
Infected with HACKTOOL.ROOTKIT TROJAN.VUNDO TROJAN.PANDEX and TROJAN HORSE

Q: Infected with HACKTOOL.ROOTKIT TROJAN.VUNDO TROJAN.PANDEX and TROJAN HORSE

Desktop Sony Vaio, Windows XP + SP3, 1GB RAM. These four infections - HACKTOOL.ROOTKIT TROJAN.VUNDO TROJAN.PANDEX and TROJAN HORSE periodically try to execute and Norton Security Suite BLOCKS them all. Along with these four, about 16 files are also blocked, all associated - fpq52.tmp (TROJAN HORSE), fpq4b.tmp (HACKTOOL.ROOTKIT), fpq4c.tmp (TROJAN HORSE), fpq4a.tmp (TROJAN.PANDEX), fpq4f.tmp (TROJAN HORSE), fpq4e.tmp (TROJAN.VUNDO), etc. I am presently running Norton Security Suite 4, F-PROT Antivirus, IObit Security 360, SpyBot-SD Resident, SuperAntiSpyware, Malwarebytes and Secunia PSI. These will not eliminate the infections. This PC is a neighbor's which originally had the Windows firewall OFF and greyed out, Firefox Google Hijack and the following infections, which are all now repaired -- HIJACK.WINDOWSUPDATE, Hiloti.B.gen!Eldorado, Trojan2.HZYZ, WORM.BDQA, TROJAN.AGENT.APHZ, ROGUE.AGENT/GEN-NULLO(dll), WORM.BLAH. (I mention these to provide a little background info). There were about 50 Windows Updates that were blocked but now installed. Thanks in advance for your assistance.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Leah at 13:31:16.40 on Thu 06/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.992.95 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: F-PROT Antivirus for Windows *On-access scanning enabled* (Updated) {3F8BAFFE-D251-4DC6-ACF9-81FDF61FB9C9}
FW: Norton Security Suite *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Wireless Desktop\LgWDskTp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\sony\vaio media integrated server\Platform\VMConsole.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\sony\usbsircs\usbsircs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Sony\Giga Pocket\ReserveModule.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Sony\Giga Pocket\shwserv.exe
C:\Program Files\Sony\Giga Pocket\gps.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
C:\Program Files\Norton Security Suite\Engine\4.2.0.12\ccSvcHst.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony\Giga Pocket\RM_SV.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\IObit\IObit Security 360\is360.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\downloads\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\4.2.0.12\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\4.2.0.12\IPSBHO.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
c:\documents and settings\leah\local settings\temp\19bf.tmp\temp00
StartupFolder: c:\docume~1\leah\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\leah\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\program files\quicken\bagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\remoco~1.lnk - c:\program files\sony\usbsircs\usbsircs.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\symant~1.lnk - c:\program files\microsoft office\office\1033\OLFSNT40.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\timerr~1.lnk - c:\program files\sony\giga pocket\ReserveModule.exe
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} - hxxp://esupport.sony.com/VaioInfo.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273979781500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1274060348203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38209.634537037
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll
LSA: Notification Packages = scecli scecli meutwdri.dll scecli
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox+\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox+\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox+\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox+\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox+\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox+\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox+\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox+\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox+\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox+\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox+\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox+\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox+\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox+\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox+\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox+\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox+\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox+\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox+\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox+\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2007-11-14 682840]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-1 28552]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0402000.00c\symds.sys [2010-6-1 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0402000.00c\symefa.sys [2010-6-1 173104]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-5-26 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0402000.00c\cchpx86.sys [2010-6-1 501888]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 67656]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0402000.00c\ironx86.sys [2010-6-1 116784]
R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2009-8-27 75424]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-5-16 311568]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\4.2.0.12\ccsvchst.exe [2010-6-1 126392]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;c:\program files\common files\sony shared\vaio entertainment\vzcdb\VzFw.exe [2006-11-29 86098]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
R3 HSFHWSIS;HSFHWSIS;c:\windows\system32\drivers\HSFHWSIS.sys [2004-3-8 175744]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100603.005\NAVENG.SYS [2010-6-3 85552]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\virusdefs\20100603.005\NAVEX15.SYS [2010-6-3 1347504]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]
R3 SMSCMS;SMSC LPC Memory Stick Host Controller;c:\windows\system32\drivers\SMSCMS.SYS [2004-3-8 58624]
S1 3096cc5c;3096cc5c;c:\windows\system32\drivers\3096cc5c.sys --> c:\windows\system32\drivers\3096cc5c.sys [?]
S1 7f5dbf6;7f5dbf6;c:\windows\system32\drivers\7f5dbf6.sys [2009-5-14 0]
S1 f123f1fd;f123f1fd;c:\windows\system32\drivers\f123f1fd.sys --> c:\windows\system32\drivers\f123f1fd.sys [?]
S2 EventSystemProtectedStorage;COM+ Event System EventSystemProtectedStorage;c:\windows\system32\'e.exe srv --> c:\windows\system32\'e.exe srv [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 135664]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;c:\program files\common files\sony shared\vaio entertainment\vcsw\vcsw.exe -runbyscm --> c:\program files\common files\sony shared\vaio entertainment\vcsw\VCSW.exe -RunBySCM [?]

=============== Created Last 30 ================

2010-06-03 17:41:50 0 ----a-w- c:\documents and settings\leah\defogger_reenable
2010-06-03 05:28:27 0 d-----w- c:\program files\Runtime Software
2010-06-03 05:14:33 49574 ----a-w- c:\windows\system32\ntbackup.chw
2010-06-02 15:11:00 0 d-----w- c:\program files\XrayMyPC
2010-06-02 01:59:57 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-02 01:59:15 0 d-----w- c:\program files\Panda Security
2010-06-02 01:54:33 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-06-02 01:54:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-02 01:05:48 0 d-----w- c:\windows\system32\Adobe
2010-06-02 01:01:07 0 d-----w- c:\program files\Bonjour Print Services
2010-06-02 00:59:48 0 d-----w- c:\program files\Bonjour
2010-06-01 22:39:35 0 d-----w- c:\program files\Secunia
2010-05-29 19:33:03 1355 ----a-w- c:\windows\imsins.BAK
2010-05-29 16:34:39 0 d-----w- C:\VundoFix Backups
2010-05-28 11:04:52 14896 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-05-27 01:54:46 0 d-----w- c:\program files\Mozilla Firefox+
2010-05-26 23:06:24 0 d-sh--w- c:\documents and settings\leah\IECompatCache
2010-05-26 14:44:15 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-05-26 14:44:15 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-05-26 14:44:15 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-05-26 14:44:15 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-05-26 14:38:49 0 d-----w- c:\windows\system32\drivers\N360
2010-05-26 14:38:44 0 d-----w- c:\program files\Norton Security Suite
2010-05-26 14:37:56 0 d-----w- c:\program files\NortonInstaller
2010-05-26 01:50:07 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
2010-05-26 01:41:33 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-05-26 00:01:42 0 d-----w- c:\windows\system32\Registry Patrol
2010-05-24 23:32:56 0 d-----w- c:\windows\Internet Logs
2010-05-24 16:08:10 0 d-----w- C:\inventory
2010-05-24 12:03:54 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat
2010-05-24 03:05:59 0 d-sh--w- c:\documents and settings\leah\PrivacIE
2010-05-24 01:29:54 0 d-sh--w- c:\documents and settings\leah\IETldCache
2010-05-24 01:06:29 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-05-24 01:06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-05-24 01:03:07 0 d-----w- c:\windows\ie8updates
2010-05-24 00:57:17 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-05-24 00:44:05 0 dc-h--w- c:\windows\ie8
2010-05-23 23:48:54 0 d-----w- c:\windows\system32\XPSViewer
2010-05-23 23:44:24 117760 ------w- c:\windows\system32\prntvpt.dll
2010-05-23 23:44:23 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-05-23 23:44:23 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-05-23 23:44:23 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-05-23 23:44:23 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-05-23 23:44:22 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-05-23 23:44:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-05-23 23:44:19 0 d-----w- C:\e7db089497e30d0476eea99ce339f677
2010-05-23 16:14:54 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-05-23 16:14:04 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2010-05-23 16:14:04 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2010-05-23 16:13:49 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2010-05-23 16:13:47 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-05-23 16:13:20 128512 -c----w- c:\windows\system32\dllcache\dhtmled.ocx
2010-05-23 16:03:32 15064 ----a-w- c:\windows\system32\wuapi.dll.mui
2010-05-22 00:12:07 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-20 11:58:56 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-20 11:56:09 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-20 11:56:08 0 d-----w- c:\docume~1\leah\applic~1\SUPERAntiSpyware.com
2010-05-20 11:50:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-19 22:10:48 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-05-19 22:04:55 0 d-----w- c:\program files\Lavasoft
2010-05-19 05:24:01 0 d-----w- c:\docume~1\leah\applic~1\CheckPoint
2010-05-19 05:22:32 0 d-----w- c:\program files\Conduit
2010-05-19 05:22:06 0 d-----w- c:\program files\CheckPoint
2010-05-19 05:21:45 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-19 04:35:49 0 d-----w- c:\windows\system32\NtmsData
2010-05-19 02:52:02 0 d-----w- c:\program files\VS Revo Group
2010-05-17 05:17:18 0 d-----w- c:\docume~1\leah\applic~1\Uniblue
2010-05-17 04:53:24 0 d-----w- c:\program files\ACW
2010-05-17 00:43:13 0 d-----w- c:\docume~1\alluse~1\applic~1\IObit
2010-05-16 13:44:26 0 d-----w- c:\program files\CCleaner
2010-05-16 02:55:32 0 d-----w- C:\Google
2010-05-16 02:35:10 0 d-----w- c:\docume~1\leah\applic~1\Malwarebytes
2010-05-16 02:34:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 02:34:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-16 02:34:52 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-16 02:34:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-16 01:04:06 0 d-----w- C:\downloads

==================== Find3M ====================

2010-05-16 01:03:40 4791 ----a-w- c:\windows\Bdawadava.dat
2010-03-25 01:14:00 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-03-25 01:14:00 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-03-25 01:14:00 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
1998-12-09 02:53:54 99840 -c--a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 -c--a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 -c--a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 -c--a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 -c--a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 -c--a-w- c:\program files\common files\IRASRIAL.DLL
2009-04-23 17:04:50 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009042320090424\index.dat

============= FINISH: 13:33:07.87 ===============
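The SERVICES / DRIVERS section of a DDS log like the one above is where a helper looks first when an antivirus keeps re-detecting a rootkit driver: entries started at boot (S1/R0) whose names look randomly generated, whose image file DDS could not find on disk, or whose image is zero bytes stand out from vendor drivers with a real path, date and size. The following Python triage is an added example, not part of the original thread and not a DDS feature; it parses entries in the DDS format and flags those indicators for analyst review rather than issuing a verdict. The sample input is constructed from eight lines copied from the log above; the reading that DDS prints "path --> path [?]" when it cannot stat the image file is the author's assumption about the tool's output format.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: eight SERVICES / DRIVERS lines copied from the DDS log
# posted above, one entry per line (the scraped copy had run them together).
SAMPLE_DDS_SERVICES = r"""
R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2007-11-14 682840]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 3096cc5c;3096cc5c;c:\windows\system32\drivers\3096cc5c.sys --> c:\windows\system32\drivers\3096cc5c.sys [?]
S1 7f5dbf6;7f5dbf6;c:\windows\system32\drivers\7f5dbf6.sys [2009-5-14 0]
S1 f123f1fd;f123f1fd;c:\windows\system32\drivers\f123f1fd.sys --> c:\windows\system32\drivers\f123f1fd.sys [?]
S2 EventSystemProtectedStorage;COM+ Event System EventSystemProtectedStorage;c:\windows\system32\'e.exe srv --> c:\windows\system32\'e.exe srv [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-15 135664]
"""

# Entry shape: "<start> <name>;<display>;<image path> [<date> <size>]"
# or, when the file is not on disk: "... <path> --> <path> [?]"
ENTRY_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
HEX_NAME_RE = re.compile(r"[0-9a-f]{6,8}")  # e.g. 3096cc5c, 7f5dbf6
# Conservative alphabet for an image path; anything outside it is worth a look.
SAFE_PATH_RE = re.compile(r"[A-Za-z0-9 :\\._~()&+\-]+")


@dataclass
class Finding:
    start: str
    name: str
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Tuple[str, str, str, bool, Optional[int]]]:
    """Return (start, name, image, missing, size) for one DDS entry, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    path, meta = m.group("path"), m.group("meta").strip()
    # Assumption about DDS output: "-->" plus "[?]" means the image could not be stat'ed.
    missing = "-->" in path or meta == "?"
    size: Optional[int] = None
    if not missing:
        parts = meta.split()  # "<yyyy-m-d> <size>"
        if len(parts) == 2 and parts[1].isdigit():
            size = int(parts[1])
    image = path.split("-->")[0].strip()
    return m.group("start"), m.group("name"), image, missing, size


def triage(text: str) -> List[Finding]:
    """Flag service/driver entries that deserve analyst review; not a malware verdict."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        start, name, image, missing, size = parsed
        f = Finding(start, name, image)
        if HEX_NAME_RE.fullmatch(name):
            f.reasons.append("random-looking hex service name")
        if missing:
            f.reasons.append("image file not found on disk")
        if size == 0:
            f.reasons.append("zero-byte image file")
        if not SAFE_PATH_RE.fullmatch(image):
            f.reasons.append("unexpected character in image path")
        if start == "S1" and (missing or size == 0):
            f.reasons.append("system-start driver with no valid image")
        if f.reasons:
            findings.append(f)
    return findings


def flagged_names(text: str) -> List[str]:
    return [f.name for f in triage(text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_SERVICES):
        print(f"{f.start} {f.name}: {f.image}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Run against the sample, the three S1 drivers with hex names and the service whose image path contains a quote character are reported, while the F-PROT, SUPERAntiSpyware, Windows Defender and Google Update entries pass. The same parser works on any DDS services section pasted into `triage()`; the flags are starting points for the GMER or file-system checks the helpers on this thread ask for, not proof that an entry is malicious.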


A: Infected with HACKTOOL.ROOTKIT TROJAN.VUNDO TROJAN.PANDEX and TROJAN HORSE

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


I don't think that the performance of my computer is being affected much, if at all by this problem, but I would like to nip it in the bud before it can become an issue. I have Symantec AntiVirus and it pops up every hour or so with two things: one is a Hacktool.Rootkit located somewhere within my systems2/drivers location and is always something different ending in .sys, and the other is a Trojan Horse found in the TEMP folder with a varying name like BNxxx.tmp. The BNxxx.tmp files I can delete manually, but they keep getting created and the .sys files are deleted by Symantec AntiVirus but another one with a different name comes along with each new scan. I think that is about all there is to this problem so far, but if you have any questions feel free to contact me and I'll answer them to the best of my ability.

DDS (Ver_09-03-16.01) - NTFSx86
Run by peardh8 at 11:28:07.41 on Wed 03/25/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_06
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2014.943 [GMT -4:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec\Symantec Endpoint P...

A: Infected with Hacktool.Rootkit and Trojan Horse

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructio...


Hi. I've been infected with the Hacktool.rootkit and a Trojan Horse. Every 5 minutes or so, Norton Antivirus comes up with a box saying that it's detected these two problems. It then says that it's deleted them but the message appears about 5 minutes later. I can only assume it's replicating itself somehow?
Please could you tell me how to remove it. I'm at a loss.
DDS (Ver_09-03-16.01) - NTFSx86
Run by Lee Bell at 17:23:23.23 on 03/04/2009
Internet Explorer: 8.0.6001.18372
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.3071.2194 [GMT 1:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Updated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.... Read more

A:Infected with Hacktool.rootkit and Trojan horse

hi,

sorry for delay, no shortage of posters. If you still need help post back.


My AVG and Avast have picked up these trojans: Trojan horse BHO.EIZ, Trojan horse Vundo.T and Win32/Heur. I have tried the Panda site but it wouldn't scan for me, so then I came to this site to see if someone could help me. I have followed all the steps on the preparation page. When I did step 5 it didn't find anything and wouldn't let me copy a log to paste to you.

MAIN.TXT

Deckard's System Scanner v20071014.68
Run by AuSSie` on 2008-06-15 07:48:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- Last 5 Restore Point(s) --
11: 2008-06-14 16:17:42 UTC - RP145 - Windows Update
10: 2008-06-14 09:57:20 UTC - RP144 - Windows Update
9: 2008-06-14 09:43:37 UTC - RP143 - Restore Operation
8: 2008-06-14 09:31:30 UTC - RP142 - Restore Operation
7: 2008-06-14 06:26:17 UTC - RP141 - Windows Update

-- First Restore Point --
1: 2008-06-10 06:01:26 UTC - RP134 - Scheduled Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as AuSSie`.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:34 AM, on 15/06/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Motorola\SMSERIAL&#... Read more

A:Infected With Trojan Horse Bho.eiz Trojan Horse Vundo.t Win32/heur

Hi

First ... you should NOT be running 2 anti-virus programs, they will conflict ... choose between AVG8 & Avast ... keep one & uninstall the other ...

Second ... with the malware showing in your log, I find it hard to believe that the Kaspersky Online Scan found nothing if set to scan My Computer ... If it was not set to scan My Computer, please run it again...

THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
or here :-
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.

THEN ...

Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

EDIT ... What are th... Read more


Well oh well. My sister's computer got infected by Hacktool.Rootkit, dunno what the hell she downloaded but it's kinda a pain in the ass to remove it.

It's kinda infecting each file I think, so do you guys know a software that actually removes it? I tried Norton, updating virus definitions and etc. and it couldn't erase it..

This stupid virus is irritating me..

Wonder if a firewall helps? Or any other program that helps to delete this ugly disturbing trojan?

- Looking forward to an answer
Thx!

A:Hacktool.rootkit Trojan Horse

http://www.symantec.com/security_response/...-011710-0057-99

Hacktool.Rootkit comprises a set of programs and scripts that work together to allow attackers to break into a system. If Hacktool.Rootkit is detected on a system, it is very likely that an attacker has gained complete control of that system. All files that are detected as Hacktool.Rootkit should be deleted. Infected systems may need to be restored from backups or patched to restore security.

The presence of Hacktool.Rootkit implies that the security of the system has been compromised. The system should be restored from known clean backup copies or patched to restore security.

--------------------------------------------------------------------------------

If you would like another opinion, post a HijackThis log in the HijackThis Forum. NOT IN THIS FORUM.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/


Here I ran the hijack thing and the result is below

Logfile of HijackThis v1.99.1
Scan saved at 8:13:00 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files&#... Read more

A:Hacktool.rootkit Trojan Horse

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
Hide extensions for known file types
Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
Show hidden files and folders
Click Apply and then click OK

Then please upload this file:
C:\WINPENJR\win32\custom.exe
To either jotti or virustotal

Download GMER by GMER from here
Unzip it to a folder on your desktop
Double click on gmer.exe to launch GMER
If asked, allow the gmer.sys driver load
If it warns you about rootkit activity and asks if you want to run scan, click OK
If you don't get a warning then
Click the rootkit tab
Click Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerrk.txt
Click on the >>> tab
This will open up the rest of the tabs for you
Click on the Autostart tab
Click on Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerautos.txt
Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

Post back with the jotti/virustotal result, the gmer logs and a new HijackThis log


Hi, I suddenly have a big problem.

For the five months I've had this computer (Windows XP Professional), I've been running Symantec Antivirus, frequently updating, and it very rarely told me there was anything wrong.

Now, all of a sudden:

- Whenever I boot up, Symantec's Autoprotect says it's detected and deleted a piece of malware, usually Trojan.Vundo or Hacktool.Rootkit. And at other times it tells me it's detected either 1, 3, 149, or 151 such files. So, I think I acquired both of these at once somehow.

- Also, sometimes it goes through these periods of telling me every 10, 20, 30 minutes or so that it has found and deleted another Trojan.Vundo.

- The time it takes to boot up has been getting slower and slower...but today it was very fast again.

- Firefox windows pop up frequently, advertising stupid things. And it changed my Firefox homepage to google.

- In the tray, a red circle with an X pops up a balloon telling me "Self-restoring Trojan virus that can lead to total system crash has been detected on your PC. Click here to install latest Antivirus Protection Software and remove all viruses on your PC."

- This has been going on for about a week. Two days ago, I started getting IE popups too, so I used the Control Panel Add/Remove to remove IE, since I never use it anyway....but I continue to get IE popups.

So, the only thing I have so far done is to run HijackThis, though I have also downloaded Malwarebytes' Anti-Malware... Read more

A:Trojan.Vundo and Hacktool.Rootkit


Hello all,

My laptop was hit with a multiple virus infection while using Firefox.
Symantec seemed to have taken care of things at the time but I was still having some problems, and it didn't seem to be able to get rid of TDSS. I disabled system restore and tried to clean the registry manually, but wasn't able to find all the entries listed on the Symantec site. I disabled the TDSS driver via the control panel.
MBAM wouldn't install, so I tried Spybot which found a few other issues. Finally I was able to install MBAM and HJT from a disc, and connected back to the internet again briefly to update both.
I ran CCleaner then MBAM in safe mode and MBAM seems to have cleaned everything (both MBAM and HJT scans looked ok afterwards, though there are still a few entries in the HJT log that look suspicious to me).
Everything seems to be fine now, and I proceeded to uninstall the old Java updates, got all the latest Windows updates, and then turned system restore on again.
I'm basically looking for some advice on what to do to make sure everything is in fact gone as there are those few HJT entries that look suspicious to me.
Thanks in advance!
DDS (Version 1.1.0) - NTFSx86
Run by mo at 16:50:17.96 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2532 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ====... Read more

A:Multiple Virus Infection: Trojan.Vundo, Trojan.VundoH, Trojan.BHO, Trojan.TDSS, Trojan.Agent, Trojan.Downloader, Malware.Trace...

My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess, simply post back with your question, and we will go through it again. This seems like a tech issue and not a malware problem, but let's take a look and see what we find.

Sorry for the delay, please do the following...

ComboFix
Please download ComboFix from Here or Here
* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License A... Read more


Lately my computer has been exceptionally slow. Blue screens a time or two. I've recognized a few other suspicious things such as 'Service Distribution Software 3.0' trying to install at 3 am for the past 2 weeks. I also looked at my ReportingEvents.log and noticed that even though Microsoft updates were downloading successfully they were not installing since 6-10-2010 (I went ahead and attached a copy of that as well). Also, Firefox was acting really funny. Taking a huge amount of time to load. I also found that even if I shut Firefox down, it was always running. Even if I went to Task Manager to kill firefox.exe, it was very difficult to get it to finally stop running.

I even saw a post here saying:
------------------------------------------------------------------------
QUOTE
Lets check your HOSTS file.
It's located at c:\windows\system32\drivers\etc\hosts.
You can open it up in Notepad.
If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it; however, if there are others following 127.0.0.1 localhost, you may have to fix it.
... Read more

A:Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?

Hi deetheis,

Welcome to Bleeping Computer!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
Please do not do anything or perform other steps unless I have asked you to do so.
Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
If you are unsure of how to reply, or need help with anything regarding the website, please look here.

STEP 1 - MBAM
Open Malwarebyte's Anti-Malware.
Under the Updates tab, click Check for Updates. Let the updates install (if any).
After that, under the Scanner tab, click Perform Quick Scan and then Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Exit MBA... Read more

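The HOSTS file check quoted in the question above is worth automating, because the malware families named in this thread commonly appended entries that pointed antivirus and Windows Update domains at loopback, 0.0.0.0 or an attacker's address so that updates and removal tools silently failed. The script below is an added example and is not code from the thread, from Bleeping Computer or from any tool it mentions. It parses a hosts file in the Windows format, skips comments and the stock localhost lines, and reports every remaining mapping, rating a mapping "high" when it touches a security or update domain. SAMPLE_HOSTS is constructed for the example, and SECURITY_DOMAINS is an assumed, illustrative list rather than any vendor's.

```python
import ipaddress
from typing import List

# Constructed sample resembling a tampered Windows hosts file (made up for this example).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org      # sends the download site to loopback
1.2.3.4         update.symantec.com
0.0.0.0         downloads.bleepingcomputer.com
10.0.0.5        intranet.example          # plausible admin entry, still worth a look
"""

# Assumed, illustrative list of domains malware likes to block; extend it for your environment.
SECURITY_DOMAINS = (
    "malwarebytes.org", "symantec.com", "bleepingcomputer.com",
    "microsoft.com", "windowsupdate.com", "kaspersky.com", "avg.com",
)

# Hostnames that legitimately map to a loopback address in a stock hosts file.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[dict]:
    """Return one record per hostname mapping, with comments and blank lines dropped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                                 # malformed line, maps nothing
        try:
            addr = ipaddress.ip_address(fields[0])   # first field must be an IP
        except ValueError:
            continue
        for host in fields[1:]:                      # one IP may front several names
            records.append({"line": lineno, "ip": str(addr),
                            "host": host.lower(), "loopback": addr.is_loopback})
    return records


def _matches_security_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text: str) -> List[dict]:
    """Flag every mapping that is not a plain loopback -> localhost line.

    'high'   : a security or update domain is redirected or sinkholed
    'review' : anything else the user did not ship with Windows
    """
    findings = []
    for rec in parse_hosts(text):
        if rec["loopback"] and rec["host"] in LOOPBACK_OK:
            continue                                 # the default Windows entries
        severity = "high" if _matches_security_domain(rec["host"]) else "review"
        findings.append({**rec, "severity": severity})
    return findings


def audit_file(path: str = r"C:\Windows\System32\drivers\etc\hosts") -> List[dict]:
    """Audit a hosts file on disk; the default is the path the thread gives."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}  {f['severity']:<6}  {f['ip']:<15} -> {f['host']}")
```

Anything rated "high" is a strong sign of tampering, because a clean Windows hosts file contains only comments and the localhost lines; a "review" entry may be a legitimate local override, so confirm it with whoever administers the machine before deleting it. Note that an entry such as `1.2.3.4 localhost` is also reported, since localhost pointing anywhere but loopback is never legitimate.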

Hello guys, Thanks for the help with this.
I get a Norton AV window that pops up all the time with file names like $055C6D52.t$m for example. When I look in the quarantine folder I find Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader.Lop,Bloodhound.Overpacked, Infostealer.Wowcraft, Backdoor.Graybird as files in quarantine. I would like to eliminate whatever it is that keeps attempting to re-infect my machine.

I'm running Norton and AVG, Spybot, and Windows Defender.
I appreciate any help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:45 PM, on 3/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\... Read more

A:Hacktool, Trojan Horse, w32.Spybot.Worm, Trojan.Startpage, Downloader., Multiple Infe

Hello and welcome to TSF.

Sorry for the delayed response. If you have not received help elsewhere and still need help please follow the instructions in IMPORTANT - Read This Before Posting A Log and post the two text files, main.txt and extra.txt produced by the Deckard's System Scanner, as it has been a while since you posted.


I used to think that I knew quite a bit about how to properly maintain a healthy computer. But that was until my laptop became infested with these trojans and whatever else they are.

It started out with a couple notifications from my AVG and this was not out of the ordinary. My internet started acting up and booting me offline every 30 minutes or so. Then the websites that I was trying to look at were "redirected" to http://bts.scour.com/index.html?3. I thought I'd be smart and block bts.scour.com in my Internet Options but it simply chose another route. So I blocked that site. Then it sent in another reroute site. These sites remind me of popups or those annoying "scan your computer for faster service" sites. Y'know, the ones that would entice you to scan your computer and make you believe there was something wrong with your computer, but there wasn't. (That is, until you scanned with their program and it would take control of your computer at the worst of times.)

The Trojan Horse Back Door Generic 15 made its entrance right after the "bt.scour" did. AVG's only option was to ignore it, but I still wasn't worried. Every time I blocked a redirect, the more intense the attack on my computer became. I gradually lost control of my computer. When I thought I should check Windows firewall, it was too late for any security measures. It was turned off and when I tried to turn it back on, it would give me an error (0x8000ffff). It wou... Read more

A:HELP!! UNINVITED GUESTS: Lune.Sirefef.A,Trojan horse Patched_C.LYU, Trojan horse Generic_r,Trojan horse Back Door Gener...

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more


I have tried, unsuccessfully to remove this infection.

My Norton internet security reports a blocked attempt every few seconds
and even after requesting to restart in order to remove the
infected file "desktop.ini" and "[email protected]" they reappear on start-up
and incur a blocked report from Norton.

I have already tried full system scans with Norton, Kaspersky Rescue Disk
and Malwarebytes.They have been unable to permanently remove my problem.

I have also utilised Rootkit removal tools in an attempt to clean my laptop.

I hope you are able to help me with this infection.

----------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 10.3.0
Run by Ulrich Meffert at 8:02:40 on 2012-05-29
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.61.1033.18.12279.7552 [GMT 8:00]
.
AV: Norton Internet Security *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:�... Read more

A:Infected with: Trojan.Gen.2 ; Hacktool.Rootkit & Trogen.Zeroaccess

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE:... Read more


Hello! I am so new to all of these! I already searched for the removal of these viruses and read in a lot of forums. All of these forums have logs, etc. involving the precious system files. I don't even understand the logs and I have read instruction on how to remove these but they do not guarantee anything. I am afraid that the PC might malfunction and be sent to the Repair Shop again. (It just got sent 4 days ago) I ran Malwarebyte's Anti-Malware and scanned my computer and found 46 infections. It shows the option that removes the selected files but I'm afraid because these files are categorized as 'Registry Keys, Registry Values, Memory Modules, and Registry Datas'. Should I delete them anyway?

And so, I want a professional, expert, etc. in all of these since I am such a sucker to all of these virus removal stuff.. I want that pro to walk with me through all of these. From the very first step to the very last and that is when the virus will be wiped out.. Please help..

A:Infected With Trojan.vundo, Trojan.bho, Trojan.agent, Malware.trace

Please copy/paste the MBAM scan log for us to review.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner... Read more


Please help, I'm running AVG 2012 Free Edition on Windows 7 and I have been infected with Trojan horse Dropper.Generic_c.MMI, which is in services.exe, I don't even know where to begin!

EDIT: I've resolved the Backdoor trojan, still need help with Dropper.Generic_c.MMI

A:Infected with Trojan horse Dropper.Generic_c.MMI and Trojan Horse Backdoor.Generic15.BHGZ

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button.

If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

Orange Blossom


Avast first alerted me to an infection, which I quarantined, called Win32:malware.gen. I followed some forum info after quarantining the malware which suggested I download Malwarebytes and run a scan. I have done this several times and Malwarebytes continues to find infected .dll files described as TROJAN.HILOTI.GEN, TROJAN.AGENT, and TROJAN.VUNDO.

I followed all the prescribed methods from this website from here:
http://www.bleepingcomputer.com/virus-remo...undo-virtumonde
Neither Vundo Fix nor VirtumundoBegone found anything. Malwarebytes keeps finding .dll files every time I run it.

Note: I had to rename the mbam.exe file in order to run it. I could download it, but it wouldn't run unless it was named something else.

I am now following the instructions from here:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Note: I can not run GMER without my machine crashing so I can not attach the required ark.txt log.

Finally, once when running MBAM my Avast kicked up a warning that it had stopped malware from executing and gave the reason that Malwarebytes had triggered it.

I would appreciate any help on this. I'm at the end of my rope. I've been trying to eradicate this for 3 days now. All my important files have been burned on a CD-R so I am willing to nuke the whole drive/OS if that is required.

Thanks in advance and I hope to hear from someone soon.

So I will now post the DDS.txt report as requested a... Read more

A:Infected with TROJAN.HILOTI.GEN, TROJAN AGENT, TROJAN VUNDO

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you... Read more


I have probably been infected by Trojan horse Dialer for over a month so I cannot remember exactly how I got infected, but I think it is because I was using IE; now I have permanently switched to Firefox. I have scanned my computer with Spybot Search & Destroy, Ad-Aware, AVG antivirus, and the Vundo tool, both in normal and safe mode. It seems as though I have gotten rid of Trojan horse Dialer with the Vundo tool, but then I became infected with Trojan horse Lop.AS. Every time I scan my computer with an antivirus tool the viruses and trojans usually show up in the internet cache or temporary internet files. That is probably why I cannot remove these viruses permanently. I regularly get those popups from AVG saying that they have detected the threat of Trojan horse Lop.AS. I am running Windows XP with SP2. The security tools that I run are the TeaTimer of Spybot, AVG real-time antivirus, and ZoneAlarm firewall. Now that I think I have gotten rid of Trojan horse Dialer.COH my computer seems to be running at the same speed as before becoming infected. However, I still want to get rid of the Trojan horse Lop.AS since the popup notice from AVG is so annoying. In conclusion, I have come to BC for a permanent solution.

A:I Am Infected With Trojan Horse Dialer.coh; Trojan Horse Lop.as; And Some Other Annoying Cookies And Viruses

http://www.bleepingcomputer.com/securityblog/2006/10/

Unfortunately, though, this October when the latest batch of renewals and new awardees were admitted we found a new MVP who leaves a bad taste in our mouths. This awardee is Cyril Paciullo, otherwise known as Patchou, and is well known as the creator of Messenger Plus. As a program, Messenger Plus actually has some slick features, but our problem is that this program also comes with a known adware and Trojan called LOP. What is funny is when Microsoft Security MVP Derek Knight scanned the main executable for Messenger Plus, at the free scanning site VirusTotal, Microsoft was the only vendor that stated that the installer was a threat.

Uninstall instructions in link below:
http://www.bigblueball.com/forums/msn-mess...senger-6-a.html


My son's Windows 7 computer has two trojan horse infections that were detected by AVG, but AVG was unable to quarantine or remove them (screenshots attached: Trojan 1.PNG, Trojan 2.PNG). He has known about the infection for some time, but has continued to use the computer. I first became aware of the situation when he asked for help when, on boot up, he got a message "missing operating system." We were able to boot from the recovery disk, but now the infection remains and the system runs extremely slowly. We were able to download and run DDS; however, it does not create the dds.txt file, but only the attach.txt file. We ran it several times, and sometimes it creates the attach.txt file (version attached called Attach2.txt) and a couple of times it created a version which includes restore points (version attached called Attach3.txt).

Internet connection on the computer has been intermittent. It was connected earlier this morning, long enough to download and run DDS and email the attach.txt files to me (I'm doing this post from my uninfected computer). Right now the infected computer is "not connected - no connection available." It should connect to the same wireless network in our home that my uninfected computer is connected to.

****UPDATE**** The internet connecti...

A:Infected with Trojan horse TDSS.CA and Trojan horse Dropper.Generic8.AXHI

Here are some more files that might help you. They are AVG Resident Shield results (attached: AVG Resident Shield results 1.png). There are three more screen shots to this report, but it won't let me upload any more.


I followed the instructions on the HijackThis prep and below is the file. I am very concerned that I can't seem to get rid of some unusual files in my msconfig startup and running processes. Unidentified items in msconfig startup are: Zeno, under C:\WINDOWS\system 32\pwinqsap.exe CORN001; Z_Start, C:\WINDOWS\system32\dwdsregt.exe CORN001. Then under SOFTWARE\Microsoft\Windows\CurrentVersion\Run are: 9339047 C:\PROGRA~\9339047\9339047.exe; sd "C:\PROGRA~1\AUTOST~1\sd.exe" --checkOnly; mhnn "C:\Program Files\Obla\mhnn.exe" -vt ndrv. The mhnn is also in the task manager as a running process. I cannot find any of these listed in Windows Explorer or my registry.

Logfile of HijackThis v1.99.1
Scan saved at 6:35:30 PM, on 1/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared...

A:Backdoor.dsnx, Hacktool, Trojan.cmapp, Download Trojan, Trojan.downloader.gen,

Sorry for the delay. If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic:Preparation Guide For Use Before Posting A Hijackthis Log


Please help!!!! I don't know which to keep and which to destroy. What should I do next?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:58 PM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\clipsrv.exe
C:\WINDOWS\SYSTEM32\imapi.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DellSuppor...

A:Trojan Horse Vundo. GC & Trojan Downloadergeneric8.AFPS dropper

I can still get on the internet, but my antivirus AVG won't destroy or delete it, so it keeps running up my processors. Sooner or later the virus will take over my entire system and I'll have to reinstall everything if I don't figure this out.


Picked up these bad boys when I was stupid and launched an .exe that I wasn't too sure of in the first place. Anyway, nothing I have is getting rid of them. The following is my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 7:48:19 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alias\Maya6.0\docs\Wrapper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Alias\Maya6.0\docs\jre\bin\java.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Windo...

A:Solved: trojan.vundo/trojan horse/downloader virus help.


Okay, for the past few days I've been having issues with these viruses. I have seen posts here before asking about how to get rid of the same things but since I have those 3 I don't know if there is a better way to do this.

I keep getting random pop ups. I tried downloading VundoFix but it keeps coming back of course. I ran Spybot Search & destroy and the same thing happens.

The antivirus I'm using is Norton AntiVirus Corporate Edition Full version 7.60.926, if that's even necessary. It is up to date and the description it gives me for each one is..

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader
File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1\valera[1]
Location: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\07RJ2CT1
Computer: STARRSCOMPUTER
User: starrs crap
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wed Sep 19 23:37:08 2007

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\Documents and Settings\starrs crap\Local Settings\Temporary Internet Files\Content.IE5\CHER4DUR\lkjh[1]
Location: Quarantine
Computer: STARRSCOMPUTER
User: starrs crap
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Sep 19 23:37:10 2007

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan Horse
File: C:\Documents and Settings\s...

A:Virus issues, Downloader, Trojan.Vundo, Trojan Horse

Oh god.. okay, I should probably mention that right now my antivirus notification is at 89 notifications and counting, the same message over:

"Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\WINDOWS\system32\byxxutr.dll
Location: C:\WINDOWS\system32
Computer: STARRSCOMPUTER
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thu Sep 20 00:15:34 2007"

By the time I'm done with this message it's up to 99 notifications total and still counting.
103 now.

I'm trying to delete it but it says the file is busy, and I'm trying to disable the antivirus but I can't figure out how.
 

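The flood of identical Norton alerts above (the same system32 DLL reported over a hundred times with "Clean failed : Quarantine failed : Access denied", under the SYSTEM account) is the on-access scanner re-detecting a DLL that is already mapped into a running process; it cannot quarantine a file while it is in use, so every access fires the alert again. The following is an added example, not code from the thread or from Symantec: a small Python triage script that parses alert blocks in the layout the poster pasted, collapses the repeats to one row per file, and classifies each file by where it sits and what the scanner managed to do. The sample alert text, the computer name WORKSTATION and the user name alice are constructed for the example.

```python
"""Collapse and classify repeated Norton real-time protection alerts.

Added example, not from the thread or from Symantec. SAMPLE_ALERTS is a
constructed log in the layout the poster pasted; host and user names are made up.
"""
import re

# Two browser-cache hits, then the same locked system32 DLL reported three times.
SAMPLE_ALERTS = """\
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Downloader
File: C:\\Documents and Settings\\alice\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234\\valera[1]
Location: C:\\Documents and Settings\\alice\\Local Settings\\Temporary Internet Files\\Content.IE5\\ABCD1234
Computer: WORKSTATION
User: alice
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wed Sep 19 23:37:08 2007

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\\Documents and Settings\\alice\\Local Settings\\Temporary Internet Files\\Content.IE5\\WXYZ5678\\lkjh[1]
Location: Quarantine
Computer: WORKSTATION
User: alice
Action taken: Clean failed : Quarantine succeeded : Access denied
Date found: Wed Sep 19 23:37:10 2007

""" + """\
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Vundo
File: C:\\WINDOWS\\system32\\byxxutr.dll
Location: C:\\WINDOWS\\system32
Computer: WORKSTATION
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Thu Sep 20 00:15:34 2007

""" * 3

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# What the status means for the next step; general Vundo-era guidance, not from the thread.
NEXT_STEP = {
    "quarantined": "already isolated; confirm the quarantine entry and move on",
    "browser-cache": "clear the browser cache, then find the page or ad that served the file",
    "locked-system-dll": "DLL is loaded in a running process and cannot be quarantined in place; "
                         "identify its loader (BHO, Winlogon Notify, AppInit_DLLs) and remove both at boot",
    "other": "review manually",
}


def parse_alerts(text):
    """Split the alert text into one dict per blank-line-separated block."""
    alerts, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                alerts.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        alerts.append(current)
    return alerts


def classify(alert):
    """Derive a status from the file location and the 'Action taken' field."""
    path = alert.get("File", "").lower()
    action = alert.get("Action taken", "").lower()
    if "quarantine succeeded" in action:
        return "quarantined"
    if "\\temporary internet files\\" in path:
        return "browser-cache"
    if "\\windows\\system32\\" in path and path.endswith(".dll") and "quarantine failed" in action:
        return "locked-system-dll"
    return "other"


def summarize(text):
    """Return {file path: {virus, count, status, next_step}}; a 100-alert flood collapses to its distinct files."""
    summary = {}
    for alert in parse_alerts(text):
        key = alert.get("File", "")
        entry = summary.setdefault(key, {
            "virus": alert.get("Virus name", ""),
            "count": 0,
            "status": classify(alert),
        })
        entry["count"] += 1
        entry["next_step"] = NEXT_STEP[entry["status"]]
    return summary


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_ALERTS).items():
        print(f"{info['count']:3d}x {info['status']:18s} {info['virus']:14s} {path}")
        print(f"     -> {info['next_step']}")
```

The point of the collapse is that the alert count is not the infection count: five alerts here are three distinct files, and only one of them (the DLL the scanner cannot touch) is the real problem; the cached payloads are what it dropped or fetched.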

When using Google in Firefox, links to pages I've searched for do not go to the correct page. Malwarebytes found this:

Files Infected:
C:\Program Files\Falco GIF Animator\FalcowareAcPro.exe (Adware.PredictAd) -> Quarantined and deleted successfully.
F:\torrents dls\Myspace.friend.blaster.pro8.4\friendblasterpro.-patch.exe (Trojan.Hacktool) -> Quarantined and deleted successfully.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Spike at 8:43:00.21 on 24/03/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1526.339 [GMT 0:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program F...

A:Trojan removal help - infected with Trojan.Hacktool

Problem solved using combofix so please close my topic and thank you.


Must have got these a week ago. Noticed after my Google search result links would bring me to ad sites half the time.

A:"Trojan horse BackDoor.Generic11.IZW" "Trojan horse SHeur2.ADCY" "Trojan horse PSW.Agent.ZSP"

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks, and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Sca...


Hello, my AVG scanner says that I have the Vundo.KA trojan horse. I ran MalwareBytes and it still shows up. I have attached logs from the DDS program, but I could not attach the GMER log because my computer always bluescreens in the middle of the scan. Please help! Thanks! Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:19 PM, on 2/7/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\Dantz\RETROS~1\retrorun.exe
C:\Program Files\Google\Update\1...

A:Infected with Trojan Horse Vundo.KA

Hello, mtcscomputer. My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times but we are trying our best to keep up.

If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine. Thanks.

We need to run RSIT.
Download random's system information tool (RSIT) by random/random and save it to your desktop.
Double click on RSIT.exe.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).

In your next reply, please include the following:
Log.txt
info.txt


I have been experiencing some problems with my computer. My internet browser is constantly being redirected to another site. I also receive pop-up ads from different sites occasionally. I ran a full system scan with AVG Internet Security and it said that I have 12 infections of the Trojan Horse Vundo.KA virus. Here's my DDS log and HijackThis log. I tried to run a scan with gmer.exe but the scan won't complete!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:24 AM, on 2/11/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.e...

A:Infected with Trojan Horse Vundo.KA

Hello! My name is Sam and I will be helping you. In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:
Link 1
Link 2
Link 3

Important! You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert. It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Make sure that you save ComboFix.exe to your Desktop.
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malwa...


I use Windows XP SP3, Media Center Edition 2005. I've had this issue for about a month now. I got a virus that redirects me to different sites whenever I search, and opens up tabs and popups to sites, too. Luckily, it hasn't redirected me to pornography, but this is really bothering me.

When I first got it, it affected Chrome. So I uninstalled it. I also found it redirected in IE and Firefox as well, so I uninstalled Firefox but not IE, because it is such a hassle to re-install.

Then I got a notification from AVG, saying "Multiple Threat Detection" at the top. I have an Exploit Search engine hijack and an Exploit Rogue Scanner (type 1006). However, AVG didn't recognize the virus, as I scanned twice and it detected nothing. It says the process name was C:\Program Files\Mozilla Firefox\firefox.exe. The infection files were from forums.khinsider.com and foryouscann.com.

Now to recent days. AVG has recently detected Trojan Horse Vundo.KA viruses. Let me show you a recent log.

"Scan ""Scheduled scan"" was finished."
"Infections";"8";"8";"0"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Friday, February 12, 2010, 12:39:25 PM"
"Scan finished:";"Friday, February 12, 2010, 2:43:13 PM (2 hour(s) 3 minute(s) 47 second(s))"
"Total object scanned:";"527438"
"User who launched th...

A:Infected with three Trojan Horse Vundo.KA

Did I not put enough info on here? I put as much as I could without posting a Hijackthis log.


Hey, I've had this virus for a week already and haven't found a way to remove it. I visited the AVG forums and they've been helping me almost the whole week, but to no avail, since my system is still infected. Here's the link to the topic: http://forum.avira.com/thread.php?threadid=32733 The guy that was helping told me to re-install Windows, but that's something I can't do right now. I wish I had found this forum much earlier!!

A:My Pc Is Infected With The Trojan Horse Tr/vundo.dwk

Hmm, seems that my HijackThis is outdated.
EDIT: I've updated it; here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:14 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\xoprdnnm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AntiVir Personal...

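Several HijackThis logs in these threads carry the two process-list patterns that deserve a second look before anything else: an executable with a machine-generated name sitting in system32 (xoprdnnm.exe in the log above, with the same shape as the byxxutr.dll and pwinqsap.exe names elsewhere on this page) and an executable running out of a user's Temp directory. The Python below is an added example, not part of any post and not HijackThis code: it pulls the "Running processes:" section out of an HJT log and flags those two patterns. The HJT excerpt is constructed from paths seen in the threads, and KNOWN_GOOD_SYSTEM32 is an illustrative allowlist assumed for the example, not a complete inventory of a clean XP system32, so anything it flags still has to be confirmed by hashing or a vendor signature check.

```python
"""Triage of the 'Running processes:' section of a HijackThis log.

Added example, not from the threads or from HijackThis. SAMPLE_HJT is a
constructed excerpt built from paths that appear in the posts above, and
KNOWN_GOOD_SYSTEM32 is an assumed, illustrative allowlist.
"""
import ntpath

KNOWN_GOOD_SYSTEM32 = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "ctfmon.exe", "rundll32.exe", "alg.exe",
    "wuauclt.exe", "nvsvc32.exe", "hkcmd.exe", "igfxpers.exe", "igfxsrvc.exe",
}

SAMPLE_HJT = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01:14 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\WINDOWS\\system32\\xoprdnnm.exe
C:\\WINDOWS\\system32\\nvsvc32.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\Mozilla Firefox\\firefox.exe
C:\\DOCUME~1\\Nathan\\LOCALS~1\\Temp\\RtkBtMnt.exe
C:\\Program Files\\HijackThis\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
"""


def running_processes(hjt_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in hjt_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def vowel_ratio(stem):
    """Share of vowels among the letters of a file name; generated names usually score low."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0


def triage(hjt_text):
    """Flag executables running from a Temp directory and unrecognised binaries in system32."""
    findings = []
    for path in running_processes(hjt_text):
        directory, name = ntpath.split(path)          # ntpath handles Windows paths on any host
        d, n = directory.lower(), name.lower()
        stem = n.rsplit(".", 1)[0]
        reason = None
        if "\\temp\\" in d + "\\":
            reason = "runs-from-temp"
        elif d.endswith("\\windows\\system32") and n not in KNOWN_GOOD_SYSTEM32:
            reason = "unknown-system32-binary"
        if reason:
            findings.append({"path": path, "reason": reason,
                             "vowel_ratio": round(vowel_ratio(stem), 2)})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE_HJT):
        print(f"{hit['reason']:24s} vowels={hit['vowel_ratio']:.2f}  {hit['path']}")
```

The vowel ratio is only a hint for the analyst reading the output (xoprdnnm scores 0.12, winlogon 0.38); the allowlist does the real work, and a low-scoring name that is in the allowlist, such as spoolsv.exe, is not reported.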

Hi, I have the Vundo.JD trojan on my laptop. Both Malwarebytes Anti-Malware and SUPERAntiSpyware don't pick it up, but AVG 9 does, finding these two infections:

C:\Program Files\AVG\AVG9\avgcsrvx.exe (1752):\memory_00260000;"Trojan horse Vundo.JD
C:\Program Files\AVG\AVG9\avgcsrvx.exe (1752);"Trojan horse Vundo.JD

No matter how many times AVG finds and "deals" with these, they always appear when I do a scan.

I would like to back up my data but am afraid that I will just be transferring the infection. Is that possible?
Any help would be appreciated.
Thank you
DDS (Ver_09-12-01.01) - NTFSx86
Run by User at 18:23:32.01 on Sun 20/12/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2932 [GMT 13:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files ...

A:Infected with Vundo.JD trojan horse

Hi, my name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues I would appreciate it if you would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up.

We need to create an OTL report.
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scans/Fixes box at the bottom, paste in the following bold text.
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
/md5stop
CREATERESTOREPOINT
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized

Then please post back here with the following logs:
OTL.txt
Extra.txt

Thanks


Greetings, and first thank you for a great site and help. Around December 6th or 7th I was pushed a copy of Google Desktop from a site I was visiting and thought, well why not, and installed Google Desktop (I have since uninstalled it). Since that time, people on my Yahoo contact list have been getting emails from me with blank subject lines and links to bogus sites. One sent the email back to me and it tried to load a 123greetings.com card and asked to download a newer version of Flash, which I tried, and that hung my computer. These rogue emails were even going out with time stamps when I had the computer turned completely off. A few days later I would be idle on a web page (like my Yahoo mail account) when a new window would pop up with an advertisement, something like dgr????. I re-installed AVG, which found the "Trojan horse Vundo.JD" in c:\windows\system32\csrss.exe(704)mem_00200270000?? and c:\windows\system32\csrss.exe(704). I tried rebooting as AVG suggested and rescanning and the virus was still there. I then tried, in this sequence, CCleaner -> AVG -> Advanced SystemCare -> IObit Security 360 -> Malwarebytes Anti-Malware -> HouseCall; I tried McAfee Stinger, and from BleepingComputer.com topic How to Remove WinFixer/Virtumonde/MSevents/Trojan.vundo, in sequence rkill -> Malwarebytes -> AVG, at which point the virus was gone but Firefox and IE were all very slow and the pop up ads continued. Upon reboot and running of AVG the "Trojan horse Vundo.JD"...

A:Infected with "Trojan horse Vundo.JD"

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks, and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo...


Howdy all.... I'm infected with "Trojan Horse Vundo JU" and have tried all types of different malware, spyware and antivirus programs to remove it with no luck. When I reboot it takes forever to do so.... and I keep getting small pop-up windows saying "i.e. startup file's name" - Bad Image "The application or DLL c:\windows\system32\zokelika.dll is not a valid Windows image. Please check this against your installation diskette." I tried to run a D.D.S. report, but it seems that the infection keeps getting in the way. Was able to get RootRepeal done (attached). Any help is greatly appreciated. Thanks, John

DDS (Ver_09-12-01.01) - NTFSx86
Run by Mr. John at 1:59:40.34 on Sat 01/16/2010
Internet Explorer: 7.0.5730.11
============== Running Processes ===============
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protecti...

A:I'm infected with "Trojan Horse Vundo JU" HELP!!!!!

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks, and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo...


I know someone below me has my problem, and I read that topic, but I don't want to follow those steps because they are specific to his computer. Today my AVG popped up with a warning stating that Rootkit-Pakes.U has infected my Atapi.Sys 3 times, and that it is white listed. It found it in Explorer.exe. Here are my HijackThis logs:

Code:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:08, on 17/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\DOCUME~1\Nathan\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files...

A:Trojan Horse Rootkit-Pakes.U Trojan on my Atapi.sys

Please guys, I really need help. I think it's masking other viruses; today my "My Computer" folder's name was changed to 2543e. Something is happening to my computer! Please help!
Bump.
 

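The /md5start ... /md5stop block in Syler's OTL script earlier on this page hashes a fixed list of system DLLs and storage drivers so their digests can be compared against known-clean copies. That is the check that catches a patched atapi.sys of the kind AVG reported as Rootkit-Pakes.U in the thread just above: a driver infector overwrites a few bytes in place, so file size and name stay normal and only the hash moves. The Python below is an added example of that baseline-and-compare step, written for both passages; it is not OTL's code and not a reconstruction of it. WATCH_LIST is a subset of the names in the OTL script, and the temporary directory, the stand-in file contents and the byte patch in demo() are constructed for the demonstration. It reports files whose hash changed, files that exist now but were absent from the clean baseline (the OTL list deliberately includes lookalike names such as ntelogon.dll and sceclt.dll that a clean system does not have, so for those the presence of the file is the finding), and files that are missing.

```python
"""Hash-baseline check for system files, after the OTL /md5start list.

Added example, not OTL's code. WATCH_LIST is a subset of the OTL list; the
files written by demo() are constructed stand-ins, not real Windows binaries.
"""
import hashlib
import os
import tempfile

# Subset of the names in the OTL script. ntelogon.dll and sceclt.dll are
# lookalikes of netlogon.dll and scecli.dll that a clean XP system does not have.
WATCH_LIST = ["eventlog.dll", "scecli.dll", "netlogon.dll", "sceclt.dll",
              "ntelogon.dll", "atapi.sys", "iaStor.sys", "nvstor.sys"]


def hash_file(path, algo="sha256", chunk=1 << 16):
    """Stream the file through hashlib; algo='md5' reproduces OTL-style digests."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, names, algo="sha256"):
    """Hash each listed file that exists under root; root must be a known-clean tree."""
    baseline = {}
    for name in names:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            baseline[name] = hash_file(path, algo)
    return baseline


def compare(root, names, baseline, algo="sha256"):
    """Classify every watched name as ok, changed, unexpected (present, not in baseline) or missing."""
    report = {"ok": [], "changed": [], "unexpected": [], "missing": []}
    for name in names:
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            report["missing"].append(name)
        elif name not in baseline:
            report["unexpected"].append(name)
        elif hash_file(path, algo) != baseline[name]:
            report["changed"].append(name)
        else:
            report["ok"].append(name)
    return report


def demo():
    """Constructed scenario: clean tree -> baseline -> atapi.sys patched in place, lookalike dropped."""
    with tempfile.TemporaryDirectory() as root:
        for name in ["atapi.sys", "netlogon.dll", "scecli.dll"]:
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"MZ" + name.encode() + b"\x00" * 64)   # stand-in bytes, not a PE
        baseline = build_baseline(root, WATCH_LIST)

        # Patch a few bytes of atapi.sys without changing its size, the way a
        # driver infector does; a size check alone would miss this.
        with open(os.path.join(root, "atapi.sys"), "r+b") as f:
            f.seek(8)
            f.write(b"\xe9\x00\x10")
        # Drop a lookalike that was absent from the clean baseline.
        with open(os.path.join(root, "ntelogon.dll"), "wb") as f:
            f.write(b"MZ" + b"\x90" * 32)

        return compare(root, WATCH_LIST, baseline)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10s} {files}")
```

Two caveats a practitioner would apply on a real machine: the baseline has to come from a clean system with the same service pack and driver versions, and when a kernel-mode rootkit is suspected the hashes should be taken from an offline boot, because a rootkit that filters file reads can hand the clean bytes to any on-system scanner while the patched copy is what actually loads. SHA-256 is the better choice where the reference digests allow it; MD5 is adequate for matching against an OTL-era list but not against an adversary who controls both files.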

Hi, thanks for taking a look. AVG says I'm infected with Trojan Horse Back .Agent.IQL / Trojan Horse Generic5.GUH. I have no idea how dangerous these are; I think they have been on my laptop for a week or so.
How do I remove them?
Many Thanks
MrP
 

A:AVG Says I'm infected with Trojan Horse Back .Agent.IQL / Trojan Horse Generic5.GUH

bump
 


I have 2 trojans, Trojan horse Generic5.GUH and Trojan horse BackDoor.Agent.IQL, that I would like to remove. I have an external hard drive. Could not run the online scans except Stinger; HouseCall made a loud bleeping noise? Laptop used for sensitive stuff, banking etc. Will change passwords on other machine. Thank you

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:43 PM, on 24/07/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\AGRSMMSG.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Windows\ehome\eh...

A:Infected With Trojan Horse Generic5.guh,trojan Horse Backdoor.agent.iql

Hi mrpugowski,

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience.


HELLO, this is my first time posting at your site, but I have followed your responses to others while researching software and problems on the Google search page. Your answers and instructions have been of great use and help to me.

Recently my computer started to run slow and I started seeing pop-ups and messages saying my computer was infected. I checked my AVG Anti Virus and found seven items in the quarantine folder. The items were listed as Trojan Horse Generic 4.BO and a Trojan Horse Downloader Zlob.mcq. I ran Ad-Aware and it found several items, mostly cookies and Zango, which were removed. I then ran another scan and it came up clean. I ran a Panda ActiveScan and it found more infections. I have included the report with my HiJack log. I had a problem running a Panda scan until I noticed a registry cleaner was blocking me from loading the ActiveX program needed by Panda. I was able to uninstall the program. I installed Spybot and it found even more infections such as Hot box, freeze.com and a registry change. At this point I now know I have a serious problem. Thank you in advance for any help you can provide me and my computer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:54:23 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\... Read more

A:Infected With Trojan Horse Generic 4.bo And Trojan Horse Downloader Zlob.mcq

Hello deb_girl, I am SifuMike and I will be helping you.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u2.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Examples of older versions in Add or Remove Programs:
Java 2 Runtime Environment, SE v1.4.2
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Check any item with Java Runtime Environment (JRE or J2SE) in the name. Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version. Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

******************

We are going to dig deeper, and that will require us to run some additional scans. You will need to use Internet Explorer for this scan. D... Read more


Hiya, I've just had an awful couple of days removing these viruses; I'm surprised my computer still works! I'm sure there are still some infected files on my computer, or possibly complete viruses, because Google Chrome has ceased to work (even after reinstalling) and I am getting pop-ups in Firefox which Avast has to keep blocking. I've also reinstalled Java. If anyone could help me that would be great. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29:29, on 09/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe ... Read more

A:Recovering from XP Antimalware 2010 + Trojan.Vundo + Trojan.BHO.H + Rootkit.TDSS + more

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report
Please download OTL from one of the following mirrors:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
In the custom scan box paste the following:

Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%... Read more


Edited to add information from another topic that will be shortly deleted. ~ OB

I had a quick question before I start backing up all my personal/doc/data/photo files. I have an external HD for backup, connected by USB. I haven't turned it on or backed anything up for a couple months (I know, lazy), so hopefully it hasn't had a chance to have any infected files on it yet. If I turn it on while it's still connected to the infected computer, what is the chance the virus/trojan will transfer to the external hard drive? And along the same concept, if I start copying over photos and other personal files to the external hard drive, how do I know I'm not copying over the virus/trojan with it?

End of added information. ~ OB

My computer is an HP, AMD Athlon 64x2, 1.0GB RAM, WIN XP SP2 desktop that was infected with lots of virus/Trojan/adware/malware. It's mainly for home personal use (our only computer) but I also telecommute for work sometimes. I haven't been able to back up all our personal files, so I'm trying to avoid rebuilding the whole machine if possible. I've already run, cleaned infected files and run again, and received a clean slate now from Avast!, MBAM (quick scan) and SuperAntiSpyware (complete scan).

Here's my original post in the "Am I infected?" forum:
http://www.bleepingcomputer.com/forums/t/192399/win32monder-gbtrj-win32trojan-genother-adwarepopcap-trojanvundo-trojanagent-and-more/

The computer seems stable now. I can load up the computer without a problem. But after reading this forum and the ... Read more

A:Seneka Rootkit, Monder-GB, Trojan.Vundo, Adware.PopCap, Trojan.Agent, Malware.Trace

Hello, Lex H to BleepingComputer.com
My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).

Please take note of the following:
In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.

We need to scan for Rootkits with GMER
Please download GMER from one of the following mirrors:
This is the Primary mirror
This is a Secondary mirror
This is a Secondary mirror
Close any and all open programs, as this process may crash your computer.
Unzip the downloaded file to your desktop.
Double click on your desktop.
Allow the gmer.sys driver to load if asked.
You may see this window. If you do, click No.
Click on and wait for the scan to finish.
If you see a rootkit warning window, click OK.
Push and save the logfile to your desktop.
Copy and Paste the contents of that file in your next post.
In your next reply, please include the follow... Read more


My PC is infected with this trojan that I can't seem to get rid of. I had AVG Free 8.5 installed and the following message would pop up:

"C:\WINDOWS\system32\drivers\ntfs.sys";"Trojan horse Rootkit-Pakes.M";"Object is white-listed (critical/system file that should not be removed)"

It wouldn't let me remove or heal it. I tried SuperAntiSpyware and it couldn't remove it either.

This morning my computer screen was displaying a fake antivirus warning screen and I couldn't open AVG or SAS to try to find the problem. I also couldn't CTRL/ALT/DELETE to stop any goofy applications. I restarted the computer and went to safe mode with F8 and rebooted with an older date. This still didn't get rid of the trojan. At least I was able to use the computer to find help from this site.

I am running Windows XP with SP3. Please help!!!! I already backed up all files. I also uninstalled AVG 8.5 and left SAS installed.


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 20:51:59.42 on Fri 08/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.251 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C... Read more

A:infected with: Trojan horse Rootkit-Pakes.M

hi.

I need to get another rootkit scan before we start disinfecting your computer.

Download RootRepeal.zip to your Desktop and extract the compressed file to its own folder.

Open the folder and double-click on RootRepeal.exe to run it.
Click on the Report tab, and then click on: Scan
A window opens asking what to include in the scan.
Check the following boxes then click OK:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Shadow SSDT
You will then be asked which drive to scan.
Check C: (or the drive your operating system is installed on, if not C)
Click OK once again.
The tool will begin scanning and may take a while to complete, so please be patient.
When the scan finishes, click on: Save Report. Save it to your desktop so you may find it easily.

Please attach the report in your next reply.
--------------------------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

Code:
:filefind
ntfs.sys

Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt

Mark


Please could you help me eliminate Trojan horse Rootkit-Pakes.U, which infected my windows\system32\drivers\atapi.sys on Windows XP.

Thank you

A:Trojan horse Rootkit-Pakes.U infected

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:
Having problems with spyware and pop-ups? First Steps
link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Hi all. I believe my computer is infected with Trojan Horse Rootkit-Agent.EF. It first appeared in an AVG scan and looked like this:
(File) C:\system32\drivers\atapi.sys
(Infection) Trojan horse Rootkit-Agent.EF
(Result) Object is white-listed (critical/system file that should not be removed)
It continues to reappear on subsequent AVG scans and Resident Shield alerts. Scans using Malwarebytes, SUPERAntiSpyware and ThreatFire are all negative for any infections.

In preparation for posting here, I've run DeFogger. I've run and created logs for DDS which are posted below and attached. I have created a GMER log, which is also attached, but I don't know if it's complete. Numerous attempts at running GMER resulted in mid-scan reboots, freeze-ups and blue screens. The lone completed scan froze the program upon completion, preventing a saved log. But a subsequent scan was stopped early, and a saved log was created which appeared to match the completed scan based on number of objects. Thanks in advance for any help.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Compaq_Administrator at 9:12:33.54 on Tue 02/16/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.156 [GMT -5:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k Dcom... Read more

A:Infected with Trojan Horse Rootkit-Agent.EF

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


At this point, I'm getting AVG popping up every 10 minutes warning me that the NTFS.sys is messing this up and infecting other things. It won't even boot normally anymore, not even in safe mode. Blue screen of death if I try that. Can anyone help?

Here are the logs that were required in the sticky'd thread

(Edit: I just got an error from Cobian, a program suggested by this site to back things up.
8/13/2009 7:22:54 PM Changing the backup type for "Backup 1" to Full (First backup)
8/13/2009 7:22:54 PM Creating or updating the archive "H:\Backup of Everything\C 2009-08-13 19;22;54.zip"
ERR 8/13/2009 7:41:55 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\parent.lock": Cannot open file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\parent.lock" - Native error: 00033
ERR 8/13/2009 7:41:55 PM Error while compressing the file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\places.sqlite-journal": Cannot open file "\\?\C:\Documents and Settings\Danny N\Application Data\Mozilla\Firefox\Profiles\zz7rek70.default\pla... Read more

A:Infected with Trojan Horse rootkit-Pakes.m

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


My PC is infected with this trojan that I can't seem to get rid of. I had AVG Free 8.5 installed and the following message would pop up:

"C:\WINDOWS\system32\drivers\ntfs.sys";"Trojan horse Rootkit-Pakes.M";"Object is white-listed (critical/system file that should not be removed)"

It wouldn't let me remove or heal it. I tried SuperAntiSpyware and it couldn't remove it either.

This morning my computer screen was displaying a fake antivirus warning screen and I couldn't open AVG or SAS to try to find the problem. I also couldn't CTRL/ALT/DELETE to stop any goofy applications. I restarted the computer and went to safe mode with F8 and rebooted with an older date. This still didn't get rid of the trojan. At least I was able to use the computer to find help from this site.

I am running Windows XP with SP3. Please help!!!! I already backed up all files. I also uninstalled AVG 8.5 and left SAS installed.

Thanks!

A:infected with: Trojan horse Rootkit-Pakes.M

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:
Having problems with spyware and pop-ups? First Steps
link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Please could you help me eliminate Trojan horse Rootkit-Pakes.U, which infected my windows\system32\drivers\atapi.sys on Windows XP.

Thank you
 

A:Trojan horse Rootkit-Pakes.U infected

Please do not create multiple threads for the same problem.
Continue here: http://forums.techguy.org/malware-removal-hijackthis-logs/897368-trojan-horse-rootkit-pakes-u.html
 


I have AVG anti-virus software and it will not remove the virus, it says it has been "white listed" and cannot be removed. There haven't been any problems that I have noticed thus far from the virus, I just continually get a pop up warning window from AVG saying that the virus is on my computer (trojan horse rootkit-pakes.U).

DDS (Ver_09-10-26.01) - NTFSx86
Run by timmy at 23:58:19.87 on Sun 11/15/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1045 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

H:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
H:\WINDOWS\System32\svchost.exe -k netsvcs
H:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
H:\Program Files\AVG\AVG9\avgrsx.exe
H:\Program Files\AVG\AVG9\avgcsrvx.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\WINDOWS\SkyTel.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\Java\jre6\bin\jusched.exe
H:... Read more

A:Infected with trojan horse rootkit-pakes.U

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand corner ... Read more


Trojan horse Rootkit-Pakes.U infected. Please could you help me eliminate Trojan horse Rootkit-Pakes.U, which infected my windows\system32\drivers\atapi.sys on Windows XP. Please help me.

Thank you
 

A:Trojan horse Rootkit-Pakes.U infected on XP

Thank you for receiving NO HELP !!! (
 


Logfile of HijackThis v1.99.1
Scan saved at 2:43:20 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files ... Read more

A:Trojan Horse And Vundo Trojan Still Present

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, D-Machine. My name is Richie and I'll be helping you to fix your problems.

Please download Combofix and save to your desktop:
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log. Post the entire contents of C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause the program to freeze/hang.
Also post a new Hijackthis log.
