Tech Problem Aggregator

# Infected with atlsystemXXXXXX.exe

Q: Infected with atlsystemXXXXXX.exe

Windows XP Professional system is infected with a virus or malware that makes files that start with atlsystem and end with .exe. In between atlsystem and .exe there are random numbers. MalwareBytes detects and says it removes them, but there is some underlying component that isn't removed. The files come back after reboot.

DDS Log Contents:

DDS (Ver_09-02-01.01) - NTFSx86
Run by nreitter at 18:39:59.64 on 2009-02-23
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1439 [GMT -5:00]

AV: eTrust ITM *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = <local>
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235403139892
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235403130658
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Notification Packages = scecli s t e m 3 2 \ i n o b u . d l

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nreitter\applic~1\mozilla\firefox\profiles\xw51chwf.default\

============= SERVICES / DRIVERS ===============

R2 eq2soft;Service Eset;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
R2 netmantow;Network Connections.;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S2 softyinforwow1;.Freame Micer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-11 14336]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

============== File Associations ===============

=============== Created Last 30 ================

2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem429956.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem663724.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem882754.exe
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem568713.exe
2009-02-23 17:18 131,072 a------- c:\windows\system32\atlsystem66447.exe
2009-02-23 17:18 122,880 a------- c:\windows\system32\atlsystem34844.exe
2009-02-23 17:18 97,792 a------- c:\windows\system32\atlsystem918628.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem461558.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem896885.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem232131.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem9850.exe
2009-02-23 15:40 131,072 a------- c:\windows\system32\atlsystem653661.exe
2009-02-23 15:40 122,880 a------- c:\windows\system32\atlsystem945467.exe
2009-02-23 15:40 97,792 a------- c:\windows\system32\atlsystem805520.exe
2009-02-23 15:36 86,016 a------- c:\windows\system32\u152395931.dll
2009-02-23 15:36 77,824 a------- c:\windows\system32\u1523630.dll
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem488833.exe
2009-02-23 15:36 59,904 a------- c:\windows\system32\atlsystem407560.exe
2009-02-23 14:54 86,016 a------- c:\windows\system32\u142345755.dll
2009-02-23 14:54 77,824 a------- c:\windows\system32\u142395749.dll
2009-02-23 14:12 86,016 a------- c:\windows\system32\u142370424.dll
2009-02-23 14:12 77,824 a------- c:\windows\system32\u142329818.dll
2009-02-23 14:07 <DIR> a-dshr-- C:\cmdcons
2009-02-23 14:06 161,792 a------- c:\windows\SWREG.exe
2009-02-23 14:06 98,816 a------- c:\windows\sed.exe
2009-02-23 13:39 <DIR> --d----- C:\hjt
2009-02-23 12:40 131,072 a------- c:\windows\system32\atlsystem85617.exe
2009-02-23 12:40 122,880 a------- c:\windows\system32\atlsystem71669.exe
2009-02-23 10:33 <DIR> --d----- c:\windows\pss
2009-02-23 10:32 23,576 a------- c:\windows\system32\wuapi.dll.mui
2009-02-23 10:19 86,016 a------- c:\windows\system32\u10233874.dll
2009-02-23 10:18 77,824 a------- c:\windows\system32\u10237459.dll
2009-02-23 08:21 <DIR> --d----- c:\docume~1\nreitter\applic~1\Malwarebytes
2009-02-23 08:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-23 08:21 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 08:20 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 08:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-23 08:15 86,016 a------- c:\windows\system32\u82357832.dll
2009-02-23 08:15 77,824 a------- c:\windows\system32\u82312528.dll
2009-02-23 06:57 135,168 a------- c:\windows\system32\atlsystem5738.exe
2009-02-22 17:21 86,016 a------- c:\windows\system32\u172275047.dll
2009-02-22 17:21 77,824 a------- c:\windows\system32\u172265645.dll
2009-02-22 17:15 86,016 a------- c:\windows\system32\u172295311.dll
2009-02-22 17:15 77,824 a------- c:\windows\system32\u17229067.dll
2009-02-22 16:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-22 16:48 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-22 16:48 <DIR> --d----- c:\docume~1\nreitter\applic~1\SUPERAntiSpyware.com
2009-02-22 16:28 86,016 a------- c:\windows\system32\u16221541.dll
2009-02-22 16:28 77,824 a------- c:\windows\system32\u1622040.dll
2009-02-22 15:41 86,016 a------- c:\windows\system32\u152235944.dll
2009-02-22 15:41 77,824 a------- c:\windows\system32\u152248443.dll
2009-02-21 19:06 86,016 a------- c:\windows\system32\u192185922.dll
2009-02-21 19:06 77,824 a------- c:\windows\system32\u192114019.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der5609488.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der7119346.dll
2009-02-21 12:33 86,016 a------- c:\windows\system32\u122131225.dll
2009-02-21 12:33 77,824 a------- c:\windows\system32\u122135920.dll
2009-02-21 12:32 65,536 a------- c:\windows\system32\der4559674.dll
2009-02-12 15:56 <DIR> --d----- c:\program files\Citrix
2009-02-12 15:56 60,744 a------- c:\documents and settings\nreitter\g2mdlhlpx.exe
2009-02-05 20:41 <DIR> --d----- c:\program files\MJ4120 SERIES
2009-02-05 20:40 <DIR> --d----- c:\program files\CdrPlayBack_MJPEG
2009-02-05 20:39 548,864 a------- c:\windows\system32\J2K_Decode.dll
2009-02-05 20:39 352,256 a------- c:\windows\system32\ijl15.dll
2009-02-05 20:39 327,680 a------- c:\windows\system32\kdu_v45R.dll
2009-02-04 17:08 <DIR> --d----- C:\fc018016df1fe2817d17cc58ff
2009-02-04 17:08 <DIR> --d----- c:\windows\SxsCaPendDel
2009-01-29 15:03 132 a------- c:\windows\ODBC.INI
2009-01-29 10:10 <DIR> --d----- C:\crystalreportviewers12
2009-01-29 10:09 42,847 a------t c:\windows\system32\ISUSMsg.rtf

==================== Find3M ====================

2009-02-23 08:18 81,556 a------- c:\windows\system32\nvModes.dat
2009-01-21 16:53 249,856 -------- c:\windows\Setup1.exe
2009-01-21 16:53 73,216 a------- c:\windows\ST6UNST.EXE
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2009-01-06 08:38 35,328 a------- c:\windows\system32\drivers\ax88772.sys
2008-12-26 12:25 123,127 a------- c:\windows\HPHins12.dat
2008-12-25 08:13 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-19 04:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 04:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 00:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 00:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 05:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 18:40:17.27 ===============

A: Infected with atlsystemXXXXXX.exe

KillAll::

NetSvc::
softyinforwow1
eq2soft
netmantow

Driver::
softyinforwow1
eq2soft
netmantow

Collect::
c:\windows\system32\atlsystem429956.exe
c:\windows\system32\atlsystem663724.exe
c:\windows\system32\atlsystem882754.exe
c:\windows\system32\atlsystem568713.exe
c:\windows\system32\atlsystem66447.exe
c:\windows\system32\atlsystem34844.exe
c:\windows\system32\atlsystem918628.exe
c:\windows\system32\atlsystem461558.exe
c:\windows\system32\atlsystem896885.exe
c:\windows\system32\atlsystem232131.exe
c:\windows\system32\atlsystem9850.exe
c:\windows\system32\atlsystem653661.exe
c:\windows\system32\atlsystem945467.exe
c:\windows\system32\atlsystem805520.exe
c:\windows\system32\u152395931.dll
c:\windows\system32\u1523630.dll
c:\windows\system32\atlsystem488833.exe
c:\windows\system32\atlsystem407560.exe
c:\windows\system32\u142345755.dll
c:\windows\system32\u142395749.dll
c:\windows\system32\u142370424.dll
c:\windows\system32\u142329818.dll
c:\windows\system32\atlsystem85617.exe
c:\windows\system32\atlsystem71669.exe
c:\windows\system32\u10233874.dll
c:\windows\system32\u10237459.dll
c:\windows\system32\u82357832.dll
c:\windows\system32\u82312528.dll
c:\windows\system32\atlsystem5738.exe
c:\windows\system32\u172275047.dll
c:\windows\system32\u172265645.dll
c:\windows\system32\u172295311.dll
c:\windows\system32\u17229067.dll
c:\windows\system32\u16221541.dll
c:\windows\system32\u1622040.dll
c:\windows\system32\u152235944.dll
c:\windows\system32\u152248443.dll
c:\windows\system32\u192185922.dll
c:\windows\system32\u192114019.dll
c:\windows\system32\der5609488.dll
c:\windows\system32\der7119346.dll
c:\windows\system32\u122131225.dll
c:\windows\system32\u122135920.dll
c:\windows\system32\der4559674.dll

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt
A new HijackThis log.

**Note** When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
Simply follow the instructions to copy/paste/send the requested file.

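As an added illustration (not part of the original thread, and not code from DDS or ComboFix): the `Created Last 30` section of the log above shows the pattern that identifies this infection, many files in `system32` that share a short prefix and differ only in a run of digits. The Python sketch below parses that section's line format and groups such files into families; the regular expressions, the threshold of three and the function names are assumptions chosen for this log.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the "Created Last 30" lines from the DDS log
# above (three suspicious families plus ordinary entries from the same log).
SAMPLE = r"""
2009-02-23 17:18 59,904 a------- c:\windows\system32\atlsystem429956.exe
2009-02-23 17:18 131,072 a------- c:\windows\system32\atlsystem66447.exe
2009-02-23 15:40 59,904 a------- c:\windows\system32\atlsystem9850.exe
2009-02-23 15:36 86,016 a------- c:\windows\system32\u152395931.dll
2009-02-23 15:36 77,824 a------- c:\windows\system32\u1523630.dll
2009-02-23 14:54 86,016 a------- c:\windows\system32\u142345755.dll
2009-02-23 14:07 <DIR> a-dshr-- C:\cmdcons
2009-02-23 08:21 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-23 06:57 135,168 a------- c:\windows\system32\atlsystem5738.exe
2009-02-21 12:35 65,536 a------- c:\windows\system32\der5609488.dll
2009-02-21 12:35 65,536 a------- c:\windows\system32\der7119346.dll
2009-02-21 12:32 65,536 a------- c:\windows\system32\der4559674.dll
2009-02-05 20:39 352,256 a------- c:\windows\system32\ijl15.dll
2009-02-05 20:39 327,680 a------- c:\windows\system32\kdu_v45R.dll
"""

# One "Created Last 30" entry: timestamp, size or <DIR>, attribute flags, path.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) (\S+) (.+)$")

# Assumed heuristic: alphabetic prefix, a run of four or more digits, and an
# executable extension. Short version-like suffixes (ijl15.dll) do not match.
NAME_RE = re.compile(r"([a-z_]+)(\d{4,})\.(exe|dll|sys)", re.IGNORECASE)


def parse_created(text):
    """Return (timestamp, size, path) tuples for file entries; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group(2) == "<DIR>":
            continue
        size = int(m.group(2).replace(",", ""))
        entries.append((m.group(1), size, m.group(4)))
    return entries


def suspicious_families(entries, min_count=3):
    """Group files whose names differ only in the digit run.

    Returns {pattern: summary} for every group with at least min_count members,
    where pattern looks like c:\\windows\\system32\\atlsystem<N>.exe.
    """
    groups = defaultdict(list)
    for stamp, size, path in entries:
        folder, name = ntpath.split(path)  # ntpath parses Windows paths on any OS
        m = NAME_RE.fullmatch(name)
        if m:
            key = f"{folder.lower()}\\{m.group(1).lower()}<N>.{m.group(3).lower()}"
            groups[key].append((stamp, size, path))

    report = {}
    for key, members in groups.items():
        if len(members) < min_count:
            continue
        stamps = sorted(stamp for stamp, _, _ in members)
        report[key] = {
            "count": len(members),
            "sizes": sorted({size for _, size, _ in members}),
            "first_seen": stamps[0],
            "last_seen": stamps[-1],
            "paths": [path for _, _, path in members],
        }
    return report


if __name__ == "__main__":
    found = suspicious_families(parse_created(SAMPLE))
    for pattern, info in sorted(found.items()):
        print(f"{pattern}: {info['count']} files, sizes {info['sizes']}, "
              f"{info['first_seen']} .. {info['last_seen']}")
```

A family that keeps gaining members across reboots, as `atlsystem` does in the log, points to a surviving loader (here the three `netsvcs` services and the altered LSA `Notification Packages` value) rather than to the dropped files themselves.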

Already did some scans with tdsskiller and hitmanpro and they detected Trojan-Spy.Win32.Zbot, Rootkit.Win32.PMax.gen, and rootkit boot.cidox.b, I'm not sure how this machine got so badly infected. The user may have opened a link or some file by accident.

The infected svchost.exe is causing the most problems, creating multiple various connections and slowing down the internet connection. Explorer.exe would also crash and would create connections as well. Internet explorer would pop up to back-linking websites.

No restore cd for this computer. Although I do have a copy of xp meant for dell machines and this is a dell.

Just need to know how I can stop the svchost.exe from creating connections.

dds attached


A:Infected with multiple malware, Cidox, Trojan-Spy.Win32.Zbot, Infected svchost.exe

Hello! Welcome to BleepingComputer Forums!
My name is Georgi and I will be helping you with your computer problems.
Before we begin, please note the following:
I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The logs can take some time to research, so please be patient with me.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your re...


DDS (Ver_09-05-14.01) - NTFSx86
Run by Bogdan at 0:21:16,39 on 30.07.2004
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1251.380.1049.18.223.55 [GMT 3:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
H:\FIX\dds.scr

============== Pseudo HJT Report ===============

A:Infected by the same flash drive as this http://preview.tinyurl.com/o3l47t one was infected


I have a mild adware infection that is affecting every computer that goes through my network. Superantispyware can find and remove ONE file(no active, no registry) that is associated with this attack and the problem is resolved (ie. it does not come back unless i log into this particular network, it's still gone when I restart the computer, etc). The adware does not affect any of my cleaned computers unless I am logged into MY network. A clean load of windows XP with service packs loaded will immediately be infected on my network without so much as going anywhere aside from google.com.

As best I can tell my hijack this log is clean, but here it is for those of you who are far superior at this than I am. This is from the machine I am using which is currently infected.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 10:43:09 AM, on 12/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\msiexec.exe


A:Infected with unknown trojan/malware, has infected pc with rogue:win32/fakerean, VirTool:JS/Obfuscator.CE, and others so far

Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:
C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Hello, I have a gateway desktop computer with Windows XP SP3, Internet Explorer 8, 2GB RAM, and 600GB Hard Drive.

Avira Free Antivirus detected TR/Drop.daws.juu in my recovery partition (D:\) yesterday. MBAM detected PUM.Hijack.StartMenu on my regular partition. I removed these infections and proceeded to backup some files to my external hard drive. While doing so, Avira detected TR/Keygen.AQ.19 and TR/Tool.Keygen.517 in the "system volume information" folder on my external hard drive. I removed these as well.

Lately I've noticed that my computer would behave strangely but more of the behavior is so subtle that it's hard to describe it properly. Every now and then a process named mme.exe would show up in the task manager. I did a little bit of digging and everything I found suggested that it is malicious.

I am usually able to resolve stuff like this on my own, but this time I'm getting nowhere. I have never had an infection on anything other than the partition that my operating system is installed on. I am in need of your help badly. Thank you for your time, here are the logs.

-----------------------------------------------------------------------------------------------------------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 5:50:25 on 2012-02-10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1348 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
===...

A:Multiple Infections - Regular Partition infected with "PUM.Hijack.StartMenu" - Recovery Partition infected with...

Hi there,

It appears that you are receiving help at another forum: http://forums.majorgeeks.com/showthread.php?t=253464

Having multiple topics open at different forums only serves to confuse matters and waste the volunteers' time. In addition, it seems that you have since reformatted your drive. As such, I will close your topic here.

Regards.

Casey


Hello,

I was contacted by some friends last Sunday who said they received lots of weird emails from my email account. The emails contained nothing but a link. I did not send any emails over the weekend so I don't know how this happened. This must be a virus, right? I noticed my antivirus (avast!) began (a few days back) blocking a couple of malwares when downloading emails to Outlook 2007 on my laptop. It identified an infection called "Win32-Malware-gen". It now does this every time I try to download emails and I now have duplicate emails in my Inbox. My antivirus identified the infected emails having subject "DHL Express Delivery" or "FedEx Service Notification" and a document.zip attachment which I think contained document.exe if I'm reading the Avast! log correctly. I did not open any of these emails. The antivirus moved them to chest but it seems the problem wasn't resolved. I then get a microsoft message saying Outlook encountered a problem and cannot exit. It offers me an "End Now" button, but it seems to get into a loop and the whole scenario happens again whereby Outlook reloads and I get the malware messages again.

Another problem I noticed which might be connected is that in IE8, whenever I attempt to login to any site it blocks and reloads webpage with "This tab has been recovered - A problem with this website caused Internet Explorer to close and reopen tab" message. Then it asks me t...

A:Infected with Win32-Malware-gen - Emails (Infected?) spammed from my email account to many recipients without my knowledge etc.

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


Hi, Our computer has been infected since yesterday with the SMART HDD virus, which has been hiding all programs. I also believe our computer is infected with a TDSS type of rootkit virus in reading thru your website, as we've been having redirects happening in the search results of Google and BING for quite a number of weeks now.

We have a WINDOWS XP Service Pack 3 computer.

The SMART HDD virus had (at first) completely hidden all the programs from me and made them in-accessible. (see below) I was able to "un-hide" the programs, which allowed me access to Internet Explorer, Outlook Express and a few other programs, but not access to the important virus programs such as Malwarebytes and it wouldn't allow me to run the TDSSkiller program (even with re-naming it.), DDS froze up my system twice so I've not tried it again.

What I've done so far:

From a work computer on a whole different network, I was able to read up on your site, good information on what is going on and the steps I needed to take. However, the system is not allowing me to take the necessary steps, so I'll definitely need your help in getting around these roadblocks. I have been running my computer in SAFE MODE and doing that - I was (at first) able to un-hide the programs that are non-accessible, by going to My Computer and following the steps your site says to do. That temporarily enabled me to un-hide the programs, but now, the programs are hidden again. Before the progra...

A:Infected with SMART HDD and also appear to be infected with a rootkit (TDSS type of issue)

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:...


A:Keep Getting Warning Message That I Have Been Infected With Zlobtrojan Other Says Infected By Trojan.fakealert, Etc


Here is my log using HijackThis. My contacts in Windows Live Messenger are receiving pop-up message notifications with infected links. Norton is not picking anything up, and computer is running really slow. Malware Bytes did not pick anything up either. Any help would be appreciated ... thanks!

-------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:42:41 PM, on 05/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Rogers Online Protection\Rogers Online Protection\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Rogers Online Protection\Rogers Online Protection\rps.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Prog...

A:Spyware infected, MSN Live Messenger sending out IM with infected links


I was infected with vundo, and I thought I cleaned most of it out using SpyDoctor, Spybot S&D, vundofix, etc. but whenever I log back on, I'm still infected.

Please help!

Here's my HJT log. Not sure what to do to get rid of this infection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:55 AM, on 10/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:...

A:Infected with Virtumonde. Used SpyBot, SpyDoctor, VundoFix, VirtuBGone, still infected


Hi, everyone... my name is Avi... and I'm running XP service pack II. I thought I was pretty good with computers, since I've been playing with them since the era of Wing Commander and Star Control II, and usually I can solve computer issues on my own. However, 2 days ago I noticed that my background had changed to a blue screen that said "Warning, Spyware detected your computer...", and I repetitively get a "Blue screen of death" notice on my computer which indicates that it's about to shut down, but... then it just goes back into windows. My system restore seems to have become disabled, and the background and screensaver modes on my display menu are not working. I have Kaspersky AV 7.0 installed, but I never installed the Kaspersky firewall cause I felt it slowed down my PC too much. I am running the windows firewall, though... and I have adaware. Please help me get my PC back to normal!

I ran the Deckard's Scan, along with the Hijack This scan, and I have included main.txt and extra.txt in this post. Thanks so much!

Deckard's System Scanner v20071014.68
Run by Avishek on 2008-06-14 15:19:30
Computer is in Normal Mode.
---------------------------------------------------------------------------------- System Restore --------------------------------------------------------------
Failed to create restore point; System Restore is disabled (service is not running).
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 15.3 GiB (less than 15%) free.
...

A:Infected With Trojan.win32.pakes.czg/warning Your Computer Has Been Infected...

In the Drivers section click on Non-Microsoft.
Under Additional Scans click the checkboxes in front of the following items to select them:
Reg - BotCheck


So at first I had the "Internet Security 2010" bug, but I think I fixed that with rkill. But now I got the green desktop with the "system is infected" message. I have heard of people who have this problem trying to restart only to find their system totally screwed, so I'm scared to turn off/restart. I have run DDS and Root Repeal. I know it's Christmas, but please help!!!
DDS (Ver_09-12-01.01) - NTFSx86
Run by Michael at 3:25:14.42 on Fri 12/25/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.44 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe

A:Infected, Big Time... Green Desktop with "Your System is Infected" Message

Visit below website. Understand on how to use ComboFix >> download and run the program >> post the log here http://www.bleepingcomputer.com/combofix/how-to-use-combofix


A:Infected Machine - infected copy of atapi.sys found by Combofix


Yesterday while on the computer I suddenly got the Positive Finds popups. I had malwarebytes premium running and it wasn't able to prevent it I guess.

Ran a scan with MBAM and it detected it, I restarted thought it would be fine but Positive Finds is still all over my browser

This is the first virus/spyware/adware I've gotten in years so I would like some assistance from you guys

Thanks

A:Infected with Positive Finds adware, already took some steps but still infected

Never mind all I had to do was reinstall Chrome and it's gone now


Two days ago my computer got infected w/ Internet Security 2010. I did research online and found advice on threads to get rid of it by trying Malwarebytes Anti-Malware and it hasn't worked. I've run 4 full scans and each time it pops up with new infections. I have cut off all ties to the internet and have tried performing the "full scan" under safe mode but I still have the blue/green desktop w/ the "Your computer is infected" box in the middle of the desktop and the Internet Security 2010 icon on the desktop. Now the pop-ups have stopped but how do I get rid of the icon and "box" in the middle of the desktop??? Please help, want to have my laptop back to normal!! :(

A:Infected w/ Internet Security 2010; tried Malwarebytes & still infected

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


This is my first post!

It may be me just being paranoid, but around a month ago, I was on a Japanese import website looking at cars and it told me to download the latest version of flash player and I thought it was legitimate.

Anyway, I downloaded off a mirror link to find that when I ran it I had a fake police "lockdown" on my machine.

I managed to remove it once, but it reappeared. I then the second time logged off my pc but did not "force log off" and managed to get around the fake "lock down" the virus had made.

I have managed to remove all of the startup entries of the virus programs and all of the original files.

However, now my MSCONFIG thinks that my Norton 360 is disabled on startup, yet it starts up fine?

I had to re-enable all of the services on my PC to make sure everything was working, but now my computer takes minutes to boot up with all programs working, as opposed to before the virus I could load Norton instantly.

Any help would be great, I have done scans with Norton 360, Malware-Bytes and SpyBot Search and Destroy 2 since.

Thanks,
Stallzy.

A:Infected by Fake Police virus and removed, still think my PC is infected.


Directrdr has infected my computer. I run Firefox 3.5.3 and I cannot search with Google, Bing, or any other search engine that keep logs of my search history. Each time I use one of these search engines new tabs and/or new windows will open up to pages that I did not open myself. I can see the hxxp://www.directrdr.com . . . in the address bar and then it redirects to some other website that I did not authorize. I can use IXquick with few problems, it does not redirect to other pages, but sometimes new tabs will open anyway. When I run IE and try to navigate away from my homepage-MSN it redirects too. I have run Spybot, AVG, Malwarebytes, SDFix, and various others, tried cleaning in Safe Mode and I cannot get rid of this thing. Please help. Thank you for your time.

I do not have a GMER file to attach because it keeps crashing. I tried to run it twice and each time it keeps stopping before it can complete its task, it will scan a few files and then stop. Error Message:
gmer.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

DDS (Ver_10-03-17.01) - NTFSx86
Run by at 18:04:11.65 on Thu 07/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.68 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-5...

A:Infected with directrdr browser hijacker?! Firefox & IE infected.


Computer started out with AVG detecting several resident shield viruses. Noticed ping.exe was using my entire system resources. Firefox was hijacked and started opening random pages. Shut computer down and rebooted into safe mode. Cannot do system restore, tried several restore points with no success. Ran AVG in safe mode, backdoor generic14.cbjj found and supposedly white listed as necessary. Ran Spybot S&D, couple of harmful entries found. Ran Malwarebytes in safe mode, trojan horse c:\windows\system32\Drivers\netbt.sys. Virus fsquirt.exe found and supposedly deleted. Now are booted into safe mode with no connectivity and still obvious that my computer is sick. Need help with how to get back online and get the tools to help me correct this virus. Got help from BC Advisor Broni as to tools to help get this started. Computer is now booted to regular mode and I have run the requested tools and am posting results as follows.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_26
Run by Cara Leigh at 15:40:52 on 2011-12-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1547 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs

A:Backdoor.Generic14.cbjj infected netbt.sys infected


Hi,
I have Dell Inspiron E1405 with Win XP SP3. For last 15 days I am infected with rootkit-agent.sys and tried every malware/antivirus/spyware tool suggested by "am i affected forum". since the rootkit could not be fixed, I was advised to visit HJT forum. need help.
I keep getting rootkit detected message by my AVG.
I am pasting DDS below and also attaching the "attach" file.
regards
g10

**************

DDS (Ver_09-06-26.01) - NTFSx86
Run by first at 22:50:06.40 on Thu 07/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.372 [GMT 5.5:30]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe

A:infected with rootkit-agent.di ndis.sys file is infected


Hi,

My Dell Inspiron N400 notebook running Windows 7 64 bit (Pro), [OS Version: 6.1.7601 ServicePack: 1.0] has become a playground of miscreants from four corners of earth and time is running out. It all started 2 months ago when I opened an email with title that my teenage daughter sex video is on internet. I never would click such a link but it was forwarded by my mother so I was in distress, so I clicked a link in it. It was luckily daughter of someone else and not mine since I never been or had relations with anyone from Nigeria.

But from that day slowly everything breaks. My virus killers (Kaspersky then Bit Defender, and Windows Defender and Titanium Trend Micro) get turned off or stop responding. Before I had 36 processes after starting up and now I have 60, and a half hour later over 100 processes that take 100% cpu, 100% of my 8gig memory, and 100% hard drive activity.

I reinstalled operating system 3 times on C drive but I have on D drive all my things in storage and in matter of a day after reformatting C and reinstalling, the ghost in machine is back. I have sometimes 10-30 errors in my event logs on a good hour, and 2-3 critical errors every few days. My external monitor port on laptop stopped working, my network cable port (looks like telephone jack) stopped working and I use usb connection to adsl modem. My camera can not be found and is unknown device accepting no drivers but sometimes it turns on and looks at me.

Criminal hacker gangs are locked in bat...

A:Infected by 36 Viruses/Trojans/Malware - Infected My Professor


Hi, Rigel has been trying to help me, but has now suggested I post here instead. Unfortunately, he was unable to help me.
http://www.bleepingcomputer.com/forums/t/222246/infected-please-help/

Log created by WinPatrol version 15.5.2008.0:15.5.2008.0
Scan saved at 10:58:02 AM, on 5/18/2009
Platform: Windows Vista SP1 Home Edition Service Pack 1 (Build 6001)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal

Running processes:
C:\Windows\System32\taskeng.exe
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\PROGRAM FILES\WINDOWS DEFENDER\MSASCui.exe
C:\PROGRAM FILES\SIS VGA UTILITIES\SiSTray.exe
C:\Windows\RtHDVCpl.exe
C:\PROGRAM FILES\SPARE MESSAGING\MESSAGINGAPP.EXE
C:\Windows\V0380Mon.exe
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\PROGRAM FILES\Creative\SHARED FILES\CTSched.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\ehome\ehmsas.exe
C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmpnscfg.exe
C:\PROGRAM FILES\INTERNET EXPLORER\ieuser.exe
C:\PROGRAM FILES\INTERNET EXPLORER\iexplore.exe
C:\Windows\System32\Macromed\Flash\FLASHUTIL9F.EXE
C:\PROGRAM FILES\WINDOWS LIVE\MESSENGER\msnmsgr.exe
C:\PROGRAM FILES\WINDOWS LIVE\Contacts\wlcomm.exe
C:\PROGRAM FILES\COMMON FILES\Adobe\Updater5\ADOBEUPDATER.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROLEX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL...

A:Infected, unable to identify. Moved from Infected Forum.


Since today, my computer doesn't load the explorer anymore. I can still run it through Windows Task Manager though by running explorer.exe, but after it loads, my background has been changed to a message saying "WARNING! You're in Danger! Your computer is infected with Spyware! All you can do with computer is stored forever in your hard disk."
It also constantly badgers me with faulty anti-virus applications called "System Security."

Thank you very much for any help.

Update: I can't load up any applications or even task manager after explorer has started. An icon in the bottom right continues to state "Warning! Application cannot be executed. The file _______.exe is infected. Please activate your antivirus software."

A:Infected: WARNING! you're in danger! Your computer is infected with Spyware!

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


SUPERAntiSpyware has found 5-6 instances of registry keys infected as unclassified.uknownorigin and appears to be unable to delete them despite repeated efforts.

I have run Advance Systemcare 3 in hopes of deleting it to no avail.

Any help would be greatly appreciated!

A:Infected? SUPERAntiSpyware finds infected registry keys


I was recently infected with a backdoor.trojan which Norton anti virus quarantined and I subsequently deleted it in Norton anti virus but I do not know if my system is clean or if it is still infected. I would be very grateful if someone could take a look at my log below. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:49:40, on 17/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:&...

A:Recently Infected With A Backdoor.trojan , Help Needed Please To See If Still Infected

Examples of older versions in Add or Remove Programs:
Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6

Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

**********************

You will need to use Internet Explorer for this scan. Disable your Norton Antiv...


Referred here from: http://www.bleepingcomputer.com/forums/t/218785/i-think-i-have-a-keylogger-problem/ ~ OB

Hello there. I first posted on "Am I Infected" because I had a keylogger problem. That was solved, but apparently the member working with me said I was still infected which was the reason my computer slowed down in the past couple of weeks. He said he couldn't find the AntiVirusSentry file with all the MAMB and SAS scans I did after getting rid of my other problems, so he sent me here. I know my computer is slow, only have 512 of RAM and some of my drivers and BIOS need updates, but it's never been this slow. Sometimes while opening a new window, the internet freezes (quite often lately), and sometimes I have to shut them down by using CTRL+ALT+DEL. Other times an error message about runtime appears and says the window has to be closed. I've read it was a problem with the latest Adobe, but I dunno. I just know it's painfully slow at the moment. Please help me.

DDS (Ver_09-03-16.01) - FAT32x86
Run by Andr? Caetano at 17:21:17,58 on 18-04-2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.351.2070.18.1014.418 [GMT 1:00]

AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scan...

A:I'm infected - "am I infected" couldnt solve the problem

Should I post a new log? A member told me after I post a log I shouldn't change anything but I did check the disk for errors and I defragmented the disk. Not sure if that affects anything?


Hi there!

I'm infected with some very annoying trojan, I've previously run adaware, spybot search and destroy, avg free antivirus, avast. Some of these picked up the problem, but I'm still getting the "yourieprotect" homepage when I go on internet explorer.

I have run everything as per this link: http://www.bleepingcomputer.com/forums/t/63896/how-to-remove-virusburst-removal-instructions/

This is my smit file:

smitRem ? log file version 3.2 by noahdfear
Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Wed 11/29/2006
The current time is: 14:26:06.57
Running from
C:\Documents and Settings\Mourad\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright? 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appinitdll check ........ Thank you Grinler!
dumphive.exe ?2000-2004 Markus Stephany
REG...

A:I Am Also Infected With: Infected With W32/[email protected] A/k/a Zlob Trojan


Looking for help to remove this dastardly thing / Been several days on it.

I.E. icon shows a lot of activity in system tray

DDS Log below and Attach.txt, Attach.zip and Ark.txt attached also

DDS (Ver_10-10-21.02) - NTFSx86
Run by Mike at 16:05:53.54 on Sat 10/30/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.767.434 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe

A:Infected with TDL4 Rootkit - MBR Possibly Infected

Hi there,

I see you've run ComboFix....could you please post the report from it? Also, I see Geek Squad got you...or are you them???? I'd like to know if anything else was done is why I ask.

Download TDSSKiller.zip
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan
If Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now
Copy and paste the log in your next reply
A copy of the log will be saved automatically to the root of the drive (typically C:\)

Thanks,
tea


Hi all, sent here by Broni for elevated help.  Basically, to summarize, I got a worm possibly through a vulnerability in Flash and from an infected ad (I've only browsed legit websites and I have McAfee SiteAdvisor) and as is typical of people who have the worm, I can't remove it.  Apparently, it's infected my MBR and I was told to run DDS.

Here's DDS.txt

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16483  BrowserJavaVersion: 10.21.2
Run by Daniel at 18:10:34 on 2013-05-25
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.4093.1324 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe

A:Infected MBR; Infected with MSIL/Necast.D worm


Hello! I am posting because I have offered to clean up a computer for a coworker, and want to make sure I do a thorough job. So far, I have seen indications of at least 4 separate malware programs. The first was Antivirus 360, which I believe I deleted for the most part via manually removing the files and registry values. I have also seen VirusProtect 3.8 and 3.9, though I had no luck locating the files I was told to delete...so I am not sure if the infection is there or not.

His computer already has "Verizon Internet Security" installed, and I used that for an initial scan to see what it found. I deleted what it found, though that was done in safe mode, before I deleted all the files manually for AV360. When I enable Verizon Internet Security, it pops up two warnings, which mention a file by the name of Trojan.Win32.Monderb.xgy, in the C:\WINDOWS\system32\ljJCvSiI.dll. I looked up that file, and saw it was connected with the "Vundo" virus...or something along those lines.

His computer is not connected to the internet at the moment. I am using my laptop to access the net, and transferring files via a flash drive to his computer. I have scanned with DDS, and will provide the log. I also have HJT ready to run on his desktop, as well as ComboFix. Here is the DDS log:

DDS (Ver_09-01-19.01) - NTFSx86
Run by HP_Administrator at 16:34:39.23 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033...

A:Computer Infected/Possibly Infected With Various Malware

Hi,

Your system is severely infected. I can see more malware present than anything else... Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.

Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.

So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all... From the log I see:

AV: Authentium Antivirus *On-access scanning enabled* (Outdated)
AV: Verizon Internet Security Suite Anti-Virus *On-access scanning disabled* (Outdated)
FW: Verizon Internet Security Suite Firewall *disabled*

What's the point in having a security Suite / Antivirus present if it's outdated and disabled.

Most probably the sub...


Here is my DDS log. Right now my desktop is pure white and I can't set a background image. Also I have a red X showing up in the tray saying "Your Computer is Infected - Click Here to Remove"

DDS (Ver_09-02-01.01) - NTFSx86
Run by Compaq_Administrator at 14:46:59.31 on Tue 02/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.606 [GMT -5:00]

AV: avast! antivirus 4.8.1296 [VPS 090210-0] *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe

Forgot to mention when I use google in Firefox, I have to open the link 6 or 7 times before it actually brings me to the link, other times it is redirected to a number of sites.


Posted about my main box and my vista spare part box.. this is to figure out what's up with one of three laptops that were all on a router together... This laptop crashed after getting the infection. I recovered via the hard drive acer setup. No optical drive installed, this is one of two acer netbooks we use in our family. Thought I reinstalled everything. I believe a rootkit of some sort has ahold of this laptop...settings change on their own, cpu usage is about 50% when just sitting idle from user standpoint.

Please let me know what logs to provide.. Thanks again to all that have helped thus far and continue to be a great support.

btw: this laptop is an acer aspire one with win xp..

A:My laptop is infected... part of a group of pc's infected

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click on Delete tab follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).

IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download a...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:36 μμ, on 26/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Creative\Sound Blaster X-Fi Surround 5.1\Console Launcher\CTAPR2.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Pr...

A:Infected with a virus that causes NOD32 to remove any .exe that is not infected


hi

A:Steam infected with Adware (Chrome also was infected)

This topic will be closed due to presence of pirated content.

Piracy policy


Hi!

I seem to have been infected with some particularly vicious malware..

I get a red bubble with a white 'x' on my taskbar. The message 'your computer is infected! WIndows has detected a spyware infection! Click here to protect your computer with spyware!'

Anti - Vir is going nuts over it (It keeps on picking up trojans and worms) Malwarebytes' Anti-Malware can't get rid of it, and neither can spybot. It has turned off Windows firewall and won't let me turn it back on.

I use Windows XP, have automatic updates turned on, am running SP2 and update Antivir, Spybot and Malwarebytes' Anti-Malware regularly.

It won't let me run ad-aware or spybot.

If you require any further information, let me know!

Rob

DDS (Ver_09-07-30.01) - NTFSx86
Run by admin at 11:14:16.37 on 02/09/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1023.453 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe


I am finding increasingly more machines where antivirus can't seem to disinfect a machine, even with the latest definitions.

Is there a solution for this?

What is everyone else doing to cope with this problem?

I used to be able to disinfect an infected machine and really get it out. Now, after disinfection, I frequently see new alerts within just a few minutes for viruses that I know are included in the virus definition file.

Case in Point: I went on a service call today and found a dozen different viruses in over a hundred different files spread over an eight-computer LAN. After two and a quarter hours of defeat after defeat, I loaded up the entire network, router and all, and brought it back to my shop. This is a drastic step; but, I gotta' know for sure that they are clean when they go back and this is the only way I know to do it with certainty.

I have always been told that one should not run two antivirus programs at once. I'm now doubting one program can do it. Maybe two can't either; but, I am seeing situations where I believe two is better than one.

NTFS has only made it more difficult. I frequently have to remove an NTFS drive and connect it to a known-clean machine to remove viruses. But, that leaves all the virus-related lines in the registry of the non-active but supposedly disinfected drive.

Anyone have any suggestions how one can do a sure-clean on an infected NTFS machine without going to such drastic steps?

There's got to be a ...

A:Infected, cleaned, still infected--can antivirus disinfect it any more?


Hi,

My computer is infected with some kind of virus. One of the many, at least it seems like there is. The serious one creates an Internet Gateway at LAN Controller bootup. I cannot disable the Internet Gateway directly but I can disable the LAN Controller (Local Area Connection) then it disappears. The second I enable the LAN Controller the Gateway gets connected again.

Additionally, it seems I have over 70 processes running at any given time, if that helps. Dell tells me the only thing I can do is to reformat. Please help, I would rather not format my system.

I am sure you will find more than just that after reviewing the HijackThis Log file.

===================

Logfile of HijackThis v1.99.1
Scan saved at 10:36:50 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

When you reach the final page of the installation process, make sure "Run fixit" is checked.
Follow the on-screen prompts & reboot your computer when instructed to do so.

**Do not be alarmed if your computer takes longer than usual to load.

After you have restarted, wait for HijackThis to launch automatically.
With HiJackThis & place a check next to these items and select "Fix checked":

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O16 - DPF: {B49C4597-8721-4789-9250...


I believe I have an infection. When I open my Internet Explorer and browse the internet, after a bit of time a new IE browser window pops up with various ads, virus protection offers, google things etc. It happens every so often. I have tried Malwarebytes, and it did not find the virus. Other virus removal tools have indicated the following is infected:

fsvga.sys

The anti virus tools do say they fix it, but it gets infected again afterwards.

I have seen the following message:

Infected copy of c:\windows\system32\drivers\fsvga.sys was found and disinfected
Restored copy from - Kitty had a snack

And it continues to be infected.

According to GMER, as I'm sure you will notice, it does show the following:

C:\WINDOWS\system32\DRIVERS\fsvga.sys suspicious modification
C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

I have followed your instructions on posting virus removal help request, and the requested files have been attached. Here is also the DDS as follows. Thank you for your help in advance on this matter:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Joel at 14:48:26.03 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1482 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\W...

A:Infected With Unknown - Infected fsvga.sys


Let the ol' lady use my PC and ends up getting a 'HTML/Infected.WebPage.Gen notification from AVIRA. Every time she hits her blogs on IE it ends in bad news. Here is the DDS log. Not sure if I require the Kaspersky scan. I don't have it but will see what you guys say first. Hope this helps. Please advise. Your assistance in this matter is greatly appreciated.

DDS (Version 1.1.0) - NTFSx86
Run by ALAN WONG at 21:12:00.89 on Tue 12/23/2008
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.438 [GMT -8:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
FW: Sygate Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Pr...

A:Infected with HTML/Infected.WebPage.Gen

Hi, sorry for the delay in getting back to you. If you still need help, please do next:

Click here to download HijackThis.
Save HJTInstall.exe to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
By default it will install to C:\Program Files\Trend Micro\HijackThis
After the final dialogue box it will launch HijackThis.
Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post me it in your next reply.


Hi,
My friend brought me her HP laptop a few weeks ago because it had a virus. I saw Security Suite stuff pop up all over, and you couldn't run ANYTHING, so I used the instructions on this site to get rid of it. I thought it was gone but she brought her computer back to me a couple of weeks ago because she was getting popups again. Btw, she actually paid the security suite site thingy 80$. I'm having her go through the steps to get her money back for that now. So I rescanned with AVG and malwarebytes and it didn't come up with anything. I kept the computer for a few days and used it like normal but got no popups so I gave it back to her. So about a week ago she gave me back the computer as the IE would not work. So I scanned it again and both malwarebytes and AVG came up with a couple of things and got rid of them. So now I'd like to see if the computer really is clean. Also, I'd like to know what she needs on here to keep the computer clean?? She scans with both AVG and malwarebytes but I'm not sure that is enough if she keeps thinking she's getting infected. I know she does a lot of facebook apps.

Also, this computer absolutely refuses to scan gmer. The first time I downloaded and ran it it scanned for about an hour then spontaneously the computer shut down. I didn't see any messages because I wasn't paying attention to it when it shut down. So the next day (today) I tried to scan again and it stopped very close to the ...

A:Was infected with security suite, re infected?

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
Do not d...

I have a badly infected computer that I would like to make a copy of the whole system to mail to one of the av/am vendors. I think it has some new variants on it. Can the drive itself become infected so that I may not be able to trust that anything else I create with this drive will not be also infected? While this drive is not really expensive I do not really have the finances to casually replace it.

A:Can a USB Cd/rom be infected plugging into a infected system

Hello dannyboy950:

If your computer is badly infected, then backing up the system will just copy the infections to any backup DVDs, which you obviously know.

I don't think you need to worry too much about your external DVD drive being infected, per se. That would only happen if one or more of the infections could compromise the DVD firmware or the USB driver(s). You should be aware though that many variants of viruses and malware will disable the Windows Volume Snapshot Service (VSS) which will prevent the creation of backups and system restore points.

My advice would be to follow the directions here and submit a Farbar Recovery and Scan Tool (FRST) log to the trained Bleeping Computer Malware Response Team members in the Virus/Trojan/Spyware and Malware Removal Logs Forum. You should be aware that the anti-malware response community shares their information with other anti-malware/virus vendors and experts. If you have been infected with zero-day malware and/or viruses, that information will be shared with those concerned. Importantly, we need to restore your computer to full functionality, so I do recommend that you get it "disinfected" here.

I hope this is of some help. Forum rules prohibit the posting of FRST logs in this particular Forum - they are only dealt with in the Forum I mentioned. I am still in training, so I won't be able to assist you in the other Forum. Have a great day. ...

I'm not sure what caused this as I didn't do anything out of the ordinary with my computer yesterday, but when I opened up itunes a message popped up from my anti-virus avg saying there were infected files in itunes by a trojan. I then clicked to heal them and when I tried opening up itunes it wouldn't let me because some files were missing so it wouldn't start. I figured something was wrong so I started scanning my computer to see what I could find. First I used Malwarebytes' anti-malware and that didn't find any infections, then I scanned it with avg and that found over 500 infections, not all of them were serious ones but some of them were trojans with itunes files.

This morning I tried uninstalling and then reinstalling itunes thinking that might solve the problem, but it didn't work and itunes still won't start. I hope someone can help me solve this problem as I am not the best when it comes to computers. If you need anymore info please just ask.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Zac at 7:40:37.82 on Sat 07/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.388 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe...

A:Trojan infected itunes may have infected more

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

heyy guys, okayy so about a month ago a trojan managed to get onto my netbook and I scanned with malwarebyte antimalware and super antispyware in safe mode which seemed to fix it for the most part, but I'm still getting some problems and avast, mbam and superantispyware are all coming up clean. the worst thing is my internet just cutting out after about 40 minutes of use, wireless zero configuration turns itself off and will not turn on and one of the svchosts using way too much memory and cpu, but I can't turn it off because that just messes up my netbook. soo yeah some help would be great cuz this is really getting on my nerves.

Today, I used a pendrive of a friend on my computer, I had auto folder open on. The folder opened and later to find nothing on the pendrive but only a E:\ folder inside the pendrive, then when I clicked hidden items viewable, I saw the pendrive logo I went inside transferred my important document since it needed an immediate printing.

My computer has turned very slow following that and there are various hidden documents now on my desktop like $w_microsoft.docx which are of names of files I had deleted long ago and several other files which I had created and used long back but never used in the near history.

Please help me fix this, remove the virus and get back to my old computer speed.

Thanks a lot for help in advance

----FRST LOG-------

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:06-05-2016
Ran by ASRLAPTOP (administrator) on DEEPAK (05-05-2016 18:57:15)
Platform: Windows 10 Home Single Language Version 1511 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

A:I think i have been infected by a worm from using an infected pendrive, need hel


I too was recently infected with XP Security Tool 2010 and I used the fix described on BC. I installed Malwarebytes and FixExe.reg. This seemed to get rid of the problem. But very soon after each time I clicked on any link on Google on Firefox or Internet Explorer I am redirected to seemingly random advertisement websites. I also use Avira Antivirus protection and it pops up saying: HTML/Infected.WebPage.Gen in file C:\Documents and Settings\Network Service\...\2[1].php. If I catch the Avira popup and click remove it will Quarantine. However within 2 to 6 hours it returns.

Have copied and pasted DDS.txt log, gmer.txt log, OTL.txt log, Systemlook.txt log and TDSKiller.txt log. Also attached the attach.txt file and gmer(ark) txt file. Sorry, did not untick the IAT/EAT box in gmer. Those are the logs myrti requested from toomuchpoison.

Hope I didn't overdo it.

Thanks,
Majazzle

DDS.txt log

DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 16:47:53.63 on Thu 04/29/2010
Internet Explorer: 8.0.6001.18904 BrowserJavaVersion: 1.6.0_18
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1915.1050 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\...

A:Infected with HTML/Infected.WebPage.Gen


When Windows loads, the "performance monitor" component for the optimizer pro virus claims that 375 items need to be cleaned and optimized. Closing it out does not reactivate it. McAfee also frequently pops up, preventing unwanted software from running. Below is a copy paste of frst.txt and attached is the addition.txt file. Thank you.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:27-08-2015
Ran by teacher (administrator) on RM305-PC (28-08-2015 01:27:23)
Running from E:\
Loaded Profiles: teacher (Available Profiles: Rm305 & teacher)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 9 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Nalpeiron Ltd.) C:\Windows\SysWOW64\ASTSRV.EXE
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Microsoft Corporation) C:\Windows\SysWOW64\rundll32.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
(McAfee, Inc.) C:\Windows\System32\mfevtps.exe
(SMART Technologies) C:\Program Files (x86)\SMART Technologies\Education Software\SMARTHelpe...

A:Infected with Optimizer Pro and pop says I am infected with viruses


Hello computer gods,

I'm hoping you can fix my problem. I've been infected with drsmartload, and I ran smitfraudfix. It said that it cleaned it up but it's still popping up as infected and I'm getting ridiculous adware and project 1 boxes. I will post my "hijack log" and hopefully this is the right forum, if not please redirect me. I'm looking forward to getting rid of this "Freakin" thing.

Cheers
M

SmitFraudFix v2.109

Scan done at 20:14:36.00, Tue 10/10/2006
Run from C:\Documents and Settings\Magg\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\drsmartload?.exe Deleted
C:\WINDOWS\keyboard1.dat Deleted
C:\WINDOWS\newname.dat Deleted
C:\WINDOWS\teller2.chk Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

A:Infected With Drsmartload Used Smitfraudfix Still Infected


Bit of a weird 1.

Turned on my machine today, went to the toilet and came back and Avast was asking to restart my computer and do a full scan from boot up. I said yes but cancelled it because it was taking too long.

I go look in virus chest and I noticed that tier0_s.dll from my steam folder is sitting in there, and that it was transferred in there today. But where it says "Virus description", it says "--no virus--"

What does this mean? Is it some kind of false positive? Did I screw things up by cancelling the scan?

A:Avast says I have an infected file...which isn't infected

O.k, bit of research and looking on the Avast forums and it looks like it's a false positive


Hi

I've had a few viruses named HTML/Infected.WebPage.Gen recently and I would normally be able to remove them myself using hijack this. But unfortunately hijack this isn't working for me and is coming up with an error. My anti virus is finding the viruses and I am removing them with the anti virus but they keep coming back.

As soon as I click hijack this this message appears:

For some reason your system denied write access to the Hosts file.
If any hijacked domains are in this file, HijackThis may NOT be able to fix this.
If that happens, you need to edit the file yourself. To do this, click Start, Run and type:
Notepad "C:\Windows\System32\drivers\etc\hosts"
And press Enter. Find the line(s) HijackThis reports and delete them.
Save the file as "hosts." (with quotes), and reboot.

I have tried to do as it says above but another error message tells me that I am unable to save the file.

I then click "OK" and then this error message appears:

An unexpected error has occurred at procedure:
ModMain_CheckOther1Item()
Error#75 - Path/File access error
Please email me at [email protected], reporting the following:
*What you were trying to fix when the error occurred, if applicable
*How you can reproduce the error
*A complete HijackThis scan log, if possible

It then produces the Hijack scan, so then I proceeded to fix the files that I think may need fixing which are these files:

BHO: thesuperads search enhancer: {b2fe5f61-3eb4-4e22-7c84-f52993635f52} - c:\wi...

A:Infected with HTML/Infected.WebPage.Gen

Ok after reviewing the DDS log I now have removed the virus lol but I still haven't worked out what's wrong with my hijackThis?

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us want someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, pl...


Every 10 minutes or so, a red pop up box appears saying my computer is infected and asks if I would like to remove - it is called PC Security Guardian. Then a minimized window opens and says "PC Guardian has detected suspicious software - click to remove."

There was no data from the GMER scan, so the ARK.txt log will not attach.
DDS.txt Log:

.
DDS (Ver_2011-06-03.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Dunigan at 18:50:36 on 2011-06-08
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2739 [GMT -5:00]
.
AV: Norton Internet Security *Disabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService

A:Infected with a pop ups saying computer is infected followed by a pig squeel


A:Was Or Is Infected Infected With Torpig.c.trojan (or The Like)

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


A:Infected Wih Html/infected.webpage.gen

Hello Braco and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately and. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log. Please also post the problems you are having.

If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,
Johannes


Hi,
I have tried a few different anti virus downloads to try and rid my computer of the virus to no avail. Even purchased one which I know now was also a fake.

Rick
Rootrepeal_report_08_30_09__20_35_13_.txt   5.08KB

A:Infected with Fake virus infected pop ups


I'm at the end of my rope here. A "friend" gave me her computer to clean up. The thing was so full of malware it was unbelievable. I've got most of it, but there is this one nasty bit of adware "Cool Web Search" that remains... I've tried running the latest versions of Ad aware, Spybot, and CWShredder. They seem to find and remove the cool web stuff, but when I shut down and start up again, it's back. I've gone to the trend micro site, but I keep getting a .dll error when I start downloading the definition files.

When I shut down, the machine hangs and tells me that it is waiting for a response from "Win Min".

It also occasionally freezes on startup, leaving me with a blue screen and a mouse pointer stuck in the middle. (This seems to be mitigated somewhat if I move the mouse around during startup!)

The log file from this machine is as follows.

Logfile of HijackThis v1.99.1
Scan saved at 10:03:03 PM, on 25/04/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

A:Infected Windows Me PC Hangs on Shutdown - "Win Min" infected with Cool Web Search

Hi and Welcome
It may help you if you print out or copy this page for easy reference. Make sure to work through the fixes in the exact order it's listed. These instructions only apply to HJT v1.99.1

Please Keep your browser and all open programs closed (except firewalls and antivirus) when you are carrying out the fixes.

Download any of the required programs before attempting to start any of the fixes.

Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check "Turn off System Restore", <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may re-enable System Restore and create a new restore point.

SHOW HIDDEN FILES AND FOLDERS.
To show hidden files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
------------------------------------------------------------------

Download and run CWShredder (check for updates) for a preliminary cleanup first. Some files below may not be present after running the above programs. Full instructions below.

How to install and run CWShredder

Choose the stand alone version. This is free.
Save cwshredder.exe into its own directory, NOT in a TEMPorary folder or on the DESKTOP.


Hi
As my title suggests my bro's laptop has this annoying infection.
I have Avira like my logs will say and the infection seems to be in a firefox profile. (Can I reinstall Firefox to fix my problem?)
I use Firefox but my brother IE 8 (and so IE is default).
At random times and when connected to Internet, a popup appears with usually
the X button in corner and it will go for a variable amount of time.
Avira btw cannot get rid of it and in fact does not even find it after scanning with maximum options.
This also happens sometimes much rare tho: A message appears telling I have an infected computer and wants me to press OK and scan using IE. I click X and once it opened IE with scanning screen. I click X ASAP.

One more issue: Firefox sometimes will say "Firefox has stopped working.."
and that it will close. Right away a balloon pops up in tray telling me the browser was closed to protect me from Data Execution Prevention.

Avira sometimes at random times pops up saying Virus or unwanted program was found, right? It asks me what to do with this file.
Move to quarantine
Delete
Overwrite and delete
Rename
Deny access
Ignore

I usually picked delete or deny access
It found the virus in this file:
C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\jfyfitzg.default\Cache\34F11269d01

I understand I have Limewire. My brother uses it...

A:[SOLVED] Infected with HTML/Infected.WebPage.Gen HTML script virus


Here are a few things that may be relevant to the problem:

1) Computer unable to access certain websites. (Ex: yahoo, facebook, etc.)
2) I did a scan and my computer is supposedly infected with "zlob" and "adware.IpWins"
3) My computer is running significantly slower than a few weeks ago.
4) Tons of random pop-ups that I did not have a few weeks ago.
5) Full system Scanned with Lavasoft's Ad-Aware but problem persists.

Here is my HJT log:
--------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:18 PM, on 9/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG...

A:Computer infected with spyware. Infected with "Zlob"?


hello ,
I was infected by virusburst and I did lots of instructions to solve my problem. I used malwarebytes anti malware and it cleaned all infected files but now my problem is the internet explorer still not working and even starting any more,
and in mycomputer each folder opens in its own window even in options it's marked to open in the same window
but I don't see any fake alert any more,
I'm using windows vista and now opera browser, each browser that I marked as default browser stopped working (internet explorer and mozilla),
I don't know which kind of log I should post here so I wait for your requests.
I just wanna know if I'm still infected and what should I do ???
thank you for helping me !!

A:I Was Infected By Virusburst.am I Still Infected ?

1 more replies

I think my computer is on a couple different botnets, and I wouldn't be surprised to see other viruses =/
Any help would be greatly appreciated.
Edit: sorry, I didn't see the rule of what virus I had was supposed to go into the title until it was too late.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:11 PM, on 6/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files...

A:Desktop infected/ Infected with a bot

20 more replies

I recently replaced my old desktop with a new desktop and when I made the switch the old computer was infected... here was the thread
http://www.bleepingcomputer.com/forums/t/615738/flashplayerexe-virus/

My new desktop attempted to download the flashplayer.exe file but was stopped by chrome. However, there was a file (crownload something or other) and malwarebytes did remove this file.

Today on the new desktop, I had a popup that said URGENT CHROME UPDATE.  I immediately hit ALT F4 to close out chrome.  The fact this popped up makes me suspicious that something is still not right or this computer is infected.

Any help is appreciated.

More replies

Hi I have posted to this site and have received great help and I am now suffering some issues again. After I received help last time everything was ok and then I started having problems so I just switched hard drives. I am now back on my hard drive and reset it up but now I think my computer is infected again. I have not downloaded any torrents files which was my problem last time. I installed Antivirus and Zone Alarm before going on the Internet and have made sure to only download from CNET as far as I can remember. I don't know what I'm doing wrong to keep getting infected, if in fact I am. So because I had received help previously with most of the same issues and with the advice of dell customer service I ran combofix. Here is that log. I have WindowsXP, Dell Dimension 3000, Avast Antivirus, ZoneAlarm. If this is the wrong place to post this could you please point me in the right direction. Thank you so much for your help.

ComboFix 10-08-24.0A - Owner 08/25/2010 2:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.670 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\1pdfdec.dll
c:\program files\Common Files\Temp
c:\program files\Common Files\Temp\Love's Power Mahjong SETUP....

A:Still Infected/Re-Infected, Combo Log

7 more replies

My laptop got infected and I've slowly been able to clear most of viruses out of the system. Each time I clear something out, something else shows up the minute I try to get online. The last scans I've done haven't picked up anything else but I'm still getting redirected to other sites every time I try to perform a search on the internet. I don't know how to find what's causing it now.
hijackthis.log   11.51KB
Help please!!!
Tried running scans again, still showing clean but I got this message from norton, "An intrusion attempt by wwww.angrye.in was blocked". After I did the scan I went online to test out to see if I was still getting hijacked, that's how this message popped up. It also said, "The attack was resulted from \DEVICE\HARDDISKVOLUMNE2\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE" Help!!!
EDIT: Posts merged ~Budapest

A:Infected,Removed and still Infected

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

2 more replies

Hi, this is my first time posting here.

I'm running Windows XP Pro SP2, and my computer has a virus that, at first, was giving me a tool-tip-like message from the system tray saying "Your computer is infected! ..." and something about installing a scam antivirus program. I've done a lot of searching for this issue and have seen many cases of it. Posts on other forums offered specialized programs like "Smitfraudfix.exe" and others that I was unable to get to work.

I've updated my Java (which stopped the annoying "Your computer is infected!" popup), removed my Temporary Internet Files, and run Avast! and Avira every time I restart my computer, but each time there seems to be malware that needs removed. Can someone please help me clean this virus / trojan off of my machine completely?

Thank you for your time, here is a HJT log from the time of this post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:53 PM, on 9/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

A:"Your computer is infected!" Popup message. Computer infected with Trojan

16 more replies

Hi,
My daughter uses this computer and I have no idea what she may have gotten in to.
I am running Windows 7 Home Premium.
I have McAfee Total Protection.
McAfee has detected and quarantined or removed various threats.
I have also been using Malwarebytes over the years, but had not run recently.
I recently tried to run malwarebytes and it will not update and then windows gives me an error with a Problem signature:
Problem Event Name:    APPCRASH.
I went to malwarebytes forums to try to figure it out, but it led me back to BleepingComputers, so I figured I would continue here. You folks have helped me several times over the years and for that I am grateful.
Alan

A:Am I infected

34 more replies

Please review my HJT and Avira and let me know if anything looks suspect. My computer has been booting and shutting down extremely slowly. Also Avira has found 2 hidden objects. Thanks for your help in advance XD. Here are my scans:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:16:20 PM, on 7/30/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\e...

A:Am I Infected?

15 more replies

System is running slow.  Browser startup page keeps going to a search screen titled Tuvaro instead of yahoo.com.  Malwarebytes suddenly will not run.  Malwarebytes services that are set for auto/start are listed as terminated and will not allow a restart.  Trend Micro finds nothing in its scans.  Eset online found several items (quarantined).  Super-Antispyware found several hundred things (all quarantined).  Yet, the problems still exist.  Please advise.

A:I think I am infected.

Hello and welcome to BleepingComputer!

I am Elle and I will be helping you out with your problem. Firstly, you should know that we are working with specific tools which are used to identify the possible threats present on your system so I will analyze the results they produce.

As a start we need to have some more up-to-date logs than the ones you have already provided. The current state of the files on your system might have changed so we need to get a clear look on that aspect. DO NOT bring any changes to the system except the ones I tell you to as that may produce more damage than helping us.

If you will encounter a delay of over 2 days from me, please don't hesitate and private message me (link in the signature).
Do not forget to check your topic periodically and subscribe to it so that you can receive notifications regarding my replies.

Thank you very much for your patience.

Regards,

Elle

17 more replies

Hi,
I'm having the same issue that I described in my other thread: http://www.bleepingcomputer.com/forums/t/540642/infected-rundll32-file/
While I'm not experiencing any problems with my computer right now, it still seems that there may be some sort of malware on it, and I would like to get rid of it.

Here is a link to my DDS log: http://pastebin.com/s0f8sFtX

A:Not sure if I'm still infected

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/541834 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t...

19 more replies

My virus protection keeps finding a bgotrtu0.dll file on restart and removes it. Anyone help me with removing whatever is creating it? I have XP Pro with all service packs up to date. F-prot virus, malwarebites & superantispyware up to date as well.
Pearldiver57

A:Am i still infected?

1 more replies

My machine is suffering from a bug of some sort that won't allow my Zone Alarm Security Suite to run, won't allow regedit to run, won't allow hijackthis to run, etc, etc. The apps start but stop after a brief glimpse of their startup window

I have run Spybot and it revealed a number of potential issues. the ones that seemed to be important were Microsoft.WindowsSecurityCenter_disabled, Microsoft.Windows.RedirectedHosts. these are removed but come back. The internet explorer homepage was also changed

Can anyone help?

A:?? Infected

Hi, Welcome to TSG!!

Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

2 more replies

I'm not sure what happened but... today I downloaded from a P2P service. u_u Yeah, I know but I didn't think anything would happen as always. So the file itself was really big but I didn't install it at all, just extracted it. I was going to install it and block sites using my HOSTS File, etc but then I had to leave. So I turn off my computer for a few hours then come home to a message saying my hard drive has limited space. So I check it and I had about 2MB left on my 48.8GB hard drive which was weird since I'm sure I had upwards of 20 before I left? Don't quote me on it but I know there was a lot of room. So I delete the exe file that I downloaded to free up some space and managed to get 5GB of free space... but that's still not that much.

So I'm not sure if I'm infected with something that filled up my hard drive? Or... I'm not sure but I really just want to check and make sure nothing abnormal is going on.

A:Am I Infected?

Anyone to help? I'd really like to check to see what's going on...

2 more replies

A:Am I still infected?

26 more replies

Can someone analyze my logs

Mod Edit:  Sent "now that you have posted" content in PM - Hamluis.

A:Help i think my pc is infected

20 more replies

HijackThis log, from the Administrator account, in safe mode.

Logfile of HijackThis v1.99.1
Scan saved at 4:55:19 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
G:\MISC\S&D-esque prograns\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: ViewSource Class - {85DDD882-701E-401B-8A7D-D51227048214} - C:\Program Files\Internet Spy\iewatcher.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Mes...

A:Am I Infected?

HijackThis log from my actual account, with admin powers. Sorry for the delay in posting this, had a bad storm, and our internet went out!

Logfile of HijackThis v1.99.1
Scan saved at 8:34:04 AM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\RRIM\aim.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\taskmgr.exe
G:\MISC\S&D-esque prograns\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eqoa.allakhazam.com/forum.html?forum=18
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1 ...

2 more replies

Hello

I just formatted my laptop and repartitioned the HDD. I reinstalled Windows 7 Ultimate, but my PC takes a lot of time to boot.

Below my Configuration and time to start windows

Config Speecy

tempsdemarrage.jpg   18.58KB

Thanks a lot

A:Maybe Infected, please can you help me

Please find below the DDS log and Attach.txt

attach.txt   8.98KB

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17207  BrowserJavaVersion: 10.65.2
Run by Hicham at 22:27:33 on 2014-07-27
Microsoft Windows 7 Édition Intégrale   6.1.7601.1.1252.33.1036.18.8073.2314 [GMT 0:00]
.
AV: ESET Smart Security 7.0 *Enabled/Updated* {19259FAE-8396-A113-46DB-15B0E7DFA289}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: ESET Smart Security 7.0 *Enabled/Updated* {A2447E4A-A5AC-AE9D-7C6B-2EC29C58E834}
FW: Pare-feu personnel d'ESET *Enabled* {211E1E8B-C9F9-A04B-6D84-BC85190CE5F2}
.
============== Running Processes ===============
.
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\IDT\WDM\STacSV64.exe
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\System32\WUDFHost.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe

13 more replies

Hi,

I was infected with something that caused redirects of websites. I was able to (hopefully) remove it with Malwarebytes Anti-Malware (no more redirects). However, I still think I am infected with something because my system is really slow. Also, when I tried running Gmer in Safe Mode (I tried running it in Normal first but it just froze), a blue screen popped up with a message saying something like "ulpqdow.sys" is causing an error or something (it was really really fast) and then the system restarted. Am I infected with something and if so, how do I remove it? Also, did this "thing" come from Azureus? The Azureus folder was modified this morning but I haven't used it in months.

Thank you very much for your help in advance. Here are the requested logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by bin at 11:53:02.30 on Fri 08/06/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_17
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.880 [GMT -7:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
C:\Windows ...

A:Infected with something

Hello bint

Welcome to BleepingComputer

What are the symptoms that you are having?

==========================

Download OTL to your desktop.
Double click on OTL to run it. When the window appears, underneath Output at the top change it to Minimal Output.
Under the Standard Registry box change it to All.
Under Custom scan's and fixes section paste in the below in bold

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

Check the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

23 more replies

Hi,

I have used various anti viruses (ad aware, bit defender, house call and kaspersky) and now SuperAntiSpyware but I still get reoccurring root viruses when doing scans. I ran McAfee Avert Stinger as well. I also get detected: riskware Mass-mailer software Running process: C:\WINDOWS\Explorer.EXE when doing a scan with Kaspersky Anti Virus.

PLEASE HELP. Here is my HiJackThis Log.

Logfile of HijackThis v1.99.1
Scan saved at 23:11, on 2007-07-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\SHVRTF.EXE
C:\Program Files\Logitech\MediaLife\MediaLifeService.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files ...

23 more replies

I've been having issues with my computer slowing down terribly whenever I load and stream videos or games. I have done just about everything. I did a whole computer scan including locked files and it showed that there were over 100 infected but low risk, but AVG wouldn't dispose of the threats because of how low risk they were. I looked into the problem with AVG and they said to redo the scan without including the locked files and that showed that my computer was clean, but it still does not perform as it should. I have used malware programs, jrt, scannow, pc boost software and nothing has helped. If there is anything I can do to help solve this issue it would be greatly appreciated.

A:I Think im infected

http://www.bleepingcomputer.com/forums/t/518596/multiple-com-surragate-slowing-down-computer/
This is where i started

19 more replies

Computer is acting very strange. NOD32 found something, I thought it quarantined it but it doesn't seem to be the case. Here is the log, thank you for checking it.

Edit: Forgot to mention. Scans with some spyware software found Virtumonde and supposedly removed it, but doesn't act like it. Computer can't reboot normally, has to go to last good know a couple times before it finally boots.

Logfile of HijackThis v1.99.1
Scan saved at 9:12:46 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\Sonysys\VAIO Recovery\reminder.exe
C:\Program Files\SONY\sHotKey\sHotKey.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Ad...

A:Am I Infected?

Sorry for the delay, it's been pretty busy here lately.
If you still need help, please post a new Hijackthis log, I'd be happy to take a look at it for you.

2 more replies

I left my computer open one night. When I woke up, someone was opening, closing the folder, pictures etc on my computer. I panicked and shut down the computer. Then, I scanned with a bunch of antivirus programs. Some of them found some malwares and some of them didn't. Of course, I couldn't trust it anymore. I formatted just disk C. By the way, I was purchasing online. Is my credit card in danger?
Anyway, I set up Avast and MBAM after recovery and I scan my computer regularly. However, they sometimes detect viruses(the last ones are svchost.exe and audiobg.exe) and deleting or moving to quarantine. I guess the virus cannot be defeated. What should I do? Are the virus located in disk D? If I format the whole computer(both disk C and D), can I trust it? Thanks.

A:Infected

MBAM still found something in svchost.exe. Isn't there anybody who can help?

24 more replies

Here are the logs

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17207
Run by jol at 12:22:42 on 2014-07-29
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.358.1033.18.8157.6498 [GMT 3:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
FW: Online Armor Firewall *Enabled* {BD3F5FCA-866B-1E2E-0A68-58900A751EA1}
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Online Armor\OAcat.exe
C:\Program Files (x86)\Online Armor\oasrv.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\windows\system32\nvvsvc.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/542600 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t...

2 more replies

Hi, I am not very technical, thank you in advance for any help you can offer. This is what is coming up: BV:AutoRun-J [Wrm]

I have the logs that you say to keep but it won't let me attach them. Oh god, I hope I have done this right, please don't shout at me if I haven't.

regards

PaintedRose

A:Help I am infected

2 more replies

Moderator Elvandil asked me to post my problem here to rule out the possibility of my computer being infected. Please follow the link below to read the XP crashing problems I've been having. I really appreciate your help.

http://forums.techguy.org/windows-nt-2000-xp/618003-progam-crash-windows-xp.html

A:Am I infected???

6 more replies

Hi all,

A couple of days ago while on the net I had the following registry change request from Spybot, which I denied.

27/05/2011 20:06:31 Denied (based on user decision) value "YI9B2F0F3H9GVYWVTSWQVMO" (new data: "C:\systemhost\systemhost.exe") added in System Startup user entry!

This followed Kaspersky (not updated - I know I should have) quarantining x5 'unknownthreat UDS:DangerousObject.Multi.Generic on the 22nd and 23rd of this month.

Further google searches on 'systemhost' took me to this site and some worrying reading. Aside from a couple of unsuccessful attempts for me to link with Firefox browser everything so far seems to be running smoothly.

Spybot Search & Destroy found nothing untoward.
Installed MalwareBytes - ran and nothing found.
Installed and ran SUPERAntiSpyware - 5 tracking cookies found and deleted.
I've also installed and ran DDS and GMER as recommended elsewhere and logs are saved if necessary.

Oh yes I forgot I am using Windows Vista. Anything to worry about?

Hope somebody can put my mind at rest,
Jensen

A:Infected ?

Anything untoward happening at all?

BTW these requests from Spybot search and destroy should be ok, a very trustworthy program.

4 more replies

Not sure if I am infected or not, but noticed over 2 weeks ago that I am losing anywhere from 500mb to 2.5gb of free space on both my internal and external hd's. I have looked through the folders on the external (fewer folders/easier) and could not find anything with that day's date on it.
travis.

A:i think i am infected?

5 more replies

I constantly keep having pop ups from mcafee regarding virus protection

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by VMarie at 8:33:39 on 2014-08-15
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3559.1023 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated*
SP: Windows Defender *Disabled/Updated*
SP: Microsoft Security Essentials *Enabled/Updated*
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe

A:infected but not sure with what

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.16521
Run by VMarie at 8:33:39 on 2014-08-15
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3559.1023 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated*
SP: Windows Defender *Disabled/Updated*
SP: Microsoft Security Essentials *Enabled/Updated*
.
============== Running Processes ===============
.
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k GPSvcGroup
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\7B0A8368-1A6F-48A5-B236-8BD61816B3F9\axsmqwiahk64.exe
C:\Program Files (x86)\Coupons\CouponPrinterService.exe
C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe


http://www.bleepingcomputer.com/forums/topic400297.html/page__p__2267701__fromsearch__1#entry2267701


Hi, I keep getting this Adobe update thing. I had clicked OK, then I get a bunch of optimizer/speed up your computer etc. stuff. I ran malware and it got rid of it, then the Adobe thing keeps coming back. screenshot

Can't see the screenshot? How to post it??

A:think I am infected

Hi conanpriority -
Just try these programs first -
Please print or save these instructions so you do not lose them -

* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Note: If any security program requests permission to access the Internet, allow it to do so.

Next -
Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.
If a log is produced, save it, or post it back here -
Important: Do not reboot your computer until you complete the next step.

* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
* NOW - Click on the Clean button. (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.


Hey friends! I wonder what happened to my com. It changed my desktop pic to none. Even though I've set my own desktop pic, it changes it back to black after a while. What happened? T.T

A:am i infected?

Hello! Did you try to change it back via desktop properties?

Is your computer running rather slow, any other weird signs, or a specific action taken by your security program(s)?


Logfile of HijackThis v1.99.1
Scan saved at 10:14:35 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program...

A:Not Sure If I'm Infected Please Look At Hjt Log And Let Me Know

Hello,

First of all, you didn't unzip/extract hijackthis.. and it's still in the tempfolder. So I strongly advise to unzip/extract hijackthis.zip. Read here how to unzip/extract properly: http://metallica.geekstogo.com/xpcompressedexplanation.html

Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.

How do you make a permanent folder: Click My Computer, then C:\ and then on Program Files. In the menu bar, File->New->Folder. That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

I notice from the log that there are running more than one different Anti-Virus programs with Auto-protect enabled. AVG Antivirus and Yahoo Antivirus.

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously! The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time. Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown. So you have to make a decision here and keep the Antivirus you prefer and uninst...


Ok so my BitDefender went down and none of my shields were active for some reason and I had to reboot to get them back up.. Then eventually I noticed a www.secure.exe running in the background, so I'm not sure exactly what to do or if anything else is on my machine, of course BD says nothing but ya.. Here is my log, any help is appreciated.!!

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:56:06 AM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE

A:Infected?

And I was also trying to figure out what anti-spyware to get so that's why you might see a few, they are trials, and they are uninstalled now. Webroot found two things, but before the scan was done (not that it could remove) my comp rebooted, then I uninstalled, and decided to post here instead...


Logfile of HijackThis v1.99.1
Scan saved at 04:47:11 p.m., on 06/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARCHIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\slserv.exe
C:\Archivos de programa\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ar.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ar.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = V?nculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-...

A:Infected Pc! Help