files which i had created and used long back but never used in the near history. Please help me fix this , remove the virus and get back to my old computer speed. Thanks alot for help in advance ----FRST LOG------- Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:06-05-2016 Ran by ASRLAPTOP (administrator) on DEEPAK (05-05-2016 18:57:15) Running from C:\Users\ASRLAPTOP\Downloads Loaded Profiles: ASRLAPTOP & Administrator & Guest (Available Profiles: ASRLAPTOP & Administrator & Guest) Platform: Windows 10 Home Single Language Version 1511 (X64) Language: English (United States) Internet Explorer Version 11 (Default browser: Chrome) Boot Mode: Normal Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/ ==================== Processes (Whitelisted) ================= (If an entr... Read more A:I think i have been infected by a worm from using an infected pendrive, need hel Hello imdeepster I am Marie Curie and will gladly help you with any malware-related problems.Please familiarize yourself with the following ground rules before you start.Read my instructions thoroughly, carry out each step in the given order.Do not make any changes to your system, or run any tools other than those I provided. 
Do not delete, fix, uninstall, or install anything unless I tell you to.If you are unsure about anything or if you encounter any problems, please stop and inform me about it.Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.Back up important files before we start.-------------------------------------------------------------- Please read the following warnings before you proceed. ComboFix Warning------------------------------ I see you have run ComboFix, a powerful first-responder malware removal tool, designed to remove some of the toughest malware; including bootkits, rootkits and backdoors. As stated in the disclaimer, the tool should not be used by someone untrained in its usage. Doing so may cause unforeseen circumstances, and could render your machine unbootable. For more information on why you should not run ComboFix without supervision, please read the following article.Backdoor Warning------------------------------ One or more of the identified malware is known to use a backdoor, that allows attackers to ... Read more 9 more replies Answer Match 24.36% I'm not sure what caused this as I didn't do anything out of the ordinary with my computer yesterday, but when I opened up itunes a message popped up from my anti-virus avg saying there were infected files in itunes by a trojan. I then clicked to heal them and when I tried opening up itunes it wouldn't let me because some files were missing so it wouldn't start. I figured something was wrong so I started scanning my computer to see what I could find. First I used Malwarebytes' anti-malware and that didn't find any infections, then I scanned it with avg and that found over 500 infections, not all of them were serious ones but some of them were trojans with itunes files. This morning I tried uninstalling and then reinstalling itunes thinking that might solve the problem, but it didn't work and itunes still won't start. 
I hope someone can help me solve this problem as I am not the best when it comes to computers. If you need anymore info please just ask. DDS (Ver_09-06-26.01) - NTFSx86 Run by Zac at 7:40:37.82 on Sat 07/25/2009 Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.388 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe... Read more A:Trojan infected itunes may have infected more Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed.Use the 'Add Reply' and add the new log to this thread.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scan:Download DDS by sUBs from one of the following links. 
Save it to your desktop.DDS.scrDDS.pifDouble click on the DDS icon, allow it to run.A small box will open, with an explaination about the tool. No input is needed, the scan is running.Notepad will open with the results.Foll... Read more 2 more replies Answer Match 24.36% Hi I've had a few viruses named HTML/Infected.WebPage.Gen recently and I would normally be able to remove them myself using hijack this. But unfortunately hijack this isn't working for me and is coming up with an error. My anti virus is finding the viruses and I am removing them with the anti virus but they keep coming back.As soon as I click hijack this this message appears:For some reason your system denied write access to the Hosts file.If any hijacked domains are in this file, HijackThis may NOT be able to fix this.If that happens, you need to edit the file yourself. To do this, click Start, Run and type: Notepad ?C:\Windows\System32\drivers\etc\hosts?And press Enter. Find the line(s) HijackThis reports and delete them.Save the file as ?hosts.? (with quotes), and reboot.I have tried to do as it says above but another error message tells me that i am unable to save the file.I then clcik "OK" and then this error message appears:An unexpected error has occurred at procedure:ModMain_CheckOther1Item()Error#75 ? Path/File access errorPlease email me at [email protected], reporting the following:*What you were trying to fix when the error occurred, if applicable*How you can reproduce the error*A complete HijackThis scan log, if possibleIt then produces the Hijack scan, so then I proceeded to fix the files that I think may need fixing which are these files:BHO: thesuperads search enhancer: {b2fe5f61-3eb4-4e22-7c84-f52993635f52} - c:\wi... 
Read more A:Infected with HTML/Infected.WebPage.Gen Ok after reviewing the DDS log I now have removed the virus lol but I still haven't worked out what's wrong with my hijackThis?===========Hello While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.We ask that once you have posted your log and are waiting, pl... 
Read more 3 more replies Answer Match 24.36% Logfile of HijackThis v1.99.1Scan saved at 4:53:51 AM, on 01/04/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16414)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\PC Tools AntiVirus\PCTAVSvc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Opera\Opera.exeC:\Program Files\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [VTTi... Read more A:Was Or Is Infected Infected With Torpig.c.trojan (or The Like) 1. Download this file - combofix.exe2. Double click combofix.exe & follow the prompts.3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.Note:Do not mouseclick combofix's window whilst it's running. That may cause it to stall. 
49 more replies Answer Match 24.36% heyy guys, okayy so about a month ago a trojan managed to get onto my netbook and i scanned with malwarebyte antimalware and super antispyware in safe mode which seemed to fix is for the most part, but im still getting some problems and avast, mbam and superantispyware are all coming up clean. the worst thing is my internet just cutting out after about 40 minutes of use, wireless zero configuration turns itself off and will not turn on and one of the svchosts using way too much memory and cpu, but i cant turn it off because that just messes up my netbook. soo yeah some help would be great cuz this is really getting on my nerves. More replies Answer Match 24.36% Every 10 minutes or so, a red pop up box appears saying my computer is infected and asks if I would like to remove - it is called PC Security Guardian. Then a minimized window opens and says "PC Guardian has detected suspicious software - click to remove." There was no data from the GMER scan, so the ARK.txt log will not attach. DDS.txt Log: . DDS (Ver_2011-06-03.01) - NTFSAMD64 Internet Explorer: 8.0.7600.16385 Run by Dunigan at 18:50:36 on 2011-06-08 Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2739 [GMT -5:00] . AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855} SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8} FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E} . ============== Running Processes =============== . 
C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\nvvsvc.exe C:\Windows\system32\svchost.exe -k RPCSS C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k LocalService C:\Windows\syst... Read more A:Infected with a pop ups saying computer is infected followed by a pig squeel Hello rallysport1992 ,Please download Malwarebytes Anti-Malware and save it to your desktop.Download Link 1Download Link 2MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.Make sure you are connected to the Internet.Double-click on mbam-setup.exe to install the application. For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.When the installation begins, follow the prompts and do not make any changes to default settings.When installation has finished, make sure you leave both of these checked:Update Malwarebytes' Anti-MalwareLaunch Malwarebytes' Anti-MalwareThen click Finish.MBAM will automatically start and you will be asked to update the program before performing a scan.If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.On the Scanner tab:Make sure the "Perform Quick Scan" option is selected.Then click on the Scan button.If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.The scan will begin and "Scan ... 
4 more replies

Hi, I have tried a few different anti virus downloads to try and rid my computer of the virus to no avail. Even purchased one which I know now was also a fake. Please help. Rick

Rootrepeal_report_08_30_09__20_35_13_.txt 5.08KB 2 downloads

A:Infected with Fake virus infected pop ups

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

2 more replies

Let the ol' lady use my PC and ends up getting a 'HTML/Infected.WebPage.Gen' notification from AVIRA.
Every time she hits her blogs on IE it ends in bad news. Here is the DDS log. Not sure if I require the Kaspersky scan. I don't have it but will see what you guys say first. Hope this helps. Please advise. Your assistance in this matter is greatly appreciated.

DDS (Version 1.1.0) - NTFSx86
Run by ALAN WONG at 21:12:00.89 on Tue 12/23/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.438 [GMT -8:00]
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Pr...

A:Infected with HTML/Infected.WebPage.Gen

Hi, sorry for the delay in getting back to you.
If you still need help, please do next:
Click here to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.
Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post me it in your next reply.

1 more replies

I believe I have an infection. When I open my Internet Explorer and browse the internet, after a bit of time a new IE browser window pops up with various ads, virus protection offers, google things etc. It happens every so often.
I have tried Malwarebytes, and it did not find the virus. Other virus removal tools have indicated the following is infected:
fsvga.sys
The anti virus tools do say they fix it, but it gets infected again afterwards.
I have seen the following message:
Infected copy of c:\windows\system32\drivers\fsvga.sys was found and disinfected Restored copy from - Kitty had a snack
And it continues to be infected.
According to GMER, as I'm sure you will notice, it does show the following:
C:\WINDOWS\system32\DRIVERS\fsvga.sys suspicious modification
C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
I have followed your instructions on posting virus removal help request, and the requested files have been attached. Here is also the DDS as follows. Thank you for your help in advance on this matter:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Joel at 14:48:26.03 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1482 [GMT -5:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\W...

A:Infected With Unknown - Infected fsvga.sys

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such.
I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if your topic is not replied to I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless ...

11 more replies

Bit of a weird 1. Turned on my machine today, went to the toilet and came back and Avast was asking to restart my computer and do a full scan from boot up. I said yes but cancelled it because it was taking too long. I go look in virus chest and I noticed that tier0_s.dll from my steam folder is sitting in there, and that it was transferred in there today. But where it says "Virus description", it says "--no virus--" What does this mean? Is it some kind of false positive? Did I screw things up by cancelling the scan?

A:Avast says I have an infected file...which isn't infected

O.k, bit of research and looking on the Avast forums and it looks like it's a false positive

2 more replies

Hi, My friend brought me her HP laptop a few weeks ago because it had a virus. I saw Security Suite stuff pop up all over, and you couldn't run ANYTHING, so I used the instructions on this site to get rid of it. I thought it was gone but she brought her computer back to me a couple of weeks ago because she was getting popups again. Btw, she actually paid the security suite site thingy 80$.
I'm having her go through the steps to get her money back for that now.
So I rescanned with AVG and malwarebytes and it didn't come up with anything. I kept the computer for a few days and used it like normal but got no popups so I gave it back to her. So about a week ago she gave me back the computer as the IE would not work. So I scanned it again and both malwarebytes and AVG came up with a couple of things and got rid of them.
So now I'd like to see if the computer really is clean.
Also, I'd like to know what she needs on here to keep the computer clean?? She scans with both AVG and malwarebytes but I'm not sure that is enough if she keeps thinking she's getting infected. I know she does a lot of facebook apps.

Also, this computer absolutely refuses to scan gmer. The first time I downloaded and ran it it scanned for about an hour then spontaneously the computer shut down. I didn't see any messages because I wasn't paying attention to it when it shut down. So the next day (today) I tried to scan again and it stopped very close to the ...

A:Was infected with security suite, re infected?

Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!

19 more replies

A:Infected Wih Html/infected.webpage.gen

Hello Braco and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately and. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,
Johannes

1 more replies

I'm at the end of my rope here. A "friend" gave me her computer to clean up. The thing was so full of malware it was unbelievable. I've got most of it, but there is this one nasty bit of adware "Cool Web Search" that remains... I've tried running the latest versions of Ad aware, Spybot, and CWShredder. They seem to find and remove the cool web stuff, but when I shut down and start up again, it's back. I've gone to the trend micro site, but I keep getting a .dll error when I start downloading the definition files.

When I shut down, the machine hangs and tells me that it is waiting for a response from "Win Min".

It also occasionally freezes on startup, leaving me with a blue screen and a mouse pointer stuck in the middle. (This seems to be mitigated somewhat if I move the mouse around during startup!)

The log file from this machine is as follows.

Logfile of HijackThis v1.99.1
Scan saved at 10:03:03 PM, on 25/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

A:Infected Windows Me PC Hangs on Shutdown - "Win Min" infected with Cool Web Search

Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.

Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run CWShredder (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.

How to install and run CWShredder

Choose the stand alone version. This is free.
Save cwshredder.exe into its own directory, NOT in a TEMPorary folder or on the DESKTOP.

15 more replies

Hi
As my title suggests my bro's laptop has this annoying infection.
I have Avira like my logs will say and the infection seems to be in a firefox profile. (Can I reinstall Firefox to fix my problem?)
I use Firefox but my brother IE 8 (and so IE is default).
At random times and when connected to Internet, a popup appears with usually
the X button in corner and it will go for a variable amount of time.
Avira btw cannot get rid of it and in fact does not even find it after scanning with maximum options.
This also happens sometimes much rare tho: A message appears telling I have an infected computer and wants me to press OK and scan using IE. I click X and once it opened IE with scanning screen. I click X ASAP.

One more issue: Firefox sometimes will say "Firefox has stopped working.."
and that it will close. Right away a balloon pops up in tray telling me the browser was closed to protect me from Data Execution Prevention.

Avira sometimes at random times pops up saying Virus or unwanted program was found, right? It asks me what to do with this file.
Move to quarantine
Delete
Overwrite and delete
Rename
Deny access
Ignore

I usually picked delete or deny access
It found the virus in this file:
C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\jfyfitzg.default\Cache\34F11269d01

I understand I have Limewire. My brother uses it...

A:[SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus

16 more replies

Here are a few things that may be relevant to the problem:

1) Computer unable to access certain websites. (Ex: yahoo, facebook, etc.)
2) I did a scan and my computer is supposedly infected with "zlob" and "adware.IpWins"
3) My computer is running significantly slower than a few weeks ago.
4) Tons of random pop-ups that I did not have a few weeks ago.
5) Full system Scanned with Lavasoft's Ad-Aware but problem persists.

Here is my HJT log:
--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:18 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG...

A:Computer infected with spyware. Infected with "Zlob"?

11 more replies

Hi I have posted to this site and have received great help and I am now suffering some issues again. After I received help last time everything was ok and then I started having problems so I just switched hard drives. I am now back on my hard drive and reset it up but now I think my computer is infected again. I have not downloaded any torrents files which was my problem last time. I installed Antivirus and Zone Alarm before going on the Internet and have made sure to only download from CNET as far as I can remember. I don't know what I'm doing wrong to keep getting infected, if in fact I am. So because I had received help previously with most of the same issues and with the advice of dell customer service I ran combofix. Here is that log. I have WindowsXP, Dell Dimension 3000, Avast Antivirus, ZoneAlarm. If this is the wrong place to post this could you please point me in the right direction. Thank you so much for your help.

ComboFix 10-08-24.0A - Owner 08/25/2010 2:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.670 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\1pdfdec.dll
c:\program files\Common Files\Temp
c:\program files\Common Files\Temp\Love's Power Mahjong SETUP....

A:Still Infected/Re-Infected, Combo Log

7 more replies

I think my computer is on a couple different botnets, and i wouldn't be surprised to see other viruses =/
Any help would be greatly appreciated.
Edit; sorry, i didn't see the rule of what virus i had was supposed to go into the title until it was too late

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:11 PM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files&#...

A:Desktop infected/ Infected with a bot

20 more replies

My laptop got infected and I've slowly been able to clear most of viruses out of the system. Each time I clear something out, something else shows up the minute I try to get online. The last scans I've done haven't picked up anything else but I'm still getting redirected to other sites every time I try to perform a search on the internet. I don't know how to find what's causing it now.
hijackthis.log   11.51KB
0 downloads

Help please!!!

Tried running scans again, still showing clean but I got this message from norton, "An intrusion attempt by wwww.angrye.in was blocked" After I did the scan I went online to test out to see if I was still getting hijacked, that's how this message popped up. It also said, "The attack was resulted from \DEVICE\HARDDISKVOLUMNE2\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" Help!!!

EDIT: Posts merged ~Budapest

A:Infected,Removed and still Infected

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

2 more replies

hello ,
i was infected by virusburst and i did lots of instructions to solve my problem, I used malwarebytes anti malware and it cleaned all infected files but now my problem is the internet explorer still not working and even starting any more,
and in mycomputer each folder opens in its own window even in options it's marked to open in the same window
but i don't see any fake alert any more ,
I'm using windows vista and now opera browser,each browser that i marked as default browser stopped working(internet explorer and mozilla ) ,
i dont know which kind of log i should post here so i wait for your requests.
i just wanna know if i'm still infected and what should I do ???
thank you for helping me !!

A:I Was Infected By Virusburst.am I Still Infected ?

1 more replies

I recently replaced my old desktop with a new desktop and when I made the switch the old computer was infected... here was the thread
http://www.bleepingcomputer.com/forums/t/615738/flashplayerexe-virus/

My new desktop attempted to download the flashplayer.exe file but was stopped by chrome. However, there was a file (crownload something or other and malwarebytes did remove this file.

Today on the new desktop, I had a popup that said URGENT CHROME UPDATE.  I immediately hit ALT F4 to close out chrome.  The fact this popped up makes me suspicious that something is still not right or this computer is infected.

Any help is appreciated.

More replies

Hi, this is my first time posting here.

I'm running Windows XP Pro SP2, and my computer has a virus that, at first, was giving me a tool-tip-like message from the system tray saying "Your computer is infected! ..." and something about installing a scam antivirus program. I've done a lot of searching for this issue and have seen many cases of it. Posts on other forums offered specialized programs like "Smitfraudfix.exe" and others that I was unable to get to work.

I've updated my Java (which stopped the annoying "Your computer is infected!" popup), removed my Temporary Internet Files, and run Avast! and Avira every time I restart my computer, but each time there seems to be malware that needs removed. Can someone please help me clean this virus / trojan off of my machine completely?

Thank you for your time, here is a HJT log from the time of this post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:53 PM, on 9/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

A:"Your computer is infected!" Popup message. Computer infected with Trojan

16 more replies

A:Help! I'm Infected!

2 more replies

Hello

there a weird issue with a  machine we have in the office

the folder :

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5

is getting filled up, is it normal or it's a sign of virus?

Thanks

A:Maybe infected

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
It's probably normal. This scan will clean the IE Cache.
Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.
Download Zoek tool from here
When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)
Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.
When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Please attach the zoek-results.log in your reply.
Also, please provide an update on how the computer is behaving after running the above script.
===
p.s.
The Temporary internet cache can be cleaned when you close the browser.
Tools menu > Internet options > Advanced tab
Under the Security pane
Enable the "Empty the Temporary Internet Files folder when browser is closed".
===

20 more replies

Hi Thanks for the help.
Firefox browser keeps getting redirected. Can't go to Anti-Spyware sites. Can't Run Malwarebytes, Ad-aware or Spybot even after renaming.
Managed to run Vundofix but it did not find anything.
Here is my log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:57 PM, on 1/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Print Server\PTP\PSDiagnostic.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS...

A:Not sure what I am infected with

10 more replies

Hello, i'm not sure if i'm infected or not, but i'm a bit worried i might be, because lately i had to turn to the more hostile corners of internet.
First i noticed that one of my virtual machines (VirtualBox) tried to connect to the internet through the Notepad, so i decided to reformat my main machine, cause it needed a reinstall anyway. But today after a week things are a bit strange (i kept the probably infected virtual machine (i don't move files in between them) to see what happens and today my main machine at startup connects to the same ip as the virtual machine's Notepad did), my firewalls (comodo has problems to start up, netlimiter won't notice throughgoing traffic at all (used to with no problem) and rubboted service also sometimes has some startup issues.) and antivirus (avira acts as it is there, but i don't know about that) act very strange (for years of using them i had no such troubles with them).
I also ran 3 vendor-different rescue CDs, but they did not pick up anything. Atm i'm running the spybot S&D adware to scan, so far (almost finished) it only picked up one registry change of IE (which might not be it).
I might be all wrong in the assumption that i'm infected, cause my pc is kinda older and until it "heats up" (takes 5 min/5 restarts (restart button)) it crashes (BSOD), and also cause i'm always very careful about all that i do, but still i can't be sure for sure as i usually am and i think i might go...

A:Not sure if infected, HJT log

2 more replies

Well my computer seems a bit slower than a while ago.
Also, a week ago, while reading manga, my browser suddenly changed to some YOUR PC IS INFECTED page. Something about Windows Defender or something along those lines. It hasn't happened again, but I'm still worried.
I used to use ESET antivirus, but it ran out and i got Avast Free in the beginning of March.
Is there any good scan tools i should use to check for viruses/keyloggers?
I'm asking cause I use a credit card now and then, and this is my sole computer. I haven't used a credit card on it for a couple of months, but my private info might be stolen, please help?

A:Not sure if i'm infected?

1 more replies

Hi, I think my computer is quite infected. Firstly when i log on to my user account it takes a long time for the log in music to play and if i try and do anything before the music the computer freezes and has to be turned off at the wall.
System restore will not come up, a message comes up saying that it needs to be done by a computer administrator which is me. Lastly my firefox start will not come up but I can still use other websites off the browser.

Any help would be greatly appreciated
Thanks
bob

ETA when system restore is brought up the message reads 'system restore has been turned off by group policy. to turn on system restore contact your domain administrator.

also when I try to go to certain websites, mainly via search engines its redirected to spam pages.

Thanks

More replies

I'm trying to help my mother fix her laptop. Her OS is Windows Vista. When I start up the laptop not only does it take forever to load up, it won't open up any applications when clicked on. It will take several minutes before an application opens. As of recently it has also lost internet connectivity for no reason. I'm on a separate laptop posting this topic so if I need to download anything please tell me. Thank you in advance

A:I'm infected...but I don't kow with what...

3 more replies

My computer went into safe mode and i can't get it out! what do i do?

A:am infected

Hello

How did it get there ? thru msconfig or using an F8 method.
Is this an XP,Vista etc... machine?

1 more replies

A:Am i infected?

1 more replies

Hello,

When I am browsing in Internet Explorer, I get this annoying page with a red background which advises me that the web site I am trying to access is unsafe, and I should go back to the home page. The sites that I am trying to access are trusted sites e.g microsoft.com.

I have tried to get rid of it by going to the microsoft site and down loading the latest updates, performing full scan etc.

I paid $29.99 to Uniblue for their Registry Booster - but it could not get rid of the red page/screen message. There are many products on the market which provide free scan, but want you to buy their package before they clean the virus. They inform me that my computer is infected and needs to be cleaned up. At this point, I don't mind paying another $30 to get rid of the problem, but I am not sure if any of these packages will be able to solve the problem. How many should I buy or which one, and one which will clear up the problem.

Thank you very much.
nashnn

A:Am I also infected?

Hello, let's do these first.. all free.

First run Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

1 more replies

hey guys, having a problem on my laptop. running windows xp and whenever i start my computer i get error messages that mcshield is missing pieces of itself. if i hit ok it will continue to pop up unless i delete it from task manager. Then about a minute after those errors pop up my desktop goes into the white screen where it asks to recover your background. My computer runs extremely slow in the first 5-10 minutes. Also any time i put it in hibernate, when the bar for resuming windows goes all the way, the computer shuts off and turns back on and i can't go back and must restart my computer all over again. here's a picture!

More replies

Hello, and sorry for my bad English. My PC is running slowly.

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 05.8.2014 г. 05:32:02
System Uptime: 07.1.2015 г. 20:01:52 (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. |  | P5KPL-AM SE
Processor: Intel® Celeron® CPU        E3300  @ 2.50GHz | Socket 775 | 2520/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 55 GiB total, 26,472 GiB free.
D: is FIXED (NTFS) - 49 GiB total, 28,925 GiB free.
E: is FIXED (NTFS) - 15 GiB total, 1,226 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID:
Description:
Device ID: ACPI\ATK0110\1010110
Manufacturer:
Name:
PNP Device ID: ACPI\ATK0110\1010110
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN Client Adapter - VPN
Device ID: ROOT\NET\0000
Manufacturer: SoftEther VPN Project
Name: VPN Client Adapter - VPN
PNP Device ID: ROOT\NET\0000
Service: Neo_VPN
.
==== System Restore Points ===================
.
RP80: 17.12.2014 г. 14:54:24 - System Checkpoint
RP81: 19.12.2014 г. 02:29:50 - System Checkpoint
RP82: 20.12.2014 г. 02:43:07 - System Checkpoint
RP83: 28.12.2014 г. 18:21:44 - System Checkpoint

A:I think I am infected

Hey my friend,

My name is Machiavelli and I will assist you with your problem. The fixes are specific to your problem and should only be used for the issue on your machine!

I'm in the 'Malware Staff Team' and will provide you with advice:
To remove Malware on a computer can be very complicated. Malware (malicious software) is able to hide and so I may not be able to find it so easily. In order to remove Malware from your computer, you need to follow my instructions carefully. Don't be worried if you don't know what to do. Just ask me! Please stay in contact with me until the problem is fixed.

Below are a few tips:
Removing Malware is usually very difficult. We need to search and analyse a lot of files. As this is done in our free time, please be patient, especially if I don't answer every day!
Please follow these instructions.
If you don't follow the instructions your computer may crash. If you fix your PC by yourself, this can be v... Read more

26 more replies

Basically the computer takes like 10 min. to open anything and the laptop is only 1 and 1/2 years old. It cannot get on the internet, as in it won't open it up; no problems with the NIC card or wireless or firewalls or anything like that. This computer is pretty messed up, hoping you guys can help.
DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by costco at 1:51:01.18 on Sat 01/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1774 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Documents and Settings\costco\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pa... Read more

A:Infected-not sure what

7 more replies

I think my PC has been infected by a virus, as my PC speed has reduced considerably and also some programs aren't running properly. I have original Windows XP SP3 and Norton Antivirus 2009. Recently I took some data from my friend's pen drive which had almost 6-7 viruses. Though Norton detected them and removed them, I still feel that 1 or 2 viruses might be hiding in my PC. So I request you to help me!!!!!

Ravi!!!

A:Am I Infected?

Scan for Spyware/Adware
Malwarebytes' Anti-Malware a.k.a. MBAM - Download Free Version - Homepage
Why? Malwarebytes' Anti-Malware is very good at removing the zlob trojan, virtumonde, and most other current infections. This single tool has replaced multiple tools that have been required in the past.
1. Double-click mbam-setup.exe and follow the prompts to install the program.
2. At the end, confirm a check mark is placed next to the following:
   - Update Malwarebytes' Anti-Malware
   - Launch Malwarebytes' Anti-Malware
3. Then click Finish.
4. If an update is found, it will download and install the latest version.
5. Once the program has loaded, select Perform quick scan, then click Scan.
6. When the scan is complete, click OK, then Show Results to view the results.
7. Be sure that everything is checked, and click Remove Selected.
8. When completed, a log will open in Notepad. The rogue application should now be gone.
Note: Some infections will prevent MBAM from running. If MBAM won't run, try renaming the file mbam-setup.exe to a random name, and then try again.
Note: Reinstall MBAM if you installed and ran a scan in safe mode. Doing this is usually not advised as MBAM is designed to be at full power when running in normal mode and loses some effectiveness for detection & removal when used in safe mode. Therefore, after completing a scan it is recommended to uninstall MBAM, then reinstall it in normal mode and perform anothe... Read more

7 more replies

Hello,
My admin password for my Windows 7 account was changed. I travel for work; my computer never leaves my side. I used a workaround to get past it and reset it back.
However, with Malwarebytes I cannot find any known virus. I need advanced help on this one; not sure if it is a rootkit or not.

Thank you.

A:Am I infected?

Hello, Appears we will need more info and a deeper look. Please follow this Preparation Guide and post in a new topic. Let me know if all went well.

1 more replies

I recently had an issue with Antivirus 2009 and I believe my sister may have reinfected the system. Here's a HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:47:19, on 1/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\Pro... Read more

A:Re-infected :(.

20 more replies

Saintly Protectors of the Technically Inept,
I've recently moved to a country where internet connections are more or less a bad joke. The internet is very slow and, quite often, going to a web address I know to be good will result in one of two messages: 'can't find the server,' consistent with a bad internet connection, or 'connection to server interrupted.' Whatever comes up is always very slow. It dawned on me that I might have a virus when I compared my computer side-by-side with a colleague's, who was on the same connection. Pages on his computer didn't have the same connection problems. Two AVG scans, one regular and one command line in Safe Mode, came back with nothing. So I downloaded MBAM and ran a full MBAM scan, which came back with this:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4122

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

5/21/2010 4:25:41 PM
mbam-log-2010-05-21 (16-25-41).txt

Scan type: Full scan (C:\|)
Objects scanned: 266528
Time elapsed: 1 hour(s), 22 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 8
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:

More replies

hi

A:Am I infected?

In order to assist you effectively, we need more specific information. Please read Before you post about a problem, Some simple guidelines and How To Not Get or Give Technical Assistance on Usenet and Web Forums.
- What OS (Win 2K, XPsp1, XPsp2, Vista) are you using?
- What issues/symptoms of infection do you have?
- What actions (security tools, scans) have you taken so far?

1 more replies

A:I am infected

safe mode
that's the only word the "admin" let me say :D

12 more replies

I'm on a fresh install. No more than 2 weeks old. I did an Avira Full Scan today and got this: tr/crypt.xpack.gen in my driver.cab. I have no idea what would have infected me. This is what I have installed:

XP SP3 fully updated
Avira AntiVirus
Firefox
VLC
Winamp
CDBurnerXP
CDex CD Ripper
Hoyle Card Games
MalwareBytes
Spybot
MediaCoder
Handbrake
7-Zip
MP3Tag

Could any of those be the issue? Other than that I'm very confused.

A:What could have infected me?

2 more replies

My virus scan keeps finding a file called aupd.exe. Can anyone tell me how to get rid of this? I am using Windows Vista and it comes up on my CA anti-virus scan.

A:Infected

For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK ... Read more

1 more replies

Hello,

I am sorry to have to ask this, but I need some help to understand.
My question is very simple: do I need to worry, or not?

These are the strange things happening:
- When I do shutdown, the icon of the last used program blinks twice
- The Hard disk runs for a very long time at startup
- The Media center is sharing something, when I connect to internet.
- Some programmes cannot be uninstalled. Right now is Silverlight, for instance. And I do not remember having installed it in the first place, where does it come from?
- I cannot run the onecare safety scan from Windows, or other online scanning tools.
- Even when I am logged in as administrator, some programmes refuse my orders, claiming that I do not have enough privileges.

My fear is that there is some kind of malware on my PC, which keeps installing itself under new versions using different languages. The last one I think I found was with C++, which at some point appeared on the list of installed programmes without me requesting it. Now is with Silverlight, maybe. Or with NVIDIA?

My configuration:
- HP Pavillion Entertainment PC, bought one year ago, very fast.
- The external language of Vista is English, but I think the background is German, because sometimes I get German messages.
- Vista 32 bit installed.
- Antivirus is now Kaspersky, and it runs happily without detecting anything.
- Installed external software: Thunderbird for email, Explorer for Internet. Two printers. I do not install anything else until I ... Read more

More replies