
Leftover Problems from Rootkit

Q: Leftover Problems from Rootkit

I had a virus/rootkit that I thought I had cleaned up. I'm still having the following issues though:
1. Blue screen trying to boot into safe mode (can't read reason)
2. Generic Host Process for Win32 Services has encountered a problem and needs to close message
3. Can't run full antivirus scan now without getting the above error, but it pops up at other times, like right now. When I get it, I have to restart my laptop - it won't do anything else.
4. Have the occasional extra pop up with an advertisement when I open up IE.
5. I couldn't post this on my laptop - I had to borrow someone else's for a few minutes to get this to go through. It just kept saying it couldn't display the page after I tried hitting submit.
6. My laptop is running much slower than normal.

Hope someone can help! I'm in the middle of a big project that needs files from my only computer, so this is the worst timing ever!

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Liz at 17:38:04.46 on Fri 05/13/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.894 [GMT -4:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\System32\svchost.exe -k Cognizance
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\ifxspmgt.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\IfxPsdSv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Taskbar Shuffle\taskbarshuffle.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Documents and Settings\Liz\Application Data\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Liz\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local;<local>
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: ChromeFrame BHO: {ecb3c477-1a0a-44bd-bb57-78f9efe34fa7} - c:\program files\google\chrome frame\application\11.0.696.68\npchrome_frame.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Taskbar Shuffle] c:\program files\taskbar shuffle\taskbarshuffle.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule
mRun: [IFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logitech\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [LVCOMSX] "c:\program files\common files\logitech\lcommgr\LVComSX.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\liz\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\liz\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\liz\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260811602922
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {B3E32D88-8E7F-468F-B0E2-3A300FD4A82C} - hxxp://myitlab.pearsoned.com/Pegasus/Modules/SIMIntegration/Resources/ax/stub.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://intercall.webex.com/client/T27L10NSP11EP5/webex/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: gcf - {9875BFAF-B04D-445E-8A69-BE36838CDE3E} - c:\program files\google\chrome frame\application\11.0.696.68\npchrome_frame.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: DeviceNP - DeviceNP.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: tpgwlnotify - tpgwlnot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\liz\applic~1\mozilla\firefox\profiles\q5htfe6o.default\
FF - plugin: c:\documents and settings\liz\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npstrlnk.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: [email protected] - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Move Media Player: [email protected] - c:\documents and settings\liz\application data\Move Networks
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Fast Youtube Downloader: [email protected] - %profile%\extensions\[email protected]
.
============= SERVICES / DRIVERS ===============
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-10-1 28552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-7-24 38816]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-4-14 14336]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-4-14 14336]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2008-12-18 108392]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-12-14 193840]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2007-5-9 97280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2009-12-15 41216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110512.002\NAVENG.SYS [2011-5-12 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110512.002\NAVEX15.SYS [2011-5-12 1393144]
R3 WacomISDPen;Wacom Penabled HID MiniDriver;c:\windows\system32\drivers\wacomisdpen.sys [2009-12-15 23936]
S1 aiptektp;Pen Pad;c:\windows\system32\drivers\aiptektp.sys --> c:\windows\system32\drivers\aiptektp.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-15 135664]
S2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-2-2 2440120]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2009-12-16 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-12-15 135664]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2009-12-11 14208]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2007-1-22 34736]
.
=============== Created Last 30 ================
.
2011-05-13 21:15:15 -------- d-s---w- C:\ComboFix
2011-05-12 23:52:02 -------- d-----w- c:\docume~1\liz\applic~1\SUPERAntiSpyware.com
2011-05-12 23:52:02 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-12 23:50:31 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-11 22:45:40 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2011-04-28 02:33:49 106192 ----a-w- c:\program files\mozilla firefox\plugins\npstrlnk.dll
2011-04-28 02:33:16 -------- d-----w- c:\program files\common files\Napster Shared
2011-04-27 21:28:59 91136 ----a-w- c:\windows\system32\kswdmcap.ax
2011-04-27 21:28:59 720176 ----a-r- c:\windows\system32\drivers\LV302AV.SYS
2011-04-27 21:28:59 61952 ----a-w- c:\windows\system32\kstvtune.ax
2011-04-27 21:28:59 348160 ----a-r- c:\windows\system\msvcr71.dll
2011-04-27 21:28:59 28672 ----a-w- c:\windows\system32\vidcap.ax
2011-04-27 21:28:58 53760 -c--a-w- c:\windows\system32\dllcache\vfwwdm32.dll
2011-04-27 21:28:58 53760 ----a-w- c:\windows\system32\vfwwdm32.dll
2011-04-27 21:28:58 43008 ----a-w- c:\windows\system32\ksxbar.ax
2011-04-27 21:24:10 69715 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\ctor.dll
2011-04-27 21:24:10 5632 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\DotNetInstaller.exe
2011-04-27 21:24:10 266240 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iscript.dll
2011-04-27 21:24:10 192512 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iuser.dll
2011-04-27 21:24:09 729088 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iKernel.dll
2011-04-27 21:24:08 311428 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\setup.dll
2011-04-27 21:24:08 188548 ----a-w- c:\program files\common files\installshield\professional\runtime\09\01\intel32\iGdi.dll
2011-04-27 21:22:40 -------- d-----w- c:\program files\common files\Logitech
2011-04-24 00:00:36 -------- d-----w- c:\program files\iPod
2011-04-24 00:00:32 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 21:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2011-02-17 12:32:12 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9250410AS rev.0002SDM1 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A4B56F0]<<
c:\windows\system32\drivers\hpdskflt.sys Hewlett-Packard Company Mobile Data Protection System
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4bba10]; MOV EAX, [0x8a4bba8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A588AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A545C58]
5 hpdskflt[0xBA341536] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000099[0x8A54B9E8]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A54C940]
\Driver\atapi[0x8A4F0270] -> IRP_MJ_CREATE -> 0x8A4B56F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4B553B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:42:47.57 ===============
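The part of that DDS output worth a second look is the GMER section at the end. The MBR itself checks out ("user & kernel MBR OK", and the disassembled sector is the stock XP boot code that relocates itself to 0x600 and jumps there), so this is not a TDL4-style bootkit. What GMER is objecting to is the disk stack: \Driver\atapi's DriverStartIo routine and its IRP_MJ_CREATE dispatch entry both point at addresses (0x8A4B553B, 0x8A4B56F0) that GMER cannot map to any loaded driver image, hence the ">>UNKNOWN<<" entry in the called-modules list. Redirecting atapi's driver-object routines into a block of kernel pool memory is the TDL3 disk-filtering technique, and it is what the "possible TDL3 rootkit infection" warning keys on; a hook that sat inside hpdskflt.sys or CLASSPNP.SYS would be an ordinary filter driver. The script below is an added example, not code from the thread or from GMER/DDS: it parses the rootkit section, correlates each hook target with the UNKNOWN address, and checks whether the target lies near any code address GMER sampled from a real module. The sample log is constructed from the post, and the two window sizes (64 KiB around the UNKNOWN address, 1 MiB around a sampled image address) are heuristic assumptions of mine, not GMER values.

```python
"""Triage the ROOTKIT section of a DDS/GMER MBR-check log (added example).

Parses the disk-stack trace, the IRP dispatch line and the 'detected hooks'
block, then flags hooks whose target sits in the region GMER reported as
>>UNKNOWN<< or outside every module whose code address appears in the trace.
"""
import re
from dataclasses import dataclass, field

# Sample input: constructed from the GMER section of the log in the post.
SAMPLE_LOG = r"""
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A4B56F0]<<
c:\windows\system32\drivers\hpdskflt.sys Hewlett-Packard Company Mobile Data Protection System
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A588AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A545C58]
5 hpdskflt[0xBA341536] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000099[0x8A54B9E8]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A54C940]
\Driver\atapi[0x8A4F0270] -> IRP_MJ_CREATE -> 0x8A4B56F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4B553B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
# "\Driver\atapi DriverStartIo -> 0x8A4B553B"
HOOK_RE = re.compile(r"^(\\Driver\\\w+)\s+(\w+)\s+->\s+0x([0-9A-Fa-f]+)\s*$")
# "\Driver\atapi[0x8A4F0270] -> IRP_MJ_CREATE -> 0x8A4B56F0"
IRP_RE = re.compile(r"^(\\Driver\\\w+)\[0x[0-9A-Fa-f]+\]\s+->\s+(IRP_MJ_\w+)\s+->\s+0x([0-9A-Fa-f]+)")
# "CLASSPNP[0xBA0E8FD7]" or "ntkrnlpa!IofCallDriver[0x804EF1A6]"; the lookbehind
# skips object names that follow a backslash such as "\Device\Harddisk0\DR0[...]".
MODULE_RE = re.compile(r"(?<![\\\w])([A-Za-z0-9_]+(?:!\w+)?)\[0x([0-9A-Fa-f]+)\]")

UNKNOWN_WINDOW = 0x10000   # assumption: targets within 64 KiB of the UNKNOWN address share its blob
IMAGE_WINDOW = 0x100000    # assumption: one sampled code address stands for roughly a 1 MiB image


@dataclass
class Hook:
    driver: str
    routine: str                     # DriverStartIo, IRP_MJ_CREATE, ...
    target: int
    near_unknown: bool = False
    outside_traced_images: bool = False


@dataclass
class Report:
    unknown_addrs: list = field(default_factory=list)
    image_addrs: dict = field(default_factory=dict)   # module name -> sampled code address
    hooks: list = field(default_factory=list)
    mbr_ok: bool = False
    gmer_warning: str = ""


def parse_gmer(text):
    """Extract UNKNOWN regions, traced module addresses and hooks from a GMER section."""
    rep = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rep.unknown_addrs += [int(a, 16) for a in UNKNOWN_RE.findall(line)]
        for name, addr in MODULE_RE.findall(line):
            rep.image_addrs.setdefault(name.split("!")[0], int(addr, 16))
        m = HOOK_RE.match(line) or IRP_RE.match(line)
        if m:
            rep.hooks.append(Hook(m.group(1), m.group(2), int(m.group(3), 16)))
        if line == "user & kernel MBR OK":
            rep.mbr_ok = True
        elif line.startswith("Warning:"):
            rep.gmer_warning = line
    for h in rep.hooks:
        h.near_unknown = any(abs(h.target - u) <= UNKNOWN_WINDOW for u in rep.unknown_addrs)
        h.outside_traced_images = not any(
            abs(h.target - a) <= IMAGE_WINDOW for a in rep.image_addrs.values())
    return rep


def verdict(rep):
    """'rootkit-likely' when a hook lands in unmapped code, 'clean' when nothing is hooked."""
    if any(h.near_unknown or h.outside_traced_images for h in rep.hooks):
        return "rootkit-likely"
    if rep.unknown_addrs or rep.hooks:
        return "review"
    return "clean"


if __name__ == "__main__":
    rep = parse_gmer(SAMPLE_LOG)
    print(f"MBR OK: {rep.mbr_ok}; GMER says: {rep.gmer_warning or 'nothing'}")
    print("UNKNOWN code regions:", [hex(a) for a in rep.unknown_addrs])
    for h in rep.hooks:
        flag = "  <-- points into unmapped code (TDL3-style disk-stack hook)" if h.near_unknown else ""
        print(f"{h.driver} {h.routine} -> {h.target:#010x}{flag}")
    print("verdict:", verdict(rep))
```

On this log both hooks land within a few hundred bytes of the UNKNOWN address and nowhere near ntkrnlpa, CLASSPNP, hpdskflt or ACPI, so the script reports "rootkit-likely" even though the MBR is intact; that matches what SweetTech is chasing with the Rootkit Unhooker and OTL requests below. One caveat: the 1 MiB image window is a rough stand-in for real module ranges, which a GMER log does not give you; on a live system you would confirm the address against the loaded-module list rather than trust the heuristic.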


A: Leftover Problems from Rootkit

Hello and welcome to the forums! My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed response to your thread. I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow the instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days; failure to reply will result in the topic being closed!
Please do not PM me directly for help. If you have any questions, post them in this topic.
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Rootkit UnHooker (RkU)

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.
Double-click on RKUnhookerLE.exe to start the program.
Vista/Windows 7 users right-click and select Run As Administrator.
Click the Report tab, then click Scan.
Check Drivers, Stealth Code, and uncheck the rest.
Click OK.
Wait until it's finished and then go to File > Save Report.
Save the report to your Desktop.
Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning... just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

NEXT:

Running OTL

We need to create a FULL OTL Report.
Please download OTL from here:
Main Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "SafeList".
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extras.txt <-- Will be minimized

NEXT:

Please provide an update on how things are running in your next reply.


Hello, I originally posted this over in "Am I infected? What do I do?" and then Blade Zephon recommended I start a new topic here.Here is the original topic: http://www.bleepingcomputer.com/forums/t/257317/my-pc-iswas-infected-by-windows-police-pro/For your convenience, I'll just quote the whole thing, omitting the unnecessary parts:Now, however, I've got a newer PC virus/malware, and I don't know what to do with it! I was just on some gaming websites when my computer revved up, so I checked task manager, and saw two processes trying to run: "a.exe" and "b.exe." I ended both of them, but soon after that "Windows Police Pro" popped up. I knew what kind of malware it was, so I ended it in task manager and deleted its folder which had popped up in my C:/program files.Those two processes kept coming back, though... I tried to run Malwarebytes, but it did not, and still will not work, even though I've reinstalled it several times. I even tried running the Fixexe.reg program, but it didn't seem to help. I can't even get Malwarebytes to start up unless I reinstall it, and then it only gets about four seconds into a scan before it closes abruptly. I ran "AdAware 2008" successfully, but it only picked up four things... I downloaded "Avast," and it did a long start-up scan, apparently getting rid of several of the infected files --- lots of filenames with "SKYNET" in them --- there was one .dll I "moved to chest" and one file I could do nothing but "ignore..." Now, Avast is installed, ... Read more

A:Help me remove a rootkit leftover from a Windows Police Pro infection

Hello Bent 00,Please save this file to your desktop. Click on Start->Run, and copy-paste the following command (the bolded text) "%userprofile%\desktop\win32kdiag.exe" -f -r into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.


Hello, I believe I'm infected with the subject rootkit/virus/etc and possibly others. I have received blue memory dump screens several times after first trying to run gmer until I changed the name. I've been receiving pop-ups that I never used to get, and when I checked my event viewer, under windows security it's showing a lot of system integrity and other audit failures, suspicious logon events with processes by Advapi to services.exe, and security state changes. I have already reviewed and done some of the stuff in this thread: http://www.bleepingcomputer.com/forums/t/87058/slow-computerbrowser-check-here-first;-it-may-not-be-malware/ because at first it was running noticeably slow.
Please see examples:
- Anonymous logons to the account domain NT Authority through NtLmSsp
- Audit policy changes to many of my c:/windows/system32 files (.dll's, .exe's, and others) and registry through a process named C:\Windows\servicing\TrustedInstaller.exe with a New Security Descriptor listed as: S:ARAI(AU;FA;KA;;;WD) OR S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD). I searched this security descriptor on the internet and it seems foreign in nature.
- Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. File Name: \Device\HarddiskVolume2\Users\Konita\AppData\Local\Temp\fwryqkoc.sys
- Code integrity determined that the image hash of a file is not valid. ... Read more

A:Infected With win32k.sys Rootkit & Possibly Other Leftover Infection Traces

Hi,
Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.
Once I receive a reply then I will return with your first instructions.
Thanks


Hello

I am trying to help my friend again with her PC. I removed Adware and Kazaa a few months ago but someone installed Kazaa again so now I have to clean it up again. She promised her first born if it happens again.

I have installed the latest Windows security updates, CWShredder and Spybot but the browser is still not 100%. It is usable but there are 4-5 ads when you launch. Here is her HijackThis file

Logfile of HijackThis v1.97.7
Scan saved at 7:00:14 AM, on 6/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe
C:\WINDOWS\System32\mwvzapst.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\odrbvzkha.exe
C:\documents and settings\user\local settin... Read more

A:Leftover Kazaa problems


Hello, I have been trying to clean a friend's computer for a few hours now, the main problem was the Antimalware Doctor virus. I managed to finally get a clean scan from Malwarebytes, SuperAntiSpyware, and Ad-Aware (there were about 150 items caught on the first Malwarebytes scan, I have that log file if it is needed), but I'm still getting redirected when I do a Google/Bing search on Internet Explorer and Firefox (Chrome seems to work just fine). So far the only thing I know for sure it is redirecting are "malwarebytes" and "antispyware doctor" keyword-related searches, even though I am eventually able to get to the site I want after a few tries. Occasionally I will get redirected from other searches, but the previously mentioned keywords seem to almost always get redirected three or four times to random ad-sites before I can access the site I want. I also ran ComboFix to try and fix some issues, but the redirecting problem remains.
Any help on this is greatly appreciated.
The HiJackThis and ComboFix logs are below, but here they are as attachments: hijackthis.log, log.txt
HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:32:05 PM, on 4/4/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32 ... Read more

A:Antimalware Doctor Leftover Problems

Hello and welcome to the forums!
My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.
I would be glad to take a look at your log and help you with solving any malware problems.
If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is... Read more


Last night I got a nasty case of the Virusbursters disease. I'm running a fully updated Windows XP. I followed the "How To Remove Virusbursters" instructions for the automatic removal, and that seemed to help. Then suddenly the whole thing started over again. Then I tried following the manual removal instructions, but none of the dll files that I was supposed to remove were present. Then I read somewhere that Prevx would get rid of it, so I used the Prevx software and that did seem to get rid of Virusbursters. Although it did leave an entry for it on my quickstart bar and my Add/Remove Programs list. Unfortunately, a range of other stuff has been popping up. Random IE pop-up windows and even Firefox tabs coming up with ads for porn and music sites, and most of all for BS anti-virus programs. One repeat offender is something like Win Anti-VirusPro, or something like that. Also, Windows Explorer has been crashing, leaving me with a blank desktop. [Edit - I see others are having issues with this as well. Also, one bit I forgot - my Norton Anti-Virus periodically gives me the "A virus tried to do something, but I stopped it" pop-up message. The virus is always some random name.exe, and never the same one twice.] I have run the following: Spybot S&D (found and removed a bunch of stuff) Ad-Aware (found and removed some stuff) Panda Scan (found a ton of spyware, over a thousand files, according to the scan, but the free version wouldn't clean them) Windows ... Read more

A:Virusbursters - Leftover Problems After Removal

For added reference, here's my rapport.txt after running a SmitFraudFix search.

SmitFraudFix v2.124

Scan done at 22:06:23.92, Sun 11/26/2006
Run from C:\Documents and Settings\Ed\Desktop
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ed
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Ed\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Ed\FAVORI~1

C:\DOCUME~1\Ed\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files... Read more


I keep my computer pretty safe and secure, but recently I had a breakin and was confronted with the daunting task of Spy Sheriff taking over my desktop background. I took all of the steps needed to remove it, I believe, but now that I'm pretty sure it's gone, I'm not able to reset my desktop back. Here is my current HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 11:11:42 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Purdue University\Air Link\cvpnd.exe
C:\Program Files\Ewiedo\Security\ewidoctrl.exe
C:\Program Files\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\Mcshield.exe
C:\Program Files\McAfee\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:... Read more

A:Spy Sheriff fixed, but problems leftover

Welcome berlinbm2004 to Bleeping Computer.
Please read these instructions carefully. You may want to print them as we will perform most of this advice in safe mode. Be sure to follow ALL instructions!
Open HijackThis
Go to "config"
Go to "misc tools"
Press the button "open uninstall manager"
In the list find: SpySheriff
Press "delete this entry".
***
Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [fBx9RTK3X] recunirl.exe
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} - http://213.254.243.5/data/dialercab/IberoDialerHTML.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downloadv3.com/binaries/EGDA...ESS_1058_XP.cab
Close HiJackThis.
***
Delete the following, in bold, if found:
C:\Program Files\SpySheriff <-whole folder
C:\Windows\Desktop.html
C:\winstall.exe
***
Copy everything inside the quote box below (starting with REGEDIT4). Paste it into Notepad. Go up to "File > Save As", then click the drop-down box to change the "Save As Type" to "All Files". Save it as fixspy.reg on your desktop. *Make sure there is NO blank line above REGEDIT4
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windo... Read more


I am getting the following error report:
Generic Host Process for Win32 Services has encountered a problem and needs to close.
C:\DOCUME~1\ME\LOCALS~1\Temp\WER5602.dir00\svchost.exe.mdmp
C:\DOCUME~1\ME\LOCALS~1\Temp\WER5602.dir00\appcompat.txt
When I first realized I had a problem, AVG stopped working so I uninstalled it and downloaded Spybot and ran that in Safe Mode. This seemed to repair some of the problem as it found many infected files. I reinstalled AVG. Ran that and it too found infections. I then had problems running certain things like disk defragmenter and task manager. Uninstalled Spybot and installed Malwarebytes. This corrected almost everything. AVG is now telling me that my atapi.sys is infected and it can't do anything to it. Here is a list of what is in my AVG virus vault.
"Infection";"Trojan horse SHeur3.ARI";"C:\Documents and Settings\Me\mvhasyvimk.exe";"";"2/28/2010, 3:23:08 PM"
"Infection";"Trojan horse BackDoor.Generic12.AMHS";"C:\lsass.exe";"";"2/28/2010, 3:29:17 PM"
"Infection";"Trojan horse SHeur3.ATW";"C:\WINDOWS\Temp\iufg.tmp\svchost.exe";"";"3/1/2010, 4:41:17 AM"
"Infection";"Trojan horse FakeAV.SL";"C:\WINDOWS\system32\sshnas21.dll";"";"3/2/2010, 5:32:06 AM"
"Infection";"Trojan horse FakeAV.SY";"C:\WINDOWS\system32\_VOIDkdkxcqwpwc.dll";""... Read more

A:Have leftover problems from either a virus or malware

Thank you Pandy for getting me in the right forum. I am having trouble getting the rest of my reports to post.


I'm working on (my father-in-law's) pretty old Dell desktop.

He was hit with Internet Security 2011 malware. It gave me quite a hard time.

In desperation I went into the registry and deleted several entries associated with the malware as per a help site I found. I looked at a dozen different sites including bleepingcomputer.

Then I finally used a fresh copy of malwarebytes (downloaded on my own laptop and transferred over with a flash drive). I ran it but it didn't seem to find anything. Perhaps because I had pulled out several components already.

I also ran combofix which seemed to help(?)

Anyway, I ran updated versions of malware bytes and spybot S & D. Spybot came up with a few items which I "fixed" with spybot.

However, it looks like several of the programs, including Norton 360 are blocked. I was able to clear the block from malwarebytes using the cacls command.

I was not able to clear Spybot because I could not figure out how to type "Spybot - Search & Destroy" with the command prompt. I also am having trouble with Norton. ...and who knows what else may have been affected.

At this point I don't know what's left in there. I fear there may be "pieces" of the original malware. Additionally, I need to correct all the permissions it changed and I'm not sure how to find them (and correct them).

I read the preparation guide, downloaded the files, moved them to the desktop and ran them and saved the logs.

BTW, the computer is not connected to the internet at ... Read more

A:leftover problems from internet security 2011

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
Please take note: If you have since resolved the original problem you were having, we would appreciate you letting us know. If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
If you are unsure about any of these characteristics just post what you can and we will guide you.
Please tell us if you have your original Windows CD/DVD available. If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the '... Read more


Hi all.

One of my dad's friends was having a problem logging into Windows (initially all he had was the mouse pointer on an otherwise blank screen...). The problem was fixed, but when we eventually logged in, the antivirus, firewall and antispyware programs I originally installed were missing!

I reinstalled them, and ran them. AVG discovered a Trojan (I forget which strain it was), which was subsequently removed, while SUPERAntiSpyware (kindly provided by cybertech on a previous fix I had to do) found 111 threats (also removed).

I have the machine here with me so I can check it over further. I ran HijackThis so I can get your opinion on what to do next. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:48 AM, on 6/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.e... Read more

A:Solved: Checking for leftover problems on infected machine


Hello, I was sent here from the Am I Infected Forum by garmanma. Topic referenced is here: http://www.bleepingcomputer.com/forums/t/260361/requesting-virus-help-malware-greenav-and-rootkit-etc/ ~ OB
Prior to posting in that forum, I tried to run MBAM, Spybot, SpyHunter. The programs would not run at all, I would get an error stating I didn't have appropriate permissions. I downloaded the DDS.scr file and tried to execute a scan. The scan screen popped open for about one second and closed....every program that I try to run will either not run at all, or if it does run, it will close a few seconds into the scan then shut down. If I try to run it again, I'll get an error saying I don't have permission to run that file.
I have tried online scans from Bitdefender, Microsoft's OneCare, and one more (forgot the name)...but every online scan shuts down the entire browser. Also, on occasion I get a fake page saying that the webpage I requested has been blocked due to my infections, and links me to a page regarding GreenAV. I could not run most of the tools in the preparation guide, even after renaming them. However, in the other forum I was able to run a couple of scans before the programs shut down. I was requested to start a new topic here and post the logs that I have. Thanks in advance:
I was instructed to download "peek.bat" and run that program and also RootRepeal. The results from both are listed below:
Peek.bat Log:
Volume in drive C is SQ004214P01
Volume Serial Number i... Read more

A:Rootkit and Spyware Problems: Antispyware/Antivirus/Rootkit Scanner programs all shut down when executed...

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I've tried almost everything to get rid of this trojan and I always end up with one of two results. First, when the computer reboots it automatically reboots through a continuous cycle once it hits the Windows screen. Second, I log onto Windows and start to run a program, and a physical memory dump occurs. I also think my external hard drive has the virus on it, although none of the hundreds of virus scans I've completed show a virus on the drive. Please give me some insight on what to do. Thanks



DDS (Ver_09-07-30.01) - NTFSx86
Run by paul at 19:41:12.95 on Sat 08/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.527 [GMT 4.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\WINDOWS\system32\ZuneBusEnum.exe ... Read more

A:generic rootkit.d rootkit NTOSKRNL-HOOK problems

Hi there,

Looks a lot better, but lets run a few more checks.

1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


Code:
FileLook::
c:\windows\S0A0D9E6F.tmp
c:\users\paul\cc_20090725_201550.reg

DirLook::
c:\program files\My-Proxy
c:\users\paul\APPLIC~1\lsptttiq
c:\users\NetworkService\Application Data\lsptttiq

RegNull::
[HKEY_USERS\S-1-5-21-436374069-1715567821-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{52432C9E-AC35-115A-59A8-20D2B4352033}*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d620a955-eb2d-4b83-8024-1840b1f2d536}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download RegQuery by Noviciate to your desktop
Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Double click RegQuery.exe to run the program
Paste the text you have copied using CTRL and V, into the textbox
Cli... Read more


I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

A:Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping Computer
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.
We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


hey guys. I have peerguardian 2 and every time i start my computer someone called offeroptimizer.com/static.callinghome.biz[spy], st. also i was looking with spysweeper at my items that startup with windows and i noticed there is something called ShowWnd.exe and i googled it and some things said it was malicious and some said it was not. Maybe you could help me out. Here's my Hijackthis log. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 4:20:18 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files... Read more

A:HJT-Leftover

Welcome leftover to Bleeping Computer.
*Restart the computer.
*As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*Press Enter.
***
We need to make sure all hidden files are showing so please:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
Click on Fix Checked when finished and exit HijackThis.
***
Open Windows Explorer.
Find and delete this file:
C:\Windows\System32\ShowWnd.exe
***
Reboot the computer to normal mode.
Please post back in this topic with a fresh log using HijackThis.


Hi, I need help getting rid of some trojan/malware remains. Malwarebytes and TDSSKiller don't find anything but I am still getting Internet Explorer redirects, Windows Firewall is turned off & will not turn on, and I need help because it looks like I may have a rootkit hiding somewhere. I have included my DDS files. Also Avast is showing a lot of "malicious URL blocked" messages and the process is C:\Windows\System32\ping.exe. I have ESET, MBAM, SAS & HijackThis logs. I have ComboFix, aswMBR & MiniToolBox dl'd & ready to run but don't want to use them without your direction. I have Windows 7 32-bit. Thanks!

A:Win7Antispyware leftover fix

Update......running eset fixed the redirects but I wonder if I still have the rootkit. Eset said I had a variant of the Win32/Sirefef.DN trojan.


I got some kind of malware last week. I kept getting tons of pop-ups, which never bothered me before, and other things. One of those fake anti-spyware sites that took over my computer till I shut it down, etc.

So in the past week I have done the following:

I ran Stinger, Ad-Aware, Malicious Removal Tool, CC Cleaner, Housecall, HS Remove, cwshredder, Kill2Me, all of which found nothing, and did a System Restore which had no effect..

Then I ran Malwarebytes and Stopzilla both of which found some Trojans, Malwares, Ad cookies etc and deleted them. (No worms that I could see.)

Since then I still have the following problems:

When I load Firefox - before the page loads in the upper left hand corner I get the following box:

"Java Application Type Error: spElement is null." (A search of "spElement is null" on Google turns up nothing.)

When I click OK, the message box disappears and Firefox loads. Sometimes a few different pages load, Ask.Com, My * 10.Com, etc. A couple of pages sometimes try to load but there is a message box that says the locations couldn't be found. Once I click off those pages, I seem to be able to use Firefox without any further problems.

If I try to load Internet Explorer, a bunch of pages try to load, all with the same internet address with numbers, letters, and symbols that I have never seen before (not a foreign language, but symbols which aren't on my keyboard, letters, etc.). Luckily for each page that tries to loa...

A:A few leftover's that I can't seem to shake??

I would do the following: use Rkill to stop the rootkit processes that start when the computer comes on. Then I would run Malwarebytes and SUPERAntiSpyware. Here are some DL links for Rkill: LINK 1, LINK 2, LINK 3, LINK 4. Save it to your desktop and then double click to launch it (with Vista you need to right click and select Run as administrator). You should see a little black window open and then close. If you see that box then it worked. If you don't see the black box then delete the file and use another download link and repeat the steps. After running Rkill, update and run MBAM. Next I would install ATF Cleaner, check the box for Select All and then run it. Finally, I would run SUPERAntiSpyware. If you have more than one username then you will need to scan each user account separately with this.

Hi, I removed a security program, and I now find that I have leftover files. I went into Task Manager and found the file location, but when I try to delete them, a popup says I need permission. I am the only user on the PC and also administrator. How do I obtain permission, or is there another way to delete them? I have Vista Premium 32-bit... Thanks

A:Get rid of leftover files

Hi patch41, Take ownership of that file and then delete it.

Can anyone tell me if there is such a programme that can detect leftover programmes on the PC? By that I mean, when you have installed a programme and then decide you don't want it, you delete it from the Add/Remove control panel but it always seems to leave some file behind.

Is there anything that would clean all those files up? Hope I am making sense.

Thanks
 

A:Leftover files?

After finally getting the Windows 10 Anniversary Update to install, as expected, I had a Windows.old file. Following instructions posted here and elsewhere, I used Disk Cleanup to remove most of that file.

There are still two folders remaining in Windows.old from System32, one in Drivers (IntcDaud.sys) and one in DriverStore (intcdaud.info.amd64xxxxx). When I go directly to System32, both drivers appear in the same folders where they show in Windows.old. Disk Cleanup no longer even recognizes Windows.old, so I cannot run it again to remove what appear to me to be extraneous entries.

Can I safely use Unlocker to try to remove the remaining Windows.old file, which likely would only work after a reboot? If not, is there some other method, short of using the Jaws of Life or a ten-pound sledge hammer to remove the leftover Windows.old file?

A:Windows.old leftover

Hello Not Myself,

Unlocker should work for you. If you like, OPTION THREE below should work as well.

Windows.old Folder - Delete in Windows 10

Thank you for helping me.

Here is where we were working on Internet Explorer issues before I was told there were leftover malware items: http://forums.techguy.org/windows-xp/949714-internet-explorer-problem.html#post7597460

I ran the uninstaller then did the HijackThis scan again.
I didn't see the two items you said I should check mark on the list, so I looked back at the first log and they are listed, but now after the uninstall they are gone. Because I'm not sure what to do, I didn't do the Norton uninstaller part yet. This is the latest file after the uninstall.

I also noticed that when I would open any file, Search Settings v1.2.3 tried to open every time, and I had to hit the cancel button several times to close it. Now that I've done the uninstall, it no longer does this. I'm guessing they are related somehow and I hope that this new information doesn't come too late.
Thank you again for your help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:40:46, on 9/13/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17080)
Boot mode: Normal


A:Leftover infection

Search Settings seems to be gone alright.

As for Norton, it should be removed since you should never run more than one antivirus software at a time. They will work against each other (Avira and Norton), cause your system to be slow and even freeze. Your computer will be even more vulnerable.

Your log is showing traces of past or present infection. After we're done here, we'll need to get you transferred to the Virus & Other Malware Removal forum.
 

I had a trial program loaded; the program was past the trial period and I forgot to uninstall it. When I did uninstall the program I thought all traces of it were gone. That was about a couple of months ago.
I decided that I would like to use the program and tried to download it. The program started to download, but never finished the download. Got a message that "old version" needed to be removed.
I've done a search for the program, couldn't find any trace of the program. Went into regedit > Software, found something I'm not sure if it's the program or not. The program in question is FakeWebCam; found in regedit > Software "fwc" with 9 keys with values. The initials match the program's name.
Should I delete that folder from regedit?
 

A:Solved: Leftover Program

I just installed it into a virtual machine and it created the fwc key with 9 values so that's probably the one to delete. Always a good idea to export a copy first just in case.

HTH

Jerry
 

So my dad was using the PC and installed malware by mistake. I ran Malwarebytes and removed the malware, but every time he signs into his account on startup this error pops up. I tried to find its folder but couldn't see it, so how can I remove it please?

A:Cannot delete this malware leftover

Originally Posted by Edward

So my dad was using the PC and installed malware by mistake. I ran Malwarebytes and removed the malware, but every time he signs into his account on startup this error pops up. I tried to find its folder but couldn't see it, so how can I remove it please?

Hi Edward.
Do you have CCleaner installed on the computer?
If so, please navigate to the TOOLS selection on the left, then go across the tabs to SCHEDULED TASKS. Look in that window for the DLL call and highlight it, and select DISABLE. Reboot the computer.

I am trying to clear out the last remnants of 2 spyware infections, spysherriff.exe and ibm0001.exe. I have gotten just about everything cleared out, but I still have a few items on my HijackThis log that I can not get rid of at all. I am not sure if this is related or not, but my internet just stops working 20 minutes after I reboot. Called the ISP, they said my connection is okay; I can ping out, but I can not get a connection to anything, IE and Firefox open as nothing, no page.

This is the one entry that I can not get rid of:
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

I have run Ewido, Ad-Aware, AVG, Spybot - Search & Destroy, Kaspersky (which for some reason I can no longer get to). I run Win XP's firewall, but I can not get to the settings; it gives me an error saying "Due to an unidentified problem, Windows cannot display Windows Firewall Settings". Any help would be gladly appreciated. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:20:24 PM, on 1/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

A:Hijackthis Log: Last Remnants Leftover

Hi,

Sorry for this delay. Please post a fresh HijackThis log if you still have problems.

My old EIDE WD Caviar200AA is in a box. It was in a Compaq p.o.s. that died last March.
My new "no-name" is running NTFS and has an 80 GB HDD.
How much hassle to add an additional "slave" drive to the new machine?
What are the snafus out there? How do I start?
BTW I'm new at this.

Is the ole' 5600rpm drive seemingly tons slower than my 7200 in practice?

Can any of the FAT32 stuff be left on that 20 GB or does it all have to be wiped?
 

A:should I install a leftover second- harddrive,20G

I downloaded a bad file by accident and got inundated with trojans and all kinds of other garbage. So I ran a full MBAM scan and cleaned it all out, mostly. When I open up my browser (Firefox) this is what I see on the top of my browser. I also randomly get a page that says "CONNECTION RESET BY REMOTE SERVER, something about reasons for errors, then a link that says RUN THE COMPLETE SCAN." Obviously it's a ruse and I just hit refresh and it goes away. Any help is appreciated.

A:I need some help cleaning up some leftover spyware. . .

Hello, please run these as instructed and post back 2 logs. If you have SpyBot running please disable it for these.
From your regular user account, download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop. DO NOT run yet.
Open SUPER from icon and install and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.
Now reboot into Safe Mode: How to enter safe mode (XP) using the F8 method. Restart your computer. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu. Select the option for Safe Mode using the arrow keys. Then press Enter on your keyboard to boot into Safe Mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox or Opera browser click that browser at the top and choose: Select All. Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
NOW Scan with...

I am repairing a machine for a friend. After installing and updating McAfee, I found and removed multiple viruses. However, the desktop still has a long message on a black background that reads: "WARNING You Are In Danger All that you ever do on your computer......" Can anyone tell me how to get this off the desktop? Thanks.
 

A:Desktop Virus Leftover

http://www.processlibrary.com/processscan/ : this may help once you reach the desktop. However, I would run all the anti-spy you have; make sure you have Spybot, Ad-Aware etc. Download IObit v2 free, install, run, then go to Tools > Startup and look through the registry entries which are starting with Windows. Also the Microsoft Malicious Removal Tool may be useful.
http://www.iobit.com/AdvancedWindowsCarePersonal/download.htm
http://www.microsoft.com/security/malwareremove/default.mspx
 

Need some help with this log please, guys. I have broadband but the last day or so the connection was extremely slow and sluggish. I then ran a Spybot search and came up with the wwwcoolsearch.leftover virus. I deleted it from Spybot but the system remained slow - sometimes taking 5 minutes or so to load a page. I then performed a system restore to three days ago and so far that seems to have solved the problem - speed of the broadband connection seems to be much faster now. I just want to make sure there's nothing in my HJT log that should warrant further investigation. If it's of any interest, on Monday I upgraded from ME to XP.



Logfile of HijackThis v1.99.1
Scan saved at 00:07:13, on 31/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


A:wwwcoolsearch.leftover Hijack log

OK, seems I typed too soon. System is back to slow this AM. HELP!

This is not a big deal, but after cleaning up a mildly infected computer with Malwarebytes Professional, AdwCleaner and HitmanPro, I find I still have a running process for SearchProtect when I checked in Task Manager for anything else. It is not showing it's using a lot of resources, but it is there. The entry is located in the System32 file. I hesitate to remove anything from that file... Should I leave well enough alone or delete it? Thanks!

Edit: Topic moved from General Security to the more appropriate forum. ~ Animal
Edit: Topic moved from Am I Infected forum to the more appropriate forum. At the request of Malware Removal team member. ~ Animal

A:Leftover Conduit Entry

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.
Before we move on, please read the following points carefully:
My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
Perform everything in the correct order. Sometimes one step requires the previous one.
If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
Do not run any other scans without instruction or Add/Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
If I don't reply within 24 hours please PM me!
Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Step 1
Please run a FRST scan. This will help us diagnose your problem.
Please download Farbar Recovery Scan Tool and save it to your Desktop.
(If you are not sure which version (32-/64-bit) applies to your system, d...

I used the Windows Police removal procedure as shown and successfully removed the program. THANKS - got my computer back! However, every time I start up my computer or a program now I get the following window notification: "name of exec file - BAD IMAGE". Then it states that "globalroot\systemroot\system32\gasfkybospyfqm.dll is not a valid Windows image. Please check it against your installation disk." I can click on OK and everything works but it comes up every time something loads. Any information on getting rid of this screen would be appreciated. Also, all my RESTORE points have gone; I can't even get back into yesterday or last month. RESTORE is set to work so????

A:Windows Police leftover help please

Moved from HJT to a more appropriate forum. Tw

I have previously posted in this forum about my computer on this thread: http://www.bleepingcomputer.com/forums/t/239917/google-redirect/. The Google redirection issue described there was resolved, but there are still a few symptoms that indicate the computer may not be completely fixed. I was working with Blade81 via private message but we were unable to solve these symptoms. They are:

When I log into the "Steve" account, I see this error message:
RUNDLL
Error loading C:/DOCUME~1/Steve/protect.dll
The specified module could not be found.
(Note that the ComboFix in the previous thread was done to the Donna account.)

The antivirus program auto-update does not seem to be working. I can do a manual update, and I can see that automatic updates are enabled, but they do not seem to be executing.

Uploading actions, such as sending an email or uploading pictures to Picasa, seem to take longer than they should.

I have run DDS on the "Steve" account since it is the one that has the error message. Thanks in advance for any help you can provide.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Steve at 21:08:58.73 on Wed 09/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1679 [GMT -5:00]
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

A:Leftover Malware from a Previous Fix

Hello and welcome to Bleeping Computer.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions...

Howdy,

Now that I seem to have removed my rootkit, I now wish to figure out how to remove what is left over from a Virtumonde infection that I had last year. I am no longer infected, but have 2 calls for DLL files that are left in the registry, and cause an error on system start, generating error boxes. I am simply tired of them, but had to get my other issues taken care of first.

Hijack This and MB both allow me to delete the registry entries for both dlls, but they keep reappearing. I have researched this, only to find that it has something to do with the system restore function in XP. That doesn't make sense to me as I have turned system restore off, and it still happens. That leads me to believe that this problem is coming from somewhere else, but I have no idea how to track it down.

Thanks!
 

A:Leftover Virtumonde trash

Ok, finally got Smitfraud-C.Core Service and Virtumonde cleaned out. DriveCleaner2006 does not seem to want to go away now. Had some WinAntiSpyware as well. The only thing that seems to be hanging on at this point is the DriveCleaner. Here is the HijackThis log. Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 3:24:28 AM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

A:Leftover Stuff From Malware

Welcome to BleepingComputer, I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back with a fix for your problem as soon as possible. I recommend that you "track this topic" to be notified when a reply has been made. At the top of this thread choose Options > Track This Topic and then select Immediate Email Notification.
Regards
POADB.

Last Thursday, I'm sure a file from WinMX while my AVG was off (that's a long story) caused a browser hijack. Anyway, I read through your and other forums and followed some of the suggestions given to others with similar ills. After a lot of trial and error I seem to no longer have browser hijacking (i.e. a new window opening with "url.urtbk" in the address) but I'm not sure if all is well. There may still be leftovers. My browser still runs slower than normal and I fear a redirect is in my future. Here's my current HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:51 PM, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal


A:Malware leftover blues

I now have Java SE installed (files in my registry left over from the Windows Cleanup Utility prevented installation).
 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:20:52 PM, on 4/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

A:HJthis log - still have viruses leftover?

Hello and welcome to Bleeping Computer.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
Upon completing the steps below I will review and take the steps necessary with you to get your machine back in working order clean and free of malware.
If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.
Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions...

I had been using WMP 6.4. Decided to try Version 7. Uninstalled and checked out Version 9. Wish I hadn't done either. I don't care for the extra features they added and should have just stayed with 6.4.

After searching, I've learned that those newer versions added lots of registry entries that do not get removed with Add/Remove Programs.

When I run Spybot S&D, I still see entries about Media Player and SDK. I have Win98SE, use Norton WinDoctor and JV16 PowerTools.

Is there a tool or guide to remove leftover WMP registry entries before putting 6.4 back on? I had deleted 6.4 from Explorer and ran the above before installing the other versions. I also have the Alternative versions, but need WMP for streaming.
 

A:Remove leftover WMP reg entries

Hi!
I created that XML using WSIM. However, if I leave the size field blank (partition: 4), I encounter an error during installation, claiming DiskConfiguration to be incorrect. Is there any way to do this, and how?
Also, after I fixed this, I got a message telling me drivers for the HDD/SSD were missing. Since this doesn't seem to happen with the regular installer disks, how and which drivers do I need to integrate?

Thanks in advance!
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="windowsPE">
        <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <SetupUILanguage>
                <UILanguage>de-DE</UILanguage>
            </SetupUILanguage>
            <InputLocale>de-DE</InputLocale>
            ...

So I contracted Smitfraud-c, as named by Spybot, and like everyone else I couldn't get it off. My computer was just going nuts; adding desktop icons, opening my browser, countless prompts ostensibly notifying me of spyware removal tools, and actually running these fake programs. I tried a few smitfraud cleaners and other recommendations to no avail.
Finally I tried using HJT to "delete a file on reboot.." and deleted the dll associated with smitfraud-c. I think I determined the dll file with the SpybotSD recovery listings following a scan, or something like that. Anyway, after I did this SpybotSD was actually able to delete the Smitfraud-c object. After numerous scans with all of my clean-up tools, they are no longer picking up any more malware.
I was happy about this, however things still aren't completely right: boot-ups take a long time (malware is starting up and initiating its hijack, I think), my home page keeps changing, and I'm pretty sure I'm seeing browser hijacker entries in my HJT log.
Security and cleanup tools that I use: SpybotSD, AdawareSE, Spyware blaster, AVG, windows firewall, CCleaner, RegCleaner, Windows disk cleaner and every now and then I'll run rootkit scanners. Here's my HJT log:


A:smitfraud-c, leftover stuff

There's been a lot of trojans/malware on this PC in the past and although I've usually managed to eliminate most of the threats, I'm pretty sure there are still some leftover bits and pieces, so I figured I'd try posting this log to see if anyone could help me clean it up a bit. As it's not my computer, obviously I don't want to go messing about in the registry by myself. Take your time, no rush ;)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 03:36:58, on 27/07/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

A:Hijack This / Looking For Leftover Narsties

Hi,
Please do the following:
Please download DDS from either of these links: LINK 1 LINK 2 and save it to your desktop.
Disable any script blocking protection.
Double click dds to run the tool. When done, two DDS.txt's will open. Save both reports to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:
DDS.txt
Attach.txt

NEXT
Please download aswMBR (511KB) to your desktop.
Double click the aswMBR.exe icon to run it.
Click the Scan button to start the scan.
On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


I have installed a couple of Linux distros, a copy of XP, etc. that have since been removed from the system. The entries are still left showing up in the boot menu. How do I delete these unwanted entries?

Note, currently I have Zorin 8 installed dual booting with Windows so it's grub's boot loader that shows up first. This is fine with me and the way I prefer it. On choosing to go to my windows bootmenu I then get the bootmenu screen with all the unwanted entries.

If I am not mistaken, I should be able to delete these entries so when choosing to boot Windows, the system then should boot right into windows without giving me that extra windows bootmenu screen ( because it's not needed - there will be no other choices in that menu to choose from)

How can I do this? Thanks (BTW, I don't want to use a 3rd party tool like BCDEdit)

A:How do I remove leftover entries from the Win 8 bootmenu?

Windows key + R, type msconfig and press Enter.
Click on the Boot tab.
Select the entries you want to remove and click the Delete button.


Hello! A few months ago my computer was infected with the Happili virus. It was incredibly difficult to get out, but with the help of one of the guys on here, I finally got rid of it. I noticed my computer still seemed to be running slower than usual, though, but I chalked it up to high CPU usage. Unfortunately, just a few weeks ago my computer started acting really funky. It takes about two to five minutes for it to pull up my desktop. Sometimes it will open Firefox; other times Firefox will never come up, no matter how many times I click the icon. Still other times, Firefox will work temporarily and then just stop loading websites out of the blue. Sometimes there is no volume - it claims that the audio mixing device is missing - and other times the volume is just fine. Most recently, I won't have volume and can't pull the volume adjuster up at all, or I can pull the volume adjuster up but have absolutely no sound. Sometimes it will open OpenOffice and WordPad, but most of the time it never pulls them up. The one thing that remains the same is that 90% of the time, I have to force it to shut down, otherwise it just sits there with an iconless desktop background. Also, instead of going straight to the "Microsoft Windows" loading screen (the one before the "welcome" screen) it shows me a black screen that asks me if I want to boot up in Safe Mode, Safe Mode with Networking or Normal Mode. This screen pops up every time I turn it on.
... Read more


I had SpySheriff on my computer and had a large black box on my desktop with Spyware Infection in red letters on my desktop. Also, my internet security setting kept being set to minimum. However, I have taken care of most of the problems...I think. All that is left now is a black desktop that I cannot change.

The steps I have taken to get to this point are from brendandonhu's fix of lazbum's problem. The thread is titled "Spyware infection desktop wont go away i need help." However, when I get to actually doing the desktop fix, it doesn't work.

Please let me know what I can do to fix this. Thanks
 

A:Solved: Spysheriff leftover problem...


Trojan installed a fake security program without warning, disabled Task Manager and then bluescreened. Restarted and ran Malwarebytes and was able to quarantine most of the files. Google was being redirected, so I ran CWShredder and fixed that, sort of. Now Google only randomly redirects when I click on some links in search. Ran RootRepeal and have a log for that as well which shows some issues.
DDS (Ver_09-12-01.01) - NTFSx86
Run by ERIKA at 14:42:01.15 on Tue 12/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.560 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Java ... Read more

A:Leftover Vundo.H trojan issues

Hello and welcome to Bleeping Computer! We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Fo... Read more


I like to reformat my computer periodically, it keeps everything running smooth. The time had come to reformat, so I popped in my XP Pro install disc and let it whirr. I did the usual deal, deleted my old partition, and recreated a new one using a Quick NTFS Format. The install went smoothly.

Now however, I'm looking at some registry values, and I have all kinds of entries from old programs that were installed before I formatted. There are a few games on the list (FEAR, Oblivion, etc), the only problem is, I haven't installed those programs yet. It seems as if the format I've done didn't actually clean everything off.

I have two hard drives, but I use one for all the downloads/files/pictures/documents/other OS's/etc, and I use the other one just for installing XP and my programs. Is it possible that the quick format didn't do its job? Maybe it didn't get to delete the partition tables correctly or something, I dunno.

Anyone else ever have this problem before?
 

A:Leftover registry values after reformat


I've tried many times but they won't go away. I have a screenshot of the issue.

I've had a previous issue where I was losing disk space for no reason. I don't know if this had anything to do with it, but I still have that issue even though I've tried everything. I've backed up my personal data so it's no big issue.

The issue right now is that I can't remove some of the malware that Hitmanpro had detected. I can't find them anywhere on the computer and CltMngSvc isn't even on the task manager.
 


Good evening

Several weeks back I was hit by AV Anti-virus. I ran Rkill and MalwareBytes and that seemed to solve the problem - all the fake Windows security pop-ups stopped. However, I still have internet redirects (usually from Google searches, but sometimes at random times) to mostly harmless looking websites - caranddriver.com for instance. Lately though, things are getting worse. I cannot load Windows Update, keep getting win32 errors, my Windows theme has reverted to classic, Windows Firewall will not load, my volume icon in the systray no longer works, and I cannot boot in safe mode without the blue screen etc etc etc. There's a host of other oddities that keep occurring - I can go on if you need.

MalwareBytes, AVG Free, Adaware, Avira, and Windows Defender can't fix the problem (MBAB does find something each time I update definitions but the issues described above do not go away, the others find nothing). MBAB has identified qnlka.sys as a trojan in the past, and GMER has it lit up in red font too. But I cannot get rid of it, even when using KillBox.

I just can't seem to shake this one, and would really appreciate some help. Thanks

DDS (Ver_10-03-17.01) - NTFSx86
Run by Chris Roberts at 19:36:29.35 on Tue 07/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.475 [GMT -4:00]
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C... Read more

A:AV Anti-Virus leftover? qnlka.sys?

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.

Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks


So yeah, just went through the harrowing ordeal of getting rid of System Fix, only to find my poor, innocent laptop in even more trouble. AVG is picking up rootkits, which I've only just managed to get rid of, Internet explorer was completely hijacked by something (uninstalling IE was my sloppy fix of choice) and Google redirects are frequent. Here's the DDS (and the attach thing, too. I followed the preparation guide):

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_24
Run by Touphi at 3:26:34 on 2011-11-16
Microsoft Windows 7 Home Premium 6.1.7601.1.932.81.1033.18.3836.1968 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe... Read more

A:Leftover trouble after dealing with System Fix

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine.

If you are unable to create a log because your computer cannot start up successfully please provide detailed information about the Windows version you are using: What we in particular need to know is version, edition and if it is a 32bit or a 64bit system. If you are unsure about any of these characteristics, just let us know and we'll help you figure it out. Please also tell us if you have your Windows CD/DVD handy.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about y... Read more
